Merge #152: Rename nix-bitcoin.nix to presets/secure-node.nix

bceaa36 operator: allow reading systemd journal (Erik Arvstedt)
145961c fix operator authorized keys setup (Erik Arvstedt)
37b2faf move systemPackages definitions to services (Erik Arvstedt)
6c22e13 copy-root-authorized-keys: use inline script definition (Erik Arvstedt)
63c6fe3 fixup! use '' for multi-line string (Erik Arvstedt)
ab61794 extract variable 'cfg' (Erik Arvstedt)
36c84d8 add option clightning.onionport (Erik Arvstedt)
681dbaf move electrs.onionport option (Erik Arvstedt)
74fbfa3 use lib.optionals (Erik Arvstedt)
ec6d33f rearrange code sections (Erik Arvstedt)
e16ddc9 extract 'mkHiddenService' (Erik Arvstedt)
89d3d58 use mkIf (Erik Arvstedt)
85e52a0 improve grouping of suboptions (Erik Arvstedt)
1a63f0c remove option 'services.nix-bitcoin.enable' (Erik Arvstedt)
0f8b2e9 add nix-bitcoin.nix for backwards compatibility (Erik Arvstedt)
28792f7 rename nix-bitcoin.nix -> presets/secure-node.nix (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK bceaa36

Tree-SHA512: d9c691d862c73f47399c97a50d9fa70ca934f82e8d9664bedacd5cc013fea040ec0431981aba78ade7f607d30809a5bab68effd627904e2cfa990e9d2612bf11

examples/configuration.nix

@@ -4,7 +4,7 @@
 
 { config, pkgs, lib, ... }: {
   imports = [
-    <nix-bitcoin/modules/nix-bitcoin.nix>
+    <nix-bitcoin/modules/presets/secure-node.nix>
 
     # FIXME: The hardened kernel profile improves security but
     # decreases performance by ~50%.
@@ -18,15 +18,12 @@
     #./hardware-configuration.nix
   ];
   # FIXME: Enable modules by uncommenting their respective line. Disable
-  # modules by commenting out their respective line.  Enable this module to
-  # use the nix-bitcoin node configuration. Only disable this if you know what
-  # you are doing.
-  services.nix-bitcoin.enable = true;
+  # modules by commenting out their respective line.
 
   ### BITCOIND
   # Bitcoind is enabled by default if nix-bitcoin is enabled
   #
-  # You can override default settings from nix-bitcoin.nix as follows
+  # You can override default settings from secure-node.nix as follows
   # services.bitcoind.prune = lib.mkForce 100000;
   #
   # You can add options that are not defined in modules/bitcoind.nix as follows

modules/bitcoind.nix

@@ -256,7 +256,7 @@ in {
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ cfg.package ];
+    environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
     systemd.services.bitcoind = {
       description = "Bitcoin daemon";
       requires = [ "nix-bitcoin-secrets.target" ];

modules/clightning.nix

@@ -71,6 +71,7 @@ in {
   };
 
   config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.nix-bitcoin.clightning (hiPrio cfg.cli) ];
     users.users.clightning = {
         description = "clightning User";
         group = "clightning";

modules/default.nix

@@ -7,7 +7,7 @@
   lightning-charge = ./lightning-charge.nix;
   liquid = ./liquid.nix;
   nanopos = ./nanopos.nix;
-  nix-bitcoin = ./nix-bitcoin.nix;
+  presets.secure-node = ./presets/secure-node.nix;
   nix-bitcoin-webindex = ./nix-bitcoin-webindex.nix;
   spark-wallet = ./spark-wallet.nix;
   recurring-donations = ./recurring-donations.nix;

modules/electrs.nix

@@ -44,11 +44,6 @@ in {
       default = 50001;
       description = "RPC port.";
     };
-    onionport = mkOption {
-      type = types.ints.u16;
-      default = 50002;
-      description = "Port on which to listen for tor client connections.";
-    };
     extraArgs = mkOption {
       type = types.separatedString " ";
       default = "";
@@ -66,6 +61,8 @@ in {
   };
 
   config = mkIf cfg.enable (mkMerge [{
+    environment.systemPackages = [ pkgs.nix-bitcoin.electrs ];
+
     systemd.services.electrs = {
       description = "Electrs Electrum Server";
       wantedBy = [ "multi-user.target" ];

modules/hardware-wallets.nix

@@ -32,11 +32,16 @@ in {
   };
 
   config = mkMerge [
-    {
-      # Create group
+    (mkIf (cfg.ledger || cfg.trezor) {
+      environment.systemPackages = with pkgs; [
+        nix-bitcoin.hwi
+        # Provides lsusb for debugging
+        usbutils
+      ];
       users.groups."${cfg.group}" = {};
-    }
+    })
     (mkIf cfg.ledger {
+
       # Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
       # Don't use rules from nixpkgs because we want to use our own group.
       services.udev.packages = lib.singleton (pkgs.writeTextFile {
@@ -48,6 +53,7 @@ in {
       });
     })
     (mkIf cfg.trezor {
+      environment.systemPackages = [ pkgs.python3.pkgs.trezor ];
       # Don't use rules from nixpkgs because we want to use our own group.
       services.udev.packages = lib.singleton (pkgs.writeTextFile {
         name = "trezord-udev-rules";

modules/lightning-charge.nix

@@ -24,6 +24,7 @@ in {
   };
 
   config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.nix-bitcoin.lightning-charge ];
     systemd.services.lightning-charge = {
       description = "Run lightning-charge";
       wantedBy = [ "multi-user.target" ];

modules/liquid.nix

@@ -195,7 +195,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.nix-bitcoin.elementsd ];
+    environment.systemPackages = [
+      pkgs.nix-bitcoin.elementsd
+      (hiPrio cfg.cli)
+      (hiPrio cfg.swap-cli)
+    ];
     systemd.services.liquidd = {
       description = "Elements daemon providing access to the Liquid sidechain";
       requires = [ "bitcoind.service" ];

modules/lnd.nix

@@ -77,7 +77,7 @@ in {
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ cfg.package ];
+    environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
     systemd.services.lnd = {
       description = "Run LND";
       path  = [ pkgs.nix-bitcoin.bitcoind ];

modules/nanopos.nix

@@ -52,6 +52,7 @@ in {
   };
 
   config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.nix-bitcoin.nanopos ];
     systemd.services.nanopos = {
       description = "Run nanopos";
       wantedBy = [ "multi-user.target" ];
@@ -60,7 +61,6 @@ in {
       serviceConfig = {
         EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
         ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
-
         User = "nanopos";
         Restart = "on-failure";
         RestartSec = "10s";

modules/nix-bitcoin.nix

@@ -1,183 +1,9 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.nix-bitcoin;
-  operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" '' 
-    mkdir -p ${config.users.users.operator.home}/.ssh
-    if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then
-      cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys
-    fi
-    if [ -e "/etc/ssh/authorized_keys.d/root" ]; then
-      cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys
-    fi
-    chown -R operator ${config.users.users.operator.home}/.ssh
-  '';
-in {
-  imports = [ ./modules.nix ];
-
-  options.services.nix-bitcoin = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        If enabled, the nix-bitcoin service will be installed.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    nix-bitcoin.secretsDir = mkDefault "/secrets";
-
-    networking.firewall.enable = true;
-
-    # Tor
-    services.tor.enable = true;
-    services.tor.client.enable = true;
-    # LND uses ControlPort to create onion services
-    services.tor.controlPort = if config.services.lnd.enable then 9051 else null;
-
-    # Tor SSH service
-    services.tor.hiddenServices.sshd = {
-      map = [{
-        port = 22;
-      }];
-      version = 3;
-    };
-
-    # bitcoind
-    services.bitcoind.enable = true;
-    services.bitcoind.listen = true;
-    services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
-    services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
-    services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
-    services.bitcoind.enforceTor = true;
-    services.bitcoind.port = 8333;
-    services.bitcoind.zmqpubrawblock = "tcp://127.0.0.1:28332";
-    services.bitcoind.zmqpubrawtx = "tcp://127.0.0.1:28333";
-    services.bitcoind.assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
-    services.bitcoind.addnodes = [ "ecoc5q34tmbq54wl.onion" ];
-    services.bitcoind.discover = false;
-    services.bitcoind.addresstype = "bech32";
-    services.bitcoind.prune = 0;
-    services.bitcoind.dbCache = 1000;
-    services.tor.hiddenServices.bitcoind = {
-      map = [{
-        port = config.services.bitcoind.port;
-      }];
-      version = 3;
-    };
-
-    # clightning
-    services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
-    services.clightning.proxy = config.services.tor.client.socksListenAddress;
-    services.clightning.enforceTor = true;
-    services.clightning.always-use-proxy = true;
-    services.clightning.bind-addr = "127.0.0.1:9735";
-    services.tor.hiddenServices.clightning = {
-      map = [{
-        port = 9735; toPort = 9735;
-      }];
-      version = 3;
-    };
-
-    # lnd
-    services.lnd.enforceTor = true;
-
-    # Create user operator which can use bitcoin-cli and lightning-cli
-    users.users.operator = {
-      isNormalUser = true;
-      extraGroups = [ config.services.bitcoind.group ]
-        ++ (if config.services.clightning.enable then [ "clightning" ] else [ ])
-        ++ (if config.services.lnd.enable then [ "lnd" ] else [ ])
-        ++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ])
-        ++ (if (config.services.hardware-wallets.ledger || config.services.hardware-wallets.trezor)
-          then [ config.services.hardware-wallets.group ] else [ ]);
-    };
-    # Give operator access to onion hostnames
-    services.onion-chef.enable = true;
-    services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
-
-    # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
-    # https://github.com/ElementsProject/lightning/issues/1366
-    security.sudo.configFile =
-     (optionalString config.services.clightning.enable ''
-       operator    ALL=(clightning) NOPASSWD: ALL
-     '') +
-     (optionalString config.services.lnd.enable ''
-       operator    ALL=(lnd) NOPASSWD: ALL
-     '');
-
-    # Give root ssh access to the operator account
-    systemd.services.copy-root-authorized-keys = {
-      description = "Copy root authorized keys";
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";
-        user = "root";
-        type = "oneshot";
-      };
-    };
-
-    services.nix-bitcoin-webindex.enforceTor = true;
-
-    services.liquidd.rpcuser = "liquidrpc";
-    services.liquidd.prune = 1000;
-    services.liquidd.extraConfig = "
-      mainchainrpcuser=${config.services.bitcoind.rpcuser}
-      mainchainrpcport=8332
-    ";
-    services.liquidd.validatepegin = true;
-    services.liquidd.listen = true;
-    services.liquidd.proxy = config.services.tor.client.socksListenAddress;
-    services.liquidd.enforceTor = true;
-    services.liquidd.port = 7042;
-    services.tor.hiddenServices.liquidd = {
-      map = [{
-        port = config.services.liquidd.port; toPort = config.services.liquidd.port;
-      }];
-      version = 3;
-    };
-
-    services.spark-wallet.onion-service = true;
-    services.electrs.port = 50001;
-    services.electrs.enforceTor = true;
-    services.electrs.onionport = 50002;
-    services.electrs.TLSProxy.enable = true;
-    services.electrs.TLSProxy.port = 50003;
-    services.tor.hiddenServices.electrs = {
-      map = [{
-        port = config.services.electrs.onionport; toPort = config.services.electrs.TLSProxy.port;
-      }];
-      version = 3;
-    };
-    environment.systemPackages = with pkgs; with nix-bitcoin; let
-      s = config.services;
-    in
-    [
-      tor
-      bitcoind
-      (hiPrio s.bitcoind.cli)
-      nodeinfo
-      jq
-      qrencode
-    ]
-    ++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]
-    ++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]
-    ++ optionals s.lightning-charge.enable [lightning-charge]
-    ++ optionals s.nanopos.enable [nanopos]
-    ++ optionals s.nix-bitcoin-webindex.enable [nginx]
-    ++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]
-    ++ optionals s.spark-wallet.enable [spark-wallet]
-    ++ optionals s.electrs.enable [electrs]
-    ++ optionals (s.hardware-wallets.ledger || s.hardware-wallets.trezor) [
-        hwi
-        # To allow debugging issues with lsusb
-        usbutils
-    ]
-    ++ optionals s.hardware-wallets.trezor [
-        python3.pkgs.trezor
-    ];
-  };
+# This file exists only for backwards compatibility
+
+{ lib, ... }:
+{
+   imports = [
+     ./presets/secure-node.nix
+     (lib.mkRemovedOptionModule [ "services" "nix-bitcoin" "enable" ] "Please directly import ./presets/secure-node.nix")
+   ]
 }