Merge fort-nix/nix-bitcoin#414: Update nixpkgs-unstable, fix whitelisting local services

aada35fc7b minor improvements (Erik Arvstedt) 1da23cd933 bitcoind, liquidd: add whitelisted socket (Erik Arvstedt) 8c3a88b2e8 update nixpkgs-unstable (Erik Arvstedt) cc3d43f4e9 bitcoind: set onionPort in bitcoind module (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK aada35fc7b Tree-SHA512: cd9ea2386bd28b0b1fc6a9c1691022f9c4ce40bb92acc6606b4ca55cf8cc57fe20e9bd3d19255c345c4015b1a13d2f292c035c2a05a421031859026f50c7ce20
2021-10-30 15:36:43 +00:00 · 2021-10-30 15:36:43 +00:00 · 3e018d0263
commit 3e018d0263
parent 20d4240919 aada35fc7b
13 changed files with 97 additions and 57 deletions
--- a/README.md
+++ b/README.md
@ -101,6 +101,7 @@ Docs

 Troubleshooting
 ---
-If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.
-There's also a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).
+If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.\
+There's also a Matrix room at [#general:nixbitcoin.org](https://matrix.to/#/#general:nixbitcoin.org)
+and a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).\
 We are always happy to help.
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@ -24,7 +24,7 @@
  # modules by commenting out their respective line.

  ### BITCOIND
-  # Bitcoind is enabled by default.
+  # Bitcoind is enabled by default via secure-node.nix.
  #
  # Set this option to enable pruning with a specified MiB value.
  # clightning is compatible with pruning. See
--- a/flake.lock
+++ b/flake.lock
@ -33,16 +33,16 @@
    },
    "nixpkgsUnstable": {
      "locked": {
-        "lastModified": 1633514490,
-        "narHash": "sha256-wQrUBgyF4EXlz9HgEHrQEj9vbgh6+nO8iXc3XCTQkLA=",
+        "lastModified": 1635295995,
+        "narHash": "sha256-sGYiXjFlxTTMNb4NSkgvX+knOOTipE6gqwPUQpxNF+c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1c1b567985bd1be77601657562ed20299d169529",
+        "rev": "22a500a3f87bbce73bd8d777ef920b43a636f018",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "master",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -6,7 +6,7 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
-    nixpkgsUnstable.url = "github:NixOS/nixpkgs/master";
+    nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -17,12 +17,35 @@ let
      };
      onionPort = mkOption {
        type = types.nullOr types.port;
-        default = null;
+        # When the bitcoind onion service is enabled, add an onion-tagged socket
+        # to distinguish local connections from Tor connections
+        default = if (config.nix-bitcoin.onionServices.bitcoind.enable or false) then 8334 else null;
        description = ''
          Port to listen for Tor peer connections.
          If set, inbound connections to this port are tagged as onion peers.
        '';
      };
+      listen = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:port`
+          and `address:onionPort` (if `onionPort` is set).
+        '';
+      };
+      listenWhitelisted = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:whitelistedPort`.
+          Peers connected through this socket are automatically whitelisted.
+        '';
+      };
+      whitelistedPort = mkOption {
+        type = types.port;
+        default = 8335;
+        description = "See `listenWhitelisted`.";
+      };
      getPublicAddressCmd = mkOption {
        type = types.str;
        default = "";
@ -145,11 +168,6 @@ let
          With `only-outgoing`, incoming i2p connections are disabled.
        '';
      };
-      listen = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Accept incoming connections.";
-      };
      dataDirReadableByGroup = mkOption {
        type = types.bool;
        default = false;
@ -271,15 +289,17 @@ let
    ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}

    # Connection options
+    listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
    ${optionalString cfg.listen
      "bind=${cfg.address}:${toString cfg.port}"}
    ${optionalString (cfg.listen && cfg.onionPort != null)
      "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
+    ${optionalString cfg.listenWhitelisted
+      "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
    ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
    ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
    ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}

-    listen=${if cfg.listen then "1" else "0"}
    ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
    ${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}

--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@ -116,25 +116,20 @@ in {
          "getpeerinfo"
        ];
      };
-      # Enable p2p connections
-      listen = true;
-      extraConfig = ''
-        whitelist=download@${nbLib.address cfg.nbxplorer.address}
-      '';
+      listenWhitelisted = true;
    };
    services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
-    services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
-    services.liquidd = mkIf cfg.btcpayserver.lbtc {
+    services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
      enable = true;
-      # Enable p2p connections
-      listen = true;
-    };
-
-    services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
+      macaroons.btcpayserver = {
        inherit (cfg.btcpayserver) user;
        permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
      };
-
+    };
+    services.liquidd = mkIf cfg.btcpayserver.lbtc {
+      enable = true;
+      listenWhitelisted = true;
+    };
    services.postgresql = {
      enable = true;
      ensureDatabases = [ "btcpaydb" ];
@ -154,14 +149,14 @@ in {
        network=${bitcoind.network}
        btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
        btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
-        btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.port}
+        btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
        bind=${cfg.nbxplorer.address}
        port=${toString cfg.nbxplorer.port}
        ${optionalString cfg.btcpayserver.lbtc ''
          chains=btc,lbtc
          lbtcrpcuser=${liquidd.rpcuser}
          lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
-          lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.port}
+          lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address bitcoind.whitelistedPort}
        ''}
      '';
    in {
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -91,8 +91,10 @@ let
    ${cfg.extraConfig}
  '';

-  # If the clightning onion service is enabled, use the onion port as the public port
-  publicPort = if config.nix-bitcoin.onionServices.clightning.enable or false then
+  # If a public clightning onion service is enabled, use the onion port as the public port
+  publicPort = if (config.nix-bitcoin.onionServices.clightning.enable or false)
+                  && config.nix-bitcoin.onionServices.clightning.public
+               then
                 (builtins.elemAt config.services.tor.relay.onionServices.clightning.map 0).port
               else
                 cfg.port;
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -58,9 +58,7 @@ in {

    services.bitcoind = {
      enable = true;
-      # Enable p2p connections
-      listen = true;
-      extraConfig = "whitelist=download@${nbLib.address cfg.address}";
+      listenWhitelisted = true;
    };

    systemd.tmpfiles.rules = [
@ -88,7 +86,7 @@ in {
          --electrum-rpc-addr=${cfg.address}:${toString cfg.port} \
          --monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \
          --daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \
-          --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.port} \
+          --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} \
          ${cfg.extraArgs}
        '';
        User = cfg.user;
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -15,6 +15,37 @@ let
        default = 7042;
        description = "Override the default port on which to listen for connections.";
      };
+      onionPort = mkOption {
+        type = types.nullOr types.port;
+        # When the liquidd onion service is enabled, add an onion-tagged socket
+        # to distinguish local connections from Tor connections
+        default = if (config.nix-bitcoin.onionServices.liquidd.enable or false) then 7043 else null;
+        description = ''
+          Port to listen for Tor peer connections.
+          If set, inbound connections to this port are tagged as onion peers.
+        '';
+      };
+      listen = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:port`
+          and `address:onionPort` (if `onionPort` is set).
+        '';
+      };
+      listenWhitelisted = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:whitelistedPort`.
+          Peers connected through this socket are automatically whitelisted.
+        '';
+      };
+      whitelistedPort = mkOption {
+        type = types.port;
+        default = 7044;
+        description = "See `listenWhitelisted`.";
+      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
@ -70,13 +101,6 @@ let
        default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
        description = "Connect through SOCKS5 proxy";
      };
-      listen = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          If enabled, the liquid service will listen.
-        '';
-      };
      dbCache = mkOption {
        type = types.nullOr (types.ints.between 4 16384);
        default = null;
@ -153,10 +177,14 @@ let
    ${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"}

    # Connection options
-    ${optionalString cfg.listen "bind=${cfg.address}"}
-    port=${toString cfg.port}
+    listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
+    ${optionalString cfg.listen
+      "bind=${cfg.address}:${toString cfg.port}"}
+    ${optionalString (cfg.listen && cfg.onionPort != null)
+      "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
+    ${optionalString cfg.listenWhitelisted
+      "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
    ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
-    listen=${if cfg.listen then "1" else "0"}

    # RPC server options
    rpcport=${toString cfg.rpc.port}
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@ -43,14 +43,14 @@ let
    };

    netns = mkOption {
-      default = netns;
      readOnly = true;
+      default = netns;
      description = "Exposes netns parameters.";
    };

    bridgeIp = mkOption {
-      default = bridgeIp;
      readOnly = true;
+      default = bridgeIp;
      description = "IP of the netns bridge interface.";
    };
  };
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@ -118,10 +118,6 @@ in {
          externalPort = 80;
        };
      };
-
-      # When the bitcoind onion service is enabled, add an onion-tagged socket
-      # to distinguish local connections from Tor connections
-      services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
    }
  ];
 }
--- a/test/tests.nix
+++ b/test/tests.nix
@ -74,16 +74,14 @@ let
      tests.charge-lnd = cfg.charge-lnd.enable;

      tests.electrs = cfg.electrs.enable;
-      # Sigterm is broken during IBD in version 0.9.0 https://github.com/romanz/electrs/issues/532
-      systemd.services.electrs.serviceConfig.KillSignal = "SIGKILL";

      tests.liquidd = cfg.liquidd.enable;
      services.liquidd.extraConfig = mkIf config.test.noConnections "connect=0";

      tests.btcpayserver = cfg.btcpayserver.enable;
      services.btcpayserver = {
-        lightningBackend = "lnd";
-        lbtc = true;
+        lightningBackend = mkDefault "lnd";
+        lbtc = mkDefault true;
      };
      # Needed to test macaroon creation
      environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);
--- a/test/tests.py
+++ b/test/tests.py
@ -201,6 +201,8 @@ def _():
        f"-X GET https://{ip('lnd')}:8080/v1/getinfo | jq",
        '"version"',
    )
+    # Test web server response
+    assert_matches(f"curl -L {ip('btcpayserver')}:23000", "Welcome to your BTCPay&nbsp;Server")

@test("spark-wallet")
 def _():