Merge #293: Module refactorings, onionServices
e2922eb move rpc thread count setting to lightning modules (Erik Arvstedt)
352fc4e liquid: remove insecure and redundant option 'rpcpassword' (Erik Arvstedt)
757a66b liquid: move rpcuser definition to module (Erik Arvstedt)
0e00c39 secure-node: improve layout (Erik Arvstedt)
5f7a796 backups: remove redundant option 'program' (Erik Arvstedt)
04d8560 secure-node: remove qrencode, tor from systemPackages (Erik Arvstedt)
323a431 improve nodeinfo (Erik Arvstedt)
f6b883a remove webindex (Erik Arvstedt)
2a240d6 enable-tor: disable default onion services for clightning, lnd, btcpayserver (Erik Arvstedt)
18c7842 modules: show warnings for obsolete options (Erik Arvstedt)
45c40c4 versioning: simplify assertion evaluation (Erik Arvstedt)
bed00fe lnd: use onionServices for address announcing (Erik Arvstedt)
3980cd5 clightning: use onionServices for address announcing (Erik Arvstedt)
bd2a46c spark-wallet: use onionServices (Erik Arvstedt)
87fb9f2 add 'enable-tor' preset (Erik Arvstedt)
05b5402 add nix-bitcoin.onionServices (Erik Arvstedt)
fffe988 onionAddresses: add readonly option 'dataDir' (Erik Arvstedt)
5f34b09 onionAddresses: improve script (Erik Arvstedt)
b266f23 onionAddresses: use service 'script' option (Erik Arvstedt)
6d13b26 onionAddresses: add more precise type for option 'access' (Erik Arvstedt)
93562f7 onionAddresses: remove redundant option 'enable' (Erik Arvstedt)
43c247e onionAddresses: use StateDirectory instead of tmpfiles (Erik Arvstedt)
5c6977b rename onion-chef -> nix-bitcoin.onionAddresses (Erik Arvstedt)
55073ee remove nix-bitcoin.pkgs.lib (Erik Arvstedt)
09e0042 spark-wallet: add consistent address options (Erik Arvstedt)
39f16c0 liquidd: add consistent address options (Erik Arvstedt)
b5d76ba electrs: add consistent address options (Erik Arvstedt)
8fa32b7 btcpayserver: add consistent address options (Erik Arvstedt)
e78a609 clightning: add consistent address options (Erik Arvstedt)
b41a720 lnd: add consistent address options (Erik Arvstedt)
dd4a023 bitcoind: group rpc options under parent option 'rpc' (Erik Arvstedt)
5b7e0d0 bitcoind: add consistent address options (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK e2922eb
  jonasnick:
    ACK e2922eb

Tree-SHA512: a85b33efe66048f06699b3997f83c9427f70f278fa66d30ee9a29c91f50723ff8bd1ffb9d968d7f08818742c8c6afb0b40dbfc14b95a4b8c3302caf9bede4198
jonasnick committed Jan 14, 2021
2 parents 41a6be6 + e2922eb commit c6c1488
Showing 30 changed files with 667 additions and 633 deletions.
5 changes: 2 additions & 3 deletions README.md
Expand Up @@ -48,8 +48,7 @@ See the [examples directory](examples/README.md).
Features
---
A [configuration preset](modules/presets/secure-node.nix) for setting up a secure node
* All applications use Tor for outbound connections and accept inbound connections via onion services.
* Includes a [nodeinfo](modules/nodeinfo.nix) script which prints basic info about the node.
* All applications use Tor for outbound connections and support accepting inbound connections via onion services.

NixOS modules
* Application services
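Review bot: the rewritten bullet says applications "support accepting inbound connections via onion services" but no longer tells the reader how that is switched on; since this merge turns the clightning, lnd and btcpayserver onion services off by default (commit 2a240d6) and introduces `nix-bitcoin.onionServices` and the `enable-tor` preset (05b5402, 87fb9f2), a short pointer to one of them in this bullet would keep the README accurate for users of the secure-node preset.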
Expand All @@ -74,9 +73,9 @@ NixOS modules
* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
* Helper
* [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
* [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
* [backups](modules/backups.nix): daily duplicity backups of all your node's important files
* [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
* [nix-bitcoin webindex](modules/nix-bitcoin-webindex.nix): a local website to display node information

Security
---
28 changes: 14 additions & 14 deletions docs/usage.md
Expand Up @@ -8,7 +8,7 @@ fetch-release > nix-bitcoin-release.nix

Nodeinfo
---
Run `nodeinfo` to see your onion addresses for the webindex, spark, etc. if they are enabled.
Run `nodeinfo` to see onion addresses and local addresses for enabled services.

Connect to spark-wallet
---
Expand Down Expand Up @@ -86,10 +86,10 @@ Connect to electrs
nixops deploy -d bitcoin-node
```

3. Get electrs onion address
3. Get electrs onion address with format `<onion-address>:<port>`

```
nodeinfo | grep 'ELECTRS_ONION'
nodeinfo | jq -r .electrs.onion_address
```

4. Connect to electrs
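Review bot: step 3 now depends on `jq` (`nodeinfo | jq -r .electrs.onion_address`), which the doc does not list as a prerequisite; given that 04d8560 trims the secure-node `systemPackages`, confirm `jq` is still available to the operator on the node (or have nodeinfo pull it in) and state in the step that the command is run on the node, not on the client machine.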
Expand All @@ -98,7 +98,7 @@ Connect to electrs

On Desktop
```
electrum --oneserver -1 -s "<ELECTRS_ONION>:50001:t" -p socks5:localhost:9050
electrum --oneserver -1 -s "<electrs onion address>:t" -p socks5:localhost:9050
```

On Android
Expand All @@ -107,16 +107,16 @@ Connect to electrs
Network > Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
Network > Auto-connect: OFF
Network > One-server mode: ON
Network > Server: <ELECTRS_ONION>:50001:t
Network > Server: <electrs onion address>:t
```

Connect to nix-bitcoin node through ssh Tor Hidden Service
Connect to nix-bitcoin node through the SSH onion service
---
1. Run `nodeinfo` on your nix-bitcoin node and note the `SSHD_ONION`
1. Get the SSH onion address (excluding the port suffix)

```
nixops ssh operator@bitcoin-node
nodeinfo | grep 'SSHD_ONION'
nodeinfo | jq -r .sshd.onion_address | sed 's/:.*//'
```

2. Create a SSH key
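Review bot: step 1 drops both the `nixops ssh operator@bitcoin-node` line and the phrase "on your nix-bitcoin node", so it no longer says where `nodeinfo | jq -r .sshd.onion_address | sed 's/:.*//'` is to be run; the command only works on the node itself, so either keep the `nixops ssh` line or restore "on your nix-bitcoin node" in the step text.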
Expand All @@ -131,14 +131,14 @@ Connect to nix-bitcoin node through ssh Tor Hidden Service
# FIXME: Add your SSH pubkey
services.openssh.enable = true;
users.users.root = {
openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ];
openssh.authorizedKeys.keys = [ "<contents of ~/.ssh/id_ed25519.pub>" ];
};
```

4. Connect to your nix-bitcoin node's ssh Tor Hidden Service, forwarding a local port to the nix-bitcoin node's ssh server
4. Connect to your nix-bitcoin node's SSH onion service, forwarding a local port to the nix-bitcoin node's SSH server

```
ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION]
ssh -i ~/.ssh/id_ed25519 -L <random port of your choosing>:localhost:22 root@<SSH onion address>
```

5. Edit your `network-nixos.nix` to look like this
Expand All @@ -148,12 +148,12 @@ Connect to nix-bitcoin node through ssh Tor Hidden Service
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "127.0.0.1";
deployment.targetPort = [random port of your choosing];
deployment.targetPort = <random port of your choosing>;
};
}
```

6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the ssh tunnel you established in step iv. This also allows you to do more complex ssh setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's ssh agent](https://github.com/romanz/trezor-agent), which provides extra security.
6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the SSH tunnel you established in step iv. This also allows you to do more complex SSH setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's SSH agent](https://github.com/romanz/trezor-agent), which provides extra security.

Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface
---
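Review bot: step 6 still refers to "the SSH tunnel you established in step iv" while the steps in this section are numbered 1 to 6 in Arabic numerals; change it to "step 4" while the line is being edited.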
Expand Down Expand Up @@ -263,7 +263,7 @@ you. If however, you want to manually initialize your wallet, follow these steps
## Run the tumbler

The tumbler needs to be able to run in the background for a long time, use screen
to run it accross ssh sessions. You can also use tmux in the same fashion.
to run it accross SSH sessions. You can also use tmux in the same fashion.

1. Add screen to your `environment.systemPackages`, for example

2 changes: 1 addition & 1 deletion examples/README.md
Expand Up @@ -11,7 +11,7 @@ nix-shell

The following example scripts set up a nix-bitcoin node according to [`configuration.nix`](configuration.nix) and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\
By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning` (with an onion service).
By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning`.

- [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\
38 changes: 21 additions & 17 deletions examples/configuration.nix
Expand Up @@ -37,25 +37,28 @@
# Enable this module to use clightning, a Lightning Network implementation
# in C.
services.clightning.enable = true;
# == TOR
# Enable this option to announce our Tor Hidden Service. By default clightning
# offers outgoing functionality, but doesn't announce the Tor Hidden Service
# under which peers can reach us.
# services.clightning.announce-tor = true;
#
# Set this to create an onion service by which clightning can accept incoming connections
# via Tor.
# The onion service is automatically announced to peers.
# nix-bitcoin.onionServices.clightning.public = true;
#
# == Plugins
# See ../docs/usage.md for the list of available plugins.
# services.clightning.plugins.prometheus.enable = true;

### LND
# Uncomment the following line in order to enable lnd, a lightning
# implementation written in Go. In order to avoid collisions with clightning
# you must disable clightning or change the services.clightning.bindport or
# services.lnd.listenPort to a port other than 9735.
# you must disable clightning or change the services.clightning.port or
# services.lnd.port to a port other than 9735.
# services.lnd.enable = true;
# Enable this option to announce our Tor Hidden Service. By default lnd
# offers outgoing functionality, but doesn't announce the Tor Hidden Service
# under which peers can reach us.
# services.lnd.announce-tor = true;
#
# Set this to create an onion service by which lnd can accept incoming connections
# via Tor.
# The onion service is automatically announced to peers.
# nix-bitcoin.onionServices.lnd.public = true;
#
## WARNING
# If you use lnd, you should manually backup your wallet mnemonic
# seed. This will allow you to recover on-chain funds. You can run the
Expand Down Expand Up @@ -93,6 +96,12 @@
# The lightning backend service automatically enabled.
# Afterwards you need to go into Store > General Settings > Lightning Nodes
# and click to use "the internal lightning node of this BTCPay Server".
#
# Set this to create an onion service to make the btcpayserver web interface
# accessible via Tor.
# Security WARNING: Create a btcpayserver administrator account before allowing
# public access to the web interface.
# nix-bitcoin.onionServices.btcpayserver.enable = true;

### LIQUIDD
# Enable this module to use Liquid, a sidechain for an inter-exchange
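Review bot: this block uses `nix-bitcoin.onionServices.btcpayserver.enable = true`, whereas the clightning and lnd blocks above use `onionServices.<service>.public = true`; a one-line comment on when to set `enable` and when to set `public` (the latter additionally announces the address to peers, per the clightning/lnd comments) would stop readers from guessing which one applies. The warning to create an administrator account before exposing the web interface is a good addition; it would read more clearly if it also said that an onion service is reachable by anyone who learns the address, which is why the order matters.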
Expand All @@ -101,11 +110,6 @@
# tool run as user operator.
# services.liquidd.enable = true;

### WEBINDEX
# Enable this module to use the nix-bitcoin-webindex, a simple website
# displaying your node information. Only available if clightning is enabled.
# services.nix-bitcoin-webindex.enable = true;

### RECURRING-DONATIONS
# Enable this module to send recurring donations. This is EXPERIMENTAL; it's
# not guaranteed that payments are succeeding or that you will notice payment
Expand Down Expand Up @@ -203,5 +207,5 @@
# The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide hints for migrating your config to the new release.
nix-bitcoin.configVersion = "0.0.26";
nix-bitcoin.configVersion = "0.0.30";
}
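Review bot: `configVersion` jumps from 0.0.26 to 0.0.30 in a single bump, and this merge removes several user-facing options (`announce-tor`, `services.nix-bitcoin-webindex`, `services.backups.program`, and bitcoind's `bind`, `rpcbind`, `rpcallowip`, `rpcthreads` and nullable `port`); confirm that the obsolete-option warnings added in 18c7842 name each of these so that existing configs get a migration hint rather than an undefined-option evaluation error.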
9 changes: 1 addition & 8 deletions modules/backups.nix
Expand Up @@ -31,13 +31,6 @@ let
in {
options.services.backups = {
enable = mkEnableOption "Backups service";
program = mkOption {
type = types.enum [ "duplicity" ];
default = "duplicity";
description = ''
Program with which to do backups.
'';
};
with-bulk-data = mkOption {
type = types.bool;
default = false;
Expand Down Expand Up @@ -69,7 +62,7 @@ in {
};
};

config = mkIf (cfg.enable && cfg.program == "duplicity") (mkMerge [
config = mkIf cfg.enable (mkMerge [
{
environment.systemPackages = [ pkgs.duplicity ];

74 changes: 36 additions & 38 deletions modules/bitcoind.nix
Expand Up @@ -22,26 +22,26 @@ let
${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
# Connection options
${optionalString cfg.listen "bind=${cfg.bind}"}
${optionalString (cfg.port != null) "port=${toString cfg.port}"}
${optionalString cfg.listen "bind=${cfg.address}"}
port=${toString cfg.port}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
listen=${if cfg.listen then "1" else "0"}
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}
# RPC server options
${optionalString (cfg.rpcthreads != null) "rpcthreads=${toString cfg.rpcthreads}"}
rpcbind=${cfg.rpc.address}
rpcport=${toString cfg.rpc.port}
rpcconnect=${cfg.rpc.address}
${optionalString (cfg.rpc.threads != null) "rpcthreads=${toString cfg.rpc.threads}"}
rpcwhitelistdefault=0
${concatMapStrings (user: ''
${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${passwordHMAC}"}
${optionalString (user.rpcwhitelist != [])
"rpcwhitelist=${user.name}:${lib.strings.concatStringsSep "," user.rpcwhitelist}"}
'') (builtins.attrValues cfg.rpc.users)
}
rpcbind=${cfg.rpcbind}
rpcconnect=${cfg.rpcbind}
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpc.allowip}
# Wallet options
${optionalString (cfg.addresstype != null) "addresstype=${cfg.addresstype}"}
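Review bot: `port=${toString cfg.port}` is now emitted unconditionally with the new default of 8333, whereas the old `nullOr` option (default `null`, "Override the default port") let bitcoind pick the network default; with `regtest = true` this pins the P2P port to 8333 instead of bitcoind's regtest default, so either derive the default from `cfg.regtest` (the module already does this for `proxy` via `cfg.enforceTor`) or state the behaviour in the option description.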
Expand All @@ -57,6 +57,16 @@ in {
options = {
services.bitcoind = {
enable = mkEnableOption "Bitcoin daemon";
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Address to listen for peer connections.";
};
port = mkOption {
type = types.port;
default = 8333;
description = "Port to listen for peer connections.";
};
package = mkOption {
type = types.package;
default = config.nix-bitcoin.pkgs.bitcoind;
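Review bot: the `address` description "Address to listen for peer connections." omits that the value only takes effect when `listen = true`, since the config line is `${optionalString cfg.listen "bind=${cfg.address}"}`; say so in the description, because a configured bind address being silently ignored is surprising.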
Expand All @@ -77,13 +87,6 @@ in {
default = "/var/lib/bitcoind";
description = "The data directory for bitcoind.";
};
bind = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Bind to given address and always listen on it.
'';
};
user = mkOption {
type = types.str;
default = "bitcoin";
Expand All @@ -95,10 +98,29 @@ in {
description = "The group as which to run bitcoind.";
};
rpc = {
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Address to listen for JSON-RPC connections.
'';
};
port = mkOption {
type = types.port;
default = 8332;
description = "Port on which to listen for JSON-RPC connections.";
description = "Port to listen for JSON-RPC connections.";
};
threads = mkOption {
type = types.nullOr types.ints.u16;
default = null;
description = "The number of threads to service RPC calls.";
};
allowip = mkOption {
type = types.listOf types.str;
default = [ "127.0.0.1" ];
description = ''
Allow JSON-RPC connections from specified sources.
'';
};
users = mkOption {
default = {};
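Review bot: the `rpc.address` and `rpc.allowip` descriptions should say that the two are meant to be changed together: binding `rpc.address` to a non-loopback address while `allowip` stays `[ "127.0.0.1" ]` leaves remote clients rejected, and widening `allowip` without changing `address` exposes nothing because the socket remains on 127.0.0.1. Stating this keeps the safe default explicit and makes an accidental exposure of the RPC port a deliberate two-step change.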
Expand Down Expand Up @@ -144,25 +166,6 @@ in {
'';
};
};
rpcthreads = mkOption {
type = types.nullOr types.ints.u16;
default = null;
description = "Set the number of threads to service RPC calls";
};
rpcbind = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Bind to given address to listen for JSON-RPC connections.
'';
};
rpcallowip = mkOption {
type = types.listOf types.str;
default = [ "127.0.0.1" ];
description = ''
Allow JSON-RPC connections from specified source.
'';
};
regtest = mkOption {
type = types.bool;
default = false;
Expand All @@ -176,11 +179,6 @@ in {
readOnly = true;
default = mainnet: regtest: if cfg.regtest then regtest else mainnet;
};
port = mkOption {
type = types.nullOr types.port;
default = null;
description = "Override the default port on which to listen for connections.";
};
proxy = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;