This also enables the test scenario 'netnsRegtest' introduced in a
later commit by fixing the following bug:
For unknown reasons, when tor.active=true and tor is not running, lnd
fails with a tor connection error on netns-isolation, but runs fine
without netns-isolation.
- Adds bitcoind-host and tor-socks options to allow use with
network namespaces.
- Adds listen, rpclisten, and restlisten options to specify the host on
which to listen for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
instead of lnd to bring in line with clightning.
WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
db48ab9b69 services: use 'port' option type (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK db48ab9b69
Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to set up service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this change's scope.
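The hardening pattern the commits above describe (ProtectSystem=strict, a tmpfiles-managed data dir, and a separately privileged post-start step instead of PermissionsStartOnly), as an added example module that is not nix-bitcoin's own code: the service name `exampled`, its paths, the `/secrets` directory and the placeholder daemon command are assumptions.

```nix
# Added example (not nix-bitcoin's own module) for a hypothetical service "exampled".
{ config, lib, pkgs, ... }:
let
  dataDir = "/var/lib/exampled";   # assumed data directory
  secretsDir = "/secrets";          # assumed secrets directory, root-owned

  # Only this step needs write access to the secrets dir, so it is split out
  # and run with full privileges via the '+' prefix on ExecStartPost below.
  postStartPrivileged = pkgs.writeScript "exampled-post-start" ''
    #!${pkgs.runtimeShell} -e
    install -m 0640 -o exampled -g exampled \
      '${dataDir}/cookie' '${secretsDir}/exampled-cookie'
  '';
in {
  users.users.exampled = { isSystemUser = true; group = "exampled"; };
  users.groups.exampled = {};

  # Initial data dir creation is handed to tmpfiles, so preStart no longer
  # needs root and PermissionsStartOnly can go.
  systemd.tmpfiles.rules = [ "d '${dataDir}' 0770 exampled exampled - -" ];

  systemd.services.exampled = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    # Runs as User=exampled. NixOS already applies set -e and puts coreutils
    # in PATH; dataDir is quoted in case it ever contains spaces.
    preStart = ''
      if [[ ! -e '${dataDir}/exampled.conf' ]]; then
        echo "rpcport=18443" > '${dataDir}/exampled.conf'
      fi
    '';
    serviceConfig = {
      User = "exampled";
      Group = "exampled";
      ExecStart = "${pkgs.coreutils}/bin/sleep infinity"; # stands in for the daemon
      # '+' lifts User=/Group= and the filesystem sandbox for this one command only
      ExecStartPost = "+${postStartPrivileged}";
      # Whole filesystem read-only except the explicitly listed data dir
      ProtectSystem = "strict";
      ReadWritePaths = [ dataDir ];
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    };
  };
}
```

Check the result with `systemctl show exampled -p ProtectSystem -p ReadWritePaths` and `systemd-analyze security exampled` after switching to the configuration.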
In conjunction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
Each secret file to be deployed is now backed by one local file.
This simplifies 'setup-secrets' and the secret definitions.
Also, with the old format it was not possible to add new secrets
to secrets.nix in a simple way.
Old secrets are automatically converted to the new format when running
nix-shell.
Using the new option 'nix-bitcoin.secrets', secrets are now directly
defined by the services that use them.
- set -e is implicit
- coreutils are in PATH and don't have to be explicitly referenced (echo is a shell builtin anyway)
- exit 0 is unneeded ('if' statements never fail)
Not polluting the main pkgs namespace with internal pkgs makes it
easier to integrate the nix-bitcoin modules into a larger config.
Also, by overriding the nix-bitcoin namespace, users can now easily set the
packages used by services that offer no explicit `package` option, like `clightning`.