Skip to content

Commit

Permalink
Merge #152: Rename nix-bitcoin.nix to presets/secure-node.nix
Browse files Browse the repository at this point in the history
bceaa36 operator: allow reading systemd journal (Erik Arvstedt)
145961c fix operator authorized keys setup (Erik Arvstedt)
37b2faf move systemPackages definitions to services (Erik Arvstedt)
6c22e13 copy-root-authorized-keys: use inline script definition (Erik Arvstedt)
63c6fe3 fixup! use '' for multi-line string (Erik Arvstedt)
ab61794 extract variable 'cfg' (Erik Arvstedt)
36c84d8 add option clightning.onionport (Erik Arvstedt)
681dbaf move electrs.onionport option (Erik Arvstedt)
74fbfa3 use lib.optionals (Erik Arvstedt)
ec6d33f rearrange code sections (Erik Arvstedt)
e16ddc9 extract 'mkHiddenService' (Erik Arvstedt)
89d3d58 use mkIf (Erik Arvstedt)
85e52a0 improve grouping of suboptions (Erik Arvstedt)
1a63f0c remove option 'services.nix-bitcoin.enable' (Erik Arvstedt)
0f8b2e9 add nix-bitcoin.nix for backwards compatibility (Erik Arvstedt)
28792f7 rename nix-bitcoin.nix -> presets/secure-node.nix (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK bceaa36

Tree-SHA512: d9c691d862c73f47399c97a50d9fa70ca934f82e8d9664bedacd5cc013fea040ec0431981aba78ade7f607d30809a5bab68effd627904e2cfa990e9d2612bf11
  • Loading branch information
jonasnick committed Apr 12, 2020
2 parents d7d7070 + bceaa36 commit 1131c79
Show file tree
Hide file tree
Showing 14 changed files with 189 additions and 203 deletions.
9 changes: 3 additions & 6 deletions examples/configuration.nix
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

{ config, pkgs, lib, ... }: {
imports = [
<nix-bitcoin/modules/nix-bitcoin.nix>
<nix-bitcoin/modules/presets/secure-node.nix>

# FIXME: The hardened kernel profile improves security but
# decreases performance by ~50%.
Expand All @@ -18,15 +18,12 @@
#./hardware-configuration.nix
];
# FIXME: Enable modules by uncommenting their respective line. Disable
# modules by commenting out their respective line. Enable this module to
# use the nix-bitcoin node configuration. Only disable this if you know what
# you are doing.
services.nix-bitcoin.enable = true;
# modules by commenting out their respective line.

### BITCOIND
# Bitcoind is enabled by default if nix-bitcoin is enabled
#
# You can override default settings from nix-bitcoin.nix as follows
# You can override default settings from secure-node.nix as follows
# services.bitcoind.prune = lib.mkForce 100000;
#
# You can add options that are not defined in modules/bitcoind.nix as follows
Expand Down
2 changes: 1 addition & 1 deletion modules/bitcoind.nix
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,7 @@ in {
};

config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
systemd.services.bitcoind = {
description = "Bitcoin daemon";
requires = [ "nix-bitcoin-secrets.target" ];
Expand Down
1 change: 1 addition & 0 deletions modules/clightning.nix
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ in {
};

config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.nix-bitcoin.clightning (hiPrio cfg.cli) ];
users.users.clightning = {
description = "clightning User";
group = "clightning";
Expand Down
2 changes: 1 addition & 1 deletion modules/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
lightning-charge = ./lightning-charge.nix;
liquid = ./liquid.nix;
nanopos = ./nanopos.nix;
nix-bitcoin = ./nix-bitcoin.nix;
presets.secure-node = ./presets/secure-node.nix;
nix-bitcoin-webindex = ./nix-bitcoin-webindex.nix;
spark-wallet = ./spark-wallet.nix;
recurring-donations = ./recurring-donations.nix;
Expand Down
7 changes: 2 additions & 5 deletions modules/electrs.nix
Original file line number Diff line number Diff line change
Expand Up @@ -44,11 +44,6 @@ in {
default = 50001;
description = "RPC port.";
};
onionport = mkOption {
type = types.ints.u16;
default = 50002;
description = "Port on which to listen for tor client connections.";
};
extraArgs = mkOption {
type = types.separatedString " ";
default = "";
Expand All @@ -66,6 +61,8 @@ in {
};

config = mkIf cfg.enable (mkMerge [{
environment.systemPackages = [ pkgs.nix-bitcoin.electrs ];

systemd.services.electrs = {
description = "Electrs Electrum Server";
wantedBy = [ "multi-user.target" ];
Expand Down
12 changes: 9 additions & 3 deletions modules/hardware-wallets.nix
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,16 @@ in {
};

config = mkMerge [
{
# Create group
(mkIf (cfg.ledger || cfg.trezor) {
environment.systemPackages = with pkgs; [
nix-bitcoin.hwi
# Provides lsusb for debugging
usbutils
];
users.groups."${cfg.group}" = {};
}
})
(mkIf cfg.ledger {

# Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
# Don't use rules from nixpkgs because we want to use our own group.
services.udev.packages = lib.singleton (pkgs.writeTextFile {
Expand All @@ -48,6 +53,7 @@ in {
});
})
(mkIf cfg.trezor {
environment.systemPackages = [ pkgs.python3.pkgs.trezor ];
# Don't use rules from nixpkgs because we want to use our own group.
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "trezord-udev-rules";
Expand Down
1 change: 1 addition & 0 deletions modules/lightning-charge.nix
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ in {
};

config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.nix-bitcoin.lightning-charge ];
systemd.services.lightning-charge = {
description = "Run lightning-charge";
wantedBy = [ "multi-user.target" ];
Expand Down
6 changes: 5 additions & 1 deletion modules/liquid.nix
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,11 @@ in {
};

config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.nix-bitcoin.elementsd ];
environment.systemPackages = [
pkgs.nix-bitcoin.elementsd
(hiPrio cfg.cli)
(hiPrio cfg.swap-cli)
];
systemd.services.liquidd = {
description = "Elements daemon providing access to the Liquid sidechain";
requires = [ "bitcoind.service" ];
Expand Down
2 changes: 1 addition & 1 deletion modules/lnd.nix
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ in {
};

config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
systemd.services.lnd = {
description = "Run LND";
path = [ pkgs.nix-bitcoin.bitcoind ];
Expand Down
2 changes: 1 addition & 1 deletion modules/nanopos.nix
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ in {
};

config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.nix-bitcoin.nanopos ];
systemd.services.nanopos = {
description = "Run nanopos";
wantedBy = [ "multi-user.target" ];
Expand All @@ -60,7 +61,6 @@ in {
serviceConfig = {
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";

User = "nanopos";
Restart = "on-failure";
RestartSec = "10s";
Expand Down
190 changes: 8 additions & 182 deletions modules/nix-bitcoin.nix
Original file line number Diff line number Diff line change
@@ -1,183 +1,9 @@
{ config, lib, pkgs, ... }:

with lib;

let
cfg = config.services.nix-bitcoin;
operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''
mkdir -p ${config.users.users.operator.home}/.ssh
if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then
cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys
fi
if [ -e "/etc/ssh/authorized_keys.d/root" ]; then
cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys
fi
chown -R operator ${config.users.users.operator.home}/.ssh
'';
in {
imports = [ ./modules.nix ];

options.services.nix-bitcoin = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the nix-bitcoin service will be installed.
'';
};
};

config = mkIf cfg.enable {
nix-bitcoin.secretsDir = mkDefault "/secrets";

networking.firewall.enable = true;

# Tor
services.tor.enable = true;
services.tor.client.enable = true;
# LND uses ControlPort to create onion services
services.tor.controlPort = if config.services.lnd.enable then 9051 else null;

# Tor SSH service
services.tor.hiddenServices.sshd = {
map = [{
port = 22;
}];
version = 3;
};

# bitcoind
services.bitcoind.enable = true;
services.bitcoind.listen = true;
services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
services.bitcoind.enforceTor = true;
services.bitcoind.port = 8333;
services.bitcoind.zmqpubrawblock = "tcp://127.0.0.1:28332";
services.bitcoind.zmqpubrawtx = "tcp://127.0.0.1:28333";
services.bitcoind.assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
services.bitcoind.addnodes = [ "ecoc5q34tmbq54wl.onion" ];
services.bitcoind.discover = false;
services.bitcoind.addresstype = "bech32";
services.bitcoind.prune = 0;
services.bitcoind.dbCache = 1000;
services.tor.hiddenServices.bitcoind = {
map = [{
port = config.services.bitcoind.port;
}];
version = 3;
};

# clightning
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
services.clightning.proxy = config.services.tor.client.socksListenAddress;
services.clightning.enforceTor = true;
services.clightning.always-use-proxy = true;
services.clightning.bind-addr = "127.0.0.1:9735";
services.tor.hiddenServices.clightning = {
map = [{
port = 9735; toPort = 9735;
}];
version = 3;
};

# lnd
services.lnd.enforceTor = true;

# Create user operator which can use bitcoin-cli and lightning-cli
users.users.operator = {
isNormalUser = true;
extraGroups = [ config.services.bitcoind.group ]
++ (if config.services.clightning.enable then [ "clightning" ] else [ ])
++ (if config.services.lnd.enable then [ "lnd" ] else [ ])
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ])
++ (if (config.services.hardware-wallets.ledger || config.services.hardware-wallets.trezor)
then [ config.services.hardware-wallets.group ] else [ ]);
};
# Give operator access to onion hostnames
services.onion-chef.enable = true;
services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
# https://github.com/ElementsProject/lightning/issues/1366
security.sudo.configFile =
(optionalString config.services.clightning.enable ''
operator ALL=(clightning) NOPASSWD: ALL
'') +
(optionalString config.services.lnd.enable ''
operator ALL=(lnd) NOPASSWD: ALL
'');

# Give root ssh access to the operator account
systemd.services.copy-root-authorized-keys = {
description = "Copy root authorized keys";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";
user = "root";
type = "oneshot";
};
};

services.nix-bitcoin-webindex.enforceTor = true;

services.liquidd.rpcuser = "liquidrpc";
services.liquidd.prune = 1000;
services.liquidd.extraConfig = "
mainchainrpcuser=${config.services.bitcoind.rpcuser}
mainchainrpcport=8332
";
services.liquidd.validatepegin = true;
services.liquidd.listen = true;
services.liquidd.proxy = config.services.tor.client.socksListenAddress;
services.liquidd.enforceTor = true;
services.liquidd.port = 7042;
services.tor.hiddenServices.liquidd = {
map = [{
port = config.services.liquidd.port; toPort = config.services.liquidd.port;
}];
version = 3;
};

services.spark-wallet.onion-service = true;
services.electrs.port = 50001;
services.electrs.enforceTor = true;
services.electrs.onionport = 50002;
services.electrs.TLSProxy.enable = true;
services.electrs.TLSProxy.port = 50003;
services.tor.hiddenServices.electrs = {
map = [{
port = config.services.electrs.onionport; toPort = config.services.electrs.TLSProxy.port;
}];
version = 3;
};
environment.systemPackages = with pkgs; with nix-bitcoin; let
s = config.services;
in
[
tor
bitcoind
(hiPrio s.bitcoind.cli)
nodeinfo
jq
qrencode
]
++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]
++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]
++ optionals s.lightning-charge.enable [lightning-charge]
++ optionals s.nanopos.enable [nanopos]
++ optionals s.nix-bitcoin-webindex.enable [nginx]
++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]
++ optionals s.spark-wallet.enable [spark-wallet]
++ optionals s.electrs.enable [electrs]
++ optionals (s.hardware-wallets.ledger || s.hardware-wallets.trezor) [
hwi
# To allow debugging issues with lsusb
usbutils
]
++ optionals s.hardware-wallets.trezor [
python3.pkgs.trezor
];
};
# This file exists only for backwards compatibility

{ lib, ... }:
{
imports = [
./presets/secure-node.nix
(lib.mkRemovedOptionModule [ "services" "nix-bitcoin" "enable" ] "Please directly import ./presets/secure-node.nix")
]
}
Loading

0 comments on commit 1131c79

Please sign in to comment.