heierbtc/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rename nix-bitcoin-services.nix -> lib.nix

Browse Source
This commit is contained in:
Erik Arvstedt 2021-02-03 22:44:41 +01:00 committed by nixbitcoin
parent c0abae97a4
commit a26ed03d77
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
15 changed files with 81 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -82,7 +82,7 @@ Security
---
* **Simplicity:** Only services you select in `configuration.nix` and their dependencies are installed, packages and dependencies are [pinned](pkgs/nixpkgs-pinned.nix), most packages are built from the [NixOS stable channel](https://github.com/NixOS/nixpkgs/tree/nixos-20.09), with a few exceptions that are built from the nixpkgs unstable channel, builds happen in a [sandboxed environment](https://nixos.org/manual/nix/stable/#conf-sandbox), code is continuously reviewed and refined.
* **Integrity:** Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves.
* **Principle of Least Privilege:** Services operate with least privileges; they each have their own user and are restricted further with [systemd options](modules/nix-bitcoin-services.nix), [RPC whitelisting](modules/bitcoind-rpc-public-whitelist.nix), and [netns-isolation](modules/netns-isolation.nix). There's a non-root user *operator* to interact with the various services.
* **Principle of Least Privilege:** Services operate with least privileges; they each have their own user and are restricted further with [systemd options](pkgs/lib.nix), [RPC whitelisting](modules/bitcoind-rpc-public-whitelist.nix), and [netns-isolation](modules/netns-isolation.nix). There's a non-root user *operator* to interact with the various services.
* **Defense-in-depth:** nix-bitcoin is built with a [hardened kernel](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix) by default, services are confined through discretionary access control, Linux namespaces, [dbus firewall](modules/security.nix) and seccomp-bpf with continuous improvements.
Note that if the machine you're deploying *from* is insecure, there is nothing nix-bitcoin can do to protect itself.

16
modules/bitcoind.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.bitcoind;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir;
configFile = pkgs.writeText "bitcoin.conf" ''
@ -291,7 +291,7 @@ in {
'';
description = "Binary to connect with the bitcoind instance.";
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
};
@ -348,7 +348,7 @@ in {
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
fi
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
Type = "notify";
NotifyAccess = "all";
User = "${cfg.user}";
@ -359,9 +359,9 @@ in {
UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP)
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol;
then nbLib.allowTor
else nbLib.allowAnyIP)
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
};
# Use this to update the banlist:
@ -382,11 +382,11 @@ in {
fi
done
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
User = "${cfg.user}";
Group = "${cfg.group}";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.allowTor;
} // nbLib.allowTor;
};
users.users.${cfg.user} = {

18
modules/btcpayserver.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
in {
options.services = {
@ -44,7 +44,7 @@ in {
internal = true;
default = cfg.btcpayserver.enable;
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
btcpayserver = {
@ -90,7 +90,7 @@ in {
example = "btcpayserver";
description = "The prefix for root-relative btcpayserver URLs.";
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
};
@ -132,7 +132,7 @@ in {
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)" \
>> '${cfg.nbxplorer.dataDir}/settings.config'
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
--datadir=${cfg.nbxplorer.dataDir}
@ -143,8 +143,8 @@ in {
ReadWritePaths = cfg.nbxplorer.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.nbxplorer.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
then nbLib.allowTor
else nbLib.allowAnyIP
);
};
@ -181,7 +181,7 @@ in {
} >> ${cfg.btcpayserver.dataDir}/settings.config
''}
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${cfg.btcpayserver.dataDir}/settings.config \
--datadir=${cfg.btcpayserver.dataDir}
@ -192,8 +192,8 @@ in {
ReadWritePaths = cfg.btcpayserver.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.btcpayserver.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
then nbLib.allowTor
else nbLib.allowAnyIP
);
}; in self;

10
modules/clightning.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.clightning;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest";
configFile = pkgs.writeText "config" ''
@ -91,7 +91,7 @@ in {
If left empty, no address is announced.
'';
};
inherit (nix-bitcoin-services) enforceTor;
inherit (nbLib) enforceTor;
};
config = mkIf cfg.enable {
@ -135,15 +135,15 @@ in {
} >> '${cfg.dataDir}/config'
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
User = "${cfg.user}";
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
then nbLib.allowTor
else nbLib.allowAnyIP
);
# Wait until the rpc socket appears
postStart = ''

10
modules/electrs.nix
View File

@ -3,7 +3,7 @@
with lib;
let
cfg = config.services.electrs;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir;
bitcoind = config.services.bitcoind;
in {
@ -51,7 +51,7 @@ in {
default = "";
description = "Extra command line arguments passed to electrs.";
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
config = mkIf cfg.enable {
@ -76,7 +76,7 @@ in {
echo "cookie = \"${bitcoind.rpc.users.public.name}:$(cat ${secretsDir}/bitcoin-rpcpassword-public)\"" \
> electrs.toml
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
RuntimeDirectory = "electrs";
RuntimeDirectoryMode = "700";
WorkingDirectory = "/run/electrs";
@ -104,8 +104,8 @@ in {
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${bitcoind.dataDir}" else ""}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
then nbLib.allowTor
else nbLib.allowAnyIP
);
};

6
modules/joinmarket-ob-watcher.nix
View File

@ -3,7 +3,7 @@
with lib;
let
cfg = config.services.joinmarket-ob-watcher;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
configFile = builtins.toFile "config" ''
@ -76,7 +76,7 @@ in {
preStart = ''
ln -snf ${configFile} ${cfg.dataDir}/joinmarket.cfg
'';
serviceConfig = nix-bitcoin-services.defaultHardening // rec {
serviceConfig = nbLib.defaultHardening // rec {
StateDirectory = "joinmarket-ob-watcher";
StateDirectoryMode = "0770";
WorkingDirectory = "${cfg.dataDir}"; # The service creates dir 'logs' in the working dir
@ -87,7 +87,7 @@ in {
User = cfg.user;
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.allowTor;
} // nbLib.allowTor;
};
users.users.${cfg.user} = {

16
modules/joinmarket.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.joinmarket;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
secretsDir = config.nix-bitcoin.secretsDir;
@ -137,7 +137,7 @@ in {
readOnly = true;
default = true;
};
inherit (nix-bitcoin-services) cliExec;
inherit (nbLib) cliExec;
};
config = mkIf cfg.enable (mkMerge [{
@ -177,15 +177,15 @@ in {
requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ];
path = [ pkgs.sudo ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStartPre = nix-bitcoin-services.privileged ''
serviceConfig = nbLib.defaultHardening // {
ExecStartPre = nbLib.privileged ''
install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg
sed -i \
"s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \
'${cfg.dataDir}/joinmarket.cfg'
'';
# Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
ExecStartPost = mkIf (bitcoind.network == "mainnet") (nix-bitcoin-services.privileged ''
ExecStartPost = mkIf (bitcoind.network == "mainnet") (nbLib.privileged ''
walletname=wallet.jmdat
pw=$(cat "${secretsDir}"/jm-wallet-password)
mnemonic=${secretsDir}/jm-wallet-seed
@ -207,7 +207,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.allowTor;
} // nbLib.allowTor;
};
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
@ -239,14 +239,14 @@ in {
pw=$(cat "${secretsDir}"/jm-wallet-password)
echo "echo -n $pw | ${start}" > $RUNTIME_DIRECTORY/start
'';
serviceConfig = nix-bitcoin-services.defaultHardening // rec {
serviceConfig = nbLib.defaultHardening // rec {
RuntimeDirectory = "joinmarket-yieldgenerator"; # Only used to create start script
RuntimeDirectoryMode = "700";
WorkingDirectory = "${cfg.dataDir}"; # The service creates dir 'logs' in the working dir
ExecStart = "${pkgs.bash}/bin/bash /run/${RuntimeDirectory}/start";
User = "${cfg.user}";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.allowTor;
} // nbLib.allowTor;
};
})
]);

10
modules/lightning-loop.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.lightning-loop;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir;
network = config.services.bitcoind.network;
rpclisten = "${cfg.rpcAddress}:${toString cfg.rpcPort}";
@ -80,7 +80,7 @@ in {
'';
description = "Binary to connect with the lightning-loop instance.";
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
config = mkIf cfg.enable {
@ -96,15 +96,15 @@ in {
wantedBy = [ "multi-user.target" ];
requires = [ "lnd.service" ];
after = [ "lnd.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
User = "lnd";
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP);
then nbLib.allowTor
else nbLib.allowAnyIP);
};
nix-bitcoin.secrets = {

10
modules/liquid.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.liquidd;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
secretsDir = config.nix-bitcoin.secretsDir;
pidFile = "${cfg.dataDir}/liquidd.pid";
@ -203,7 +203,7 @@ in {
'';
description = "Binary for managing liquid swaps.";
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
};
@ -232,7 +232,7 @@ in {
echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/elements.conf'
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
Type = "simple";
User = "${cfg.user}";
Group = "${cfg.group}";
@ -241,8 +241,8 @@ in {
Restart = "on-failure";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
then nbLib.allowTor
else nbLib.allowAnyIP
);
};

18
modules/lnd.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.lnd;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir;
bitcoind = config.services.bitcoind;
@ -144,7 +144,7 @@ in {
If left empty, no address is announced.
'';
};
inherit (nix-bitcoin-services) enforceTor;
inherit (nbLib) enforceTor;
};
config = mkIf cfg.enable {
@ -186,7 +186,7 @@ in {
''}
} >> '${cfg.dataDir}/lnd.conf'
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
RuntimeDirectory = "lnd"; # Only used to store custom macaroons
RuntimeDirectoryMode = "711";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
@ -198,7 +198,7 @@ in {
restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1";
in [
# Run fully privileged for secrets dir write access
"+${nix-bitcoin-services.script ''
"+${nbLib.script ''
attempts=250
while ! { exec 3>/dev/tcp/${cfg.restAddress}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do
((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; }
@ -215,7 +215,7 @@ in {
fi
chown lnd: "$mnemonic"
''}"
"${nix-bitcoin-services.script ''
"${nbLib.script ''
if [[ ! -f ${networkDir}/wallet.db ]]; then
echo Create lnd wallet
@ -248,7 +248,7 @@ in {
''}"
# Run fully privileged for chown
"+${nix-bitcoin-services.script ''
"+${nbLib.script ''
umask ug=r,o=
${lib.concatMapStrings (macaroon: ''
echo "Create custom macaroon ${macaroon}"
@ -265,9 +265,9 @@ in {
''}"
];
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
then nbLib.allowTor
else nbLib.allowAnyIP
) // nbLib.allowAnyProtocol; # For ZMQ
};
users.users.lnd = {

10
modules/modules.nix
View File

@ -35,17 +35,17 @@ with lib;
disabledModules = [ "services/networking/bitcoind.nix" ];
options = {
nix-bitcoin-services = mkOption {
readOnly = true;
default = import ./nix-bitcoin-services.nix lib pkgs;
};
nix-bitcoin = {
pkgs = mkOption {
type = types.attrs;
default = (import ../pkgs { inherit pkgs; }).modulesPkgs;
};
lib = mkOption {
readOnly = true;
default = import ../pkgs/lib.nix lib pkgs;
};
# Torify binary that works with custom Tor SOCKS addresses
# Related issue: https://github.com/NixOS/nixpkgs/issues/94236
torify = mkOption {

4
modules/onion-addresses.nix
View File

@ -10,7 +10,7 @@ with lib;
let
cfg = config.nix-bitcoin.onionAddresses;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
in {
options.nix-bitcoin.onionAddresses = {
access = mkOption {
@ -47,7 +47,7 @@ in {
wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
Type = "oneshot";
RemainAfterExit = true;
StateDirectory = "onion-addresses";

10
modules/recurring-donations.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.recurring-donations;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
LNCLI="${config.nix-bitcoin.pkgs.clightning}/bin/lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
pay_tallycoin() {
@ -75,7 +75,7 @@ in {
Random delay to add to scheduled time for donation. Default is one day.
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
enforceTor = nbLib.enforceTor;
};
config = mkIf cfg.enable {
@ -93,13 +93,13 @@ in {
requires = [ "clightning.service" ];
after = [ "clightning.service" ];
path = with pkgs; [ nix-bitcoin.clightning curl sudo jq ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
User = "recurring-donations";
Type = "oneshot";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP);
then nbLib.allowTor
else nbLib.allowAnyIP);
};
systemd.timers.recurring-donations = {
requires = [ "clightning.service" ];

12
modules/spark-wallet.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.spark-wallet;
inherit (config) nix-bitcoin-services;
nbLib = config.nix-bitcoin.lib;
# Use wasabi rate provider because the default (bitstamp) doesn't accept
# connections through Tor
@ -54,7 +54,7 @@ in {
encodes an URL for accessing the web interface.
'';
};
inherit (nix-bitcoin-services) enforceTor;
inherit (nbLib) enforceTor;
};
config = mkIf cfg.enable {
@ -73,14 +73,14 @@ in {
requires = [ "clightning.service" ];
after = [ "clightning.service" ];
script = startScript;
serviceConfig = nix-bitcoin-services.defaultHardening // {
serviceConfig = nbLib.defaultHardening // {
User = "spark-wallet";
Restart = "on-failure";
RestartSec = "10s";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP)
// nix-bitcoin-services.nodejs;
then nbLib.allowTor
else nbLib.allowAnyIP)
// nbLib.nodejs;
};
nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";
};

10
modules/nix-bitcoin-services.nix → pkgs/lib.nix
View File

@ -1,9 +1,9 @@
# See `man systemd.exec` and `man systemd.resource-control` for an explanation
# of the various systemd options available through this module.
lib: pkgs:
with lib;
# See `man systemd.exec` and `man systemd.resource-control` for an explanation
# of the systemd-related options available through this module.
let self = {
# These settings roughly follow systemd's "strict" security profile
defaultHardening = {
@ -46,8 +46,8 @@ let self = {
type = types.bool;
default = false;
description = ''
"Whether to force Tor on a service by only allowing connections from and
to 127.0.0.1;";
Whether to force Tor on a service by only allowing connections from and
to 127.0.0.1;
'';
};