Commit Graph

593 Commits

Author SHA1 Message Date
Erik Arvstedt
8616254d63
bitcoind-rpc-public-whitelist: remove waitfornewblock
This is an internal testing function and it's no longer used by electrs.
2021-11-02 17:40:43 +01:00
Erik Arvstedt
49086abcc5
liquidd: use systemd startup notification 2021-11-02 17:40:43 +01:00
Jonas Nick
bac8518e7c
secure-node: stop pruning liquidd
There is no security reason why pruning should be enabled and therefore it
surprises users. Turning on pruning in the first place was simply a mistake.
2021-10-31 14:37:56 +00:00
Jonas Nick
347a0f3aee
secure-node: add dummy option to determine if the preset is enabled
This is useful for versioning.nix.
2021-10-31 14:00:46 +00:00
Erik Arvstedt
aada35fc7b
minor improvements
- README: add matrix room

- examples/configuration.nix: explain why bitcoind is enabled by default

- btcpayserver: group lnd service settings

- clightning:
  Use public onion port only when the onion service is public

  This allows users to enable the onion service while announcing a
  non-onion public address.

- netns-isolation: move `readOnly` attr to the top

- tests: use mkDefault to allow for easier overriding

- tests/btcpayserver: test web server response
2021-10-30 15:34:48 +02:00
Erik Arvstedt
1da23cd933
bitcoind, liquidd: add whitelisted socket
This allows whitelisting local services without implicitly
whitelisting all inbound onion connections, which would happen when
setting bitcoind/liquidd option `whitelist=localhost`.

Used by electrs and nbxplorer, which requires the unsafe `mempool`
permission.
2021-10-29 18:28:31 +02:00
Erik Arvstedt
8c3a88b2e8
update nixpkgs-unstable
Switch back from nixpkgs master to unstable.

Pkg updates:
btcpayserver: 1.2.3 -> 1.2.4
electrs: 0.9.0 -> 0.9.1
elementsd: 0.18.1.12 -> 0.21.0
lightning-pool: 0.5.0-alpha -> 0.5.1-alpha
nbxplorer: 2.2.5 -> 2.2.11

- liquidd:
  add `onionPort` like in bitcoind

- tests/electrs:
  remove KillSignal workaround
2021-10-29 17:59:25 +02:00
Erik Arvstedt
cc3d43f4e9
bitcoind: set onionPort in bitcoind module
This removes the module-level dependency from onion-services to
bitcoind.
Due to the `or false` fallback, there's no dependency added in
the reverse direction.

In particular, this allows us to not add a dependency on liquidd in
the following commit.
2021-10-28 22:24:24 +02:00
Jonas Nick
20d4240919
Merge fort-nix/nix-bitcoin#410: joinmarket: 0.9.2 -> 0.9.3
d5ce1c43a8 test: make joinmarket work with regtest (nixbitcoin)
a10aa21c69 joinmarket: 0.9.2 -> 0.9.3 (nixbitcoin)
721ba1aeba python-packages: separate `specific-versions` pkgs (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK d5ce1c43a8
  jonasnick:
    light utACK d5ce1c43a8

Tree-SHA512: 5ddccbf9a88640086d14051283b59e704364d4d5f3f6aa6c698d88d8a6634ac9a7b525b11cf1670c9aaa6a797635bc23e135972d9bc8c909ec51b58fe57e8f5c
2021-10-28 09:50:22 +00:00
nixbitcoin
d5ce1c43a8
test: make joinmarket work with regtest 2021-10-27 16:08:28 +02:00
nixbitcoin
a10aa21c69
joinmarket: 0.9.2 -> 0.9.3 2021-10-27 16:02:59 +02:00
kon
b6d1928e90 clightning: add public port
Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
2021-10-26 21:34:33 +02:00
Jonas Nick
bfe8ac972c
Merge fort-nix/nix-bitcoin#405: bitcoind: add separate p2p socket for tor connections
ec4a4dbe41 btcpayserver: fix whitelist security issue (Erik Arvstedt)
df2070b44a bitcoind: add separate p2p socket for tor connections (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ec4a4dbe41

Tree-SHA512: 457bfb5806dca65507261c1868ca89c86a39f63bd10833b7531fd74dd779816083270c8ccc95ad08a5306e9b31c440904e3cba35464d47c0d87418d0be3e732d
2021-10-21 12:17:17 +00:00
Erik Arvstedt
ec4a4dbe41
btcpayserver: fix whitelist security issue
Whitelisting localhost implicitly whitelists all inbound onion
connections. This prevents banning misbehaving inbound onion peers
and enables message `mempool` which can cause privacy leaks.

Instead, grant `download` as the single bitcoind whitelist permission, which
should be safe for onion peers.
Remove liquidd whitelisting because it doesn't support fine-grained permissions.

After a cursory glance at the nbxplorer code I think that nbxplorer
requires none of the other default whitelist permissions (noban, mempool,
relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
2021-10-21 11:40:40 +02:00
Erik Arvstedt
df2070b44a
bitcoind: add separate p2p socket for tor connections
This re-enables onion tagging while still supporting untagged connections.

Onion sockets are not yet supported in the latest liquidd/elements
version 0.18.1.12 available on nixpkgs.
2021-10-21 11:40:40 +02:00
Jonas Nick
8b1b06311d
Merge fort-nix/nix-bitcoin#406: bitcoind: one-option i2p support
63836127c9 bitcoind: one-option i2p support (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 63836127c9
  jonasnick:
    utACK 63836127c9

Tree-SHA512: be7806657885ba455e7137dfc8c20ea4d58898b04db030a964aafbde1c505041a1f9e700654ad9c75ab2bb9267174bdbe84c9d7e4de63a09508b72fbd5c8f1a1
2021-10-15 11:02:09 +00:00
Jonas Nick
2250b9bcb7
Merge fort-nix/nix-bitcoin#408: joinmarket: 0.9.1 -> 0.9.2
3781a85c9b joinmarket: enable Agora as a third IRC server (nixbitcoin)
ced1637d07 joinmarket: share IRC server definitions between jm and ob-watcher (Erik Arvstedt)
59fc003ebd joinmarket: 0.9.1 -> 0.9.2 (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 3781a85c9b

Tree-SHA512: 5ec919d2291ecf96fb4ca880f3dbeabff13f2bab71822db893ebbaba1b95463666b098ccc1412a1b56f327a231e10c1f2d47feb0f520fce349ab243d398bf7b4
2021-10-15 10:58:01 +00:00
nixbitcoin
3781a85c9b
joinmarket: enable Agora as a third IRC server 2021-10-13 14:45:52 +02:00
Erik Arvstedt
ced1637d07
joinmarket: share IRC server definitions between jm and ob-watcher
Also add server name comments.
2021-10-13 14:44:36 +02:00
kon
40ab4b368a add lnd TimoutSec 2021-10-12 21:56:59 +02:00
nixbitcoin
63836127c9
bitcoind: one-option i2p support 2021-10-12 10:22:09 +00:00
Erik Arvstedt
8938eadf0c
bitcoind: don't tag all incoming connections as 'Tor'
We're also accepting local, non-Tor connections.
2021-10-06 16:55:41 +02:00
Erik Arvstedt
75b89f3957
electrs: adapt to version 0.9.0
- `waitfornewblock` was previously not included in the public RPC
  whitelist because it's reserved for testing and marked as hidden
  in bitcoind.

- electrs changed its verbosity settings. `-vv` is now the best choice
  for normal usage.

- bitcoind option `dataDirReadableByGroup` is now unused.
  Because it can be valuable for other use cases and implementing
  it is intricate, we're keeping it for now.

- test: keep `nc` connection open because otherwise the electrs
  RPC server would now close the connection before sending a response.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
6d694a6269
backups: allow extraFiles to override default settings
By moving them to the top they take precedence over the remaining
filelist entries.
2021-10-06 11:27:52 +02:00
Erik Arvstedt
0c45415c86
backups: exclude bitcoind, liquidd txindex data 2021-10-06 11:27:52 +02:00
Erik Arvstedt
b73c093d3d
joinmarket-ob-watcher: require nix-bitcoin.service
This caused failures in the tests which were ignored because
ob-watcher was expected to fail for other reasons.
2021-10-06 11:27:47 +02:00
Erik Arvstedt
c8251cdad7
onion-services: don't always enable Tor
Previously, Tor was always enabled because `cfg` was always nonempty
(via definitions at `Set sensible defaults for some services`).
Now only enable Tor if there are active onion services.

Also rename var `services` -> `onionServices` to improve readability in
section `Set getPublicAddressCmd ...` where the same name is also used for
option `config.services`.
2021-10-05 15:11:41 +02:00
Erik Arvstedt
4d5bc810eb
secrets: fix setup-secrets in case of no secrets
Previously, the glob (*) returned '*' when no files existed in the
secrets dir, leading to error `chown: cannot access '*'`.

Now `unprocessedFiles` is empty when there are no secrets.

Also remove the unneeded sorting of `unprocessedFiles` and
remove redundant leading zero in the default mode.
2021-10-04 00:33:27 +02:00
Erik Arvstedt
a92d6a8e80
netns: expose bridgeIp as an option
Previously, this variable was not accessible to other modules.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
f36df8f563
secure-node: remove redundant bitcoind settings
- `discover` is automatically disabled by bitcoind because we're
   setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype
2021-10-04 00:33:26 +02:00
Erik Arvstedt
09169365d8
liquid: remove unused features
- `hexStr` is unused
- Simplify ExecStart options
- Quote `dataDir`
- Remove unneeded `pidFile` setting
2021-10-04 00:33:26 +02:00
Erik Arvstedt
82d910e937
nbxplorer: fix bitcoind, liquidd settings
- Add nbxplorer to whitelists.
  This is recommended by the nbxplorer docs and guarantees that nbxplorer
  can always p2p-connect to bitcoind/liquidd.

- Enable bitcoind/liquidd p2p servers via `listen`.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
f61e928139
services: support 0.0.0.0/:: in address options
Previously, client services didn't decode these special INADDR_ANY
addresses and failed to connect.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
1848c3dd98
btcpayserver: minor improvements
- Quote datadir
- Extract liquidd service variable
- Move btcpayserver below liquid in modules list because it depends
  on liquid
2021-10-01 11:52:57 +02:00
Erik Arvstedt
e561637600
minor fixes
- bitcoind: Remove obsolete defaultText
- clightning: Fix description
  Option `address` can't be used to specify a socket path because it's
  used explicitly as an IP address in many places.
- lnd: Break up overlong line
  This is required by commit `services: support 0.0.0.0/:: in `address` options`
- nix-bitcoin.nix: Formatting
- secrets: Improve descriptions
2021-10-01 11:52:56 +02:00
Jonas Nick
5626558222
Merge fort-nix/nix-bitcoin#397: backups: make extraFiles list of strings
c483f1694d examples: correct localBackups scp command (nixbitcoin)
cb54891484 backups: make extraFiles list of strings (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK c483f1694d

Tree-SHA512: cb178382655e70aaf85f5930ec7a2c631c28e4c447d0b5d02d973eb73e3bd902ab091cc496d79efbfba5355b9574cb5ba6dd5a4d395b0cda4e3da715fd88d9c5
2021-09-25 10:34:51 +00:00
nixbitcoin
cb54891484
backups: make extraFiles list of strings 2021-09-24 11:38:47 +00:00
Jonas Nick
0c31130ac8
secure-node: remove default bitcoin addnode
Onion v2 addresses are incompatible with the upcoming bitcoind version.
2021-09-19 20:03:40 +00:00
Erik Arvstedt
9114ec669a
lnd: improve options formatting 2021-09-16 12:51:00 +02:00
Erik Arvstedt
c8774375d3
modules: use consistent service variables
Benefits of adding top-level variables for used services:
- Makes it obvious which other services are referenced by a service
- Less code

We already do this in many other places.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
ad97c268c6
modules: move user/group options to bottom
These are insignificant, generic options; place them above readonly options.
We already do this in other services.

Also move user/group config to bottom in spark-wallet.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
27c45b82cc
modules: move options to the top
This greatly improves readability and makes it easier to discover options.

This commit was genereated by running the following script inside the
repo root dir:

#!/usr/bin/env ruby

def transform(src)
  return false if src.include?('inherit options;')

  success = false

  options = nil
  src.sub!(/^  options.*?^  }.*?;/m) do |match|
    options = match
    "  inherit options;"
  end
  return false if !options

  src.sub!(/^with lib;\s*let\n+/m) do |match|
    success = true
    <<~EOF
      with lib;
      let
      #{options}

    EOF
  end

  success
end

Dir['modules/**/*.nix'].each do |f|
  src = File.read(f)
  if transform(src)
    puts "Changed file #{f}"
    File.write(f, src)
  end
end
2021-09-13 13:41:47 +02:00
Erik Arvstedt
731cf647ff
modules: remove unneeded use of options module arg
Needed by the following commit.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
a2466b1127
secrets: allow extending generate-secrets
`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependant on the node configuration.
2021-09-12 11:29:54 +02:00
Erik Arvstedt
82a2b148d8
secrets: minor fixes
- Improve comment.
- `secretsSetupMethod` is not internal because it can be set to "manual"
  by the user.
2021-09-11 15:07:24 +02:00
Erik Arvstedt
2c8e29b35b
lnd: extract option certPath
Improves service encapsulation.
2021-09-11 15:07:24 +02:00
Erik Arvstedt
be12a49933
lightning-pool/loop: extract lnd variable 2021-09-11 15:07:24 +02:00
Erik Arvstedt
5087ce245f
minor cleanups
- btcpayserver: remove unneeded trailing semicolons

- krops/get-sha256:
  `tail` is unneeded because `nix-prefetch-url` just outputs a single
  line containing the hash.
2021-09-11 15:07:23 +02:00
Erik Arvstedt
0d2db4e79f
backups: add option postgresqlDatabases
This simplifies defining postgresql backups.
This change is covered by tests.py.
2021-09-11 15:07:23 +02:00
Erik Arvstedt
9730be9282
joinmarket-yieldgenerator: simplify start script 2021-08-30 13:37:05 +02:00