From 37901f39373eed5a072882453e2d18898af2e8be Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 4 Oct 2024 17:53:32 +0100
Subject: [PATCH] working implementation of bitcoind
---
 flake.lock | 109 ++++++++++++++-
 flake.nix | 6 +
 hosts/common/optional/nix-bitcoin.nix | 156 ++++++++++++++++++++++
 hosts/common/users/keys/laptop@id_rsa.pub | 1 -
 hosts/semita/default.nix | 6 +
 justfile | 1 +
 6 files changed, 273 insertions(+), 6 deletions(-)
 create mode 100644 hosts/common/optional/nix-bitcoin.nix
 delete mode 100644 hosts/common/users/keys/laptop@id_rsa.pub
diff --git a/flake.lock b/flake.lock
index f006187..9c6662d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -80,6 +80,31 @@
 "type": "github"
 }
 },
+ "extra-container": {
+ "inputs": {
+ "flake-utils": [
+ "nix-bitcoin",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nix-bitcoin",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1722175938,
+ "narHash": "sha256-HKyB4HD+NdX3T233bY31hm76v3/tdQBNeLLvopKbZeY=",
+ "owner": "erikarvstedt",
+ "repo": "extra-container",
+ "rev": "37e7207ac9f857eedb58b208b9dc91cd6b24e651",
+ "type": "github"
+ },
+ "original": {
+ "owner": "erikarvstedt",
+ "repo": "extra-container",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "locked": {
 "lastModified": 1696426674,
@@ -173,6 +198,24 @@
 "type": "github"
 }
 },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1726560853,
+ "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "git-hooks": {
 "inputs": {
 "flake-compat": "flake-compat_2",
@@ -318,6 +361,30 @@
 "type": "github"
 }
 },
+ "nix-bitcoin": {
+ "inputs": {
+ "extra-container": "extra-container",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-unstable": "nixpkgs-unstable"
+ },
+ "locked": {
+ "lastModified": 1727247704,
+ "narHash": "sha256-Jl1CYXNIdJ4Ac0MK15e8+vflFOgPxZZNw24CKfLC6QY=",
+ "owner": "fort-nix",
+ "repo": "nix-bitcoin",
+ "rev": "a0d36d59248ac54f1b42a668326346a77640c7f5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "fort-nix",
+ "ref": "nixos-24.05",
+ "repo": "nix-bitcoin",
+ "type": "github"
+ }
+ },
 "nix-colors": {
 "inputs": {
 "base16-schemes": "base16-schemes",
@@ -361,11 +428,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1726340825,
- "narHash": "sha256-6gv36ea3aAjJH7osZVzVU0GRoJeVR+iwSP9bSaJC+MI=",
+ "lastModified": 1728041293,
+ "narHash": "sha256-ttKGrtU+naTxmlHf4M142MTM4rYc5WWhRzdY1wEO5gE=",
 "ref": "refs/heads/master",
- "rev": "73d4d304a201f7db200ffb5955c8a2f521f635a7",
- "revCount": 160,
+ "rev": "dc659e262931d48bc8499fbfee60d27e40cda9cd",
+ "revCount": 163,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -422,6 +489,22 @@
 }
 },
 "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1726871744,
+ "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable_2": {
 "locked": {
 "lastModified": 1724819573,
 "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
@@ -502,10 +585,11 @@
 "disko": "disko",
 "home-manager": "home-manager",
 "impermanence": "impermanence",
+ "nix-bitcoin": "nix-bitcoin",
 "nix-colors": "nix-colors",
 "nix-secrets": "nix-secrets",
 "nixpkgs": "nixpkgs_2",
- "nixpkgs-unstable": "nixpkgs-unstable",
+ "nixpkgs-unstable": "nixpkgs-unstable_2",
 "nixvim": "nixvim",
 "nur": "nur",
 "sops-nix": "sops-nix"
@@ -532,6 +616,21 @@
 "type": "github"
 }
 },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "treefmt-nix": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 6f1b771..631427e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,12 @@
 url = "github:hercules-ci/arion/236f9dd82d6ef6a2d9987c7a7df3e75f1bc8b318";
 };
 
+ # nix-bitcoin
+ nix-bitcoin = {
+ url = "github:fort-nix/nix-bitcoin/nixos-24.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 # Nix colors
 nix-colors.url = "github:misterio77/nix-colors";
 
diff --git a/hosts/common/optional/nix-bitcoin.nix b/hosts/common/optional/nix-bitcoin.nix
new file mode 100644
index 0000000..3ad0a23
--- /dev/null
+++ b/hosts/common/optional/nix-bitcoin.nix
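Review bot: The new `nix-bitcoin` input is tracked by the moving branch ref `nixos-24.05` (`url = "github:fort-nix/nix-bitcoin/nixos-24.05";`), whereas the `arion` input in the context line just above is pinned to a commit. The lock file fixes it to `a0d36d59248ac54f1b42a668326346a77640c7f5` for now, but each run of the repo's `update-flake` recipe will advance a third-party module set that is imported wholesale into the bitcoin container's NixOS configuration, so the pin choice is a supply-chain decision worth making explicit. Either pin the URL to the locked rev the way arion is pinned, or document the intent on the input, e.g. `# nix-bitcoin: branch-tracked on purpose; review the upstream diff after update-flake before rebuilding`.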
@@ -0,0 +1,156 @@
+{
+ inputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ bitcoin-rpcpassword-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-privileged".path;
+ bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
+ bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
+ bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
+ pubKeys = lib.filesystem.listFilesRecursive ../users/keys;
+in {
+ sops.secrets = {
+ "software/bitcoind/bitcoin-rpcpassword-privileged" = {};
+ "software/bitcoind/bitcoin-rpcpassword-public" = {};
+ "software/bitcoind/bitcoin-HMAC-privileged" = {};
+ "software/bitcoind/bitcoin-HMAC-public" = {};
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "eth0";
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [80 443 22];
+ networking.firewall.trustedInterfaces = ["ve-+" "ve-bitcoin-node"];
+
+ containers.bitcoin-node = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "10.0.21.1";
+ localAddress = "10.0.21.2";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-privileged" = {
+ hostPath = "${bitcoin-rpcpassword-privileged}";
+ isReadOnly = false;
+ };
+ "/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public" = {
+ hostPath = "${bitcoin-rpcpassword-public}";
+ isReadOnly = false;
+ };
+ "/etc/nix-bitcoin-secrets/bitcoin-HMAC-privileged" = {
+ hostPath = "${bitcoin-HMAC-privileged}";
+ isReadOnly = false;
+ };
+ "/etc/nix-bitcoin-secrets/bitcoin-HMAC-public" = {
+ hostPath = "${bitcoin-HMAC-public}";
+ isReadOnly = false;
+ };
+ "/var/lib/nix-bitcoin" = {
+ hostPath = "/media/main-ssd/nix-bitcoin";
+ isReadOnly = false;
+ };
+ };
+
+ forwardPorts = [
+ {
+ containerPort = 80;
+ hostPort = 8080;
+ protocol = "tcp";
+ }
+ ];
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ imports = [
+ inputs.nix-bitcoin.nixosModules.default
+ ];
+ environment.systemPackages = with pkgs; [
+ vim
+ lsof
+ jq
+ ];
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ 22
+ config.containers.bitcoin-node.config.services.bitcoind.rpc.port
+ config.containers.bitcoin-node.config.services.mempool.frontend.port
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ nix-bitcoin.generateSecrets = true;
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+
+ # node services here
+ services = {
+ tor = {
+ enable = true;
+ client.enable = true;
+ };
+ bitcoind = {
+ tor.proxy = true;
+ tor.enforce = true;
+ enable = true;
+ dataDir = "/var/lib/nix-bitcoin/bitcoind";
+ dbCache = 5000;
+ txindex = true;
+ rpc = {
+ address = "0.0.0.0";
+ threads = 6;
+ allowip = ["10.0.0.0/8"];
+ users = let
+ name = "bitcoin";
+ in {
+ privileged.name = name;
+ public.name = name;
+ };
+ };
+ extraConfig = ''
+ onlynet=onion
+ bind=127.0.0.1
+ '';
+ };
+ electrs = {
+ tor.enforce = true;
+ enable = true;
+ dataDir = "/var/lib/nix-bitcoin/electrs";
+ };
+ mempool = {
+ enable = true;
+ electrumServer = "electrs";
+ frontend = {
+ port = 4080;
+ address = "0.0.0.0";
+ };
+ };
+ };
+ nix-bitcoin.onionServices = {
+ bitcoind.enable = true;
+ electrs.enable = true;
+ mempool-frontend.enable = true;
+ };
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/common/users/keys/laptop@id_rsa.pub b/hosts/common/users/keys/laptop@id_rsa.pub
deleted file mode 100644
index 43c4bc0..0000000
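Review bot: The four secret entries under `bindMounts` expose the host's sops-managed files with `isReadOnly = false`, so anything running inside the container can rewrite the host's copies; unless `nix-bitcoin.generateSecrets = true` genuinely needs write access to files that already exist (worth confirming against the nix-bitcoin module), mount them with `isReadOnly = true;`, and note that `lib.optionalString` silently turns each `hostPath` into `""` when sops-nix is absent instead of failing evaluation. The `rpc.users` block gives the privileged and public users the same name `bitcoin`; bitcoind keys its `rpcauth` and `rpcwhitelist` entries by user name, so any whitelist nix-bitcoin emits for the public user applies to both logins and the privilege split collapses — drop the shared `let name` and keep two distinct names. `rpc.address = "0.0.0.0"` with `allowip = ["10.0.0.0/8"]` admits far more than the host at `10.0.21.1`, the only RPC client visible in this file; `allowip = ["10.0.21.1/32"]` matches the actual topology. Separately, `forwardPorts` maps host 8080 to container port 80, but no service in this file is configured on 80 (the mempool frontend is on 4080), so either the forward is dead or `containerPort` should be 4080.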
--- a/hosts/common/users/keys/laptop@id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 samual.shop@protonmail.com :: laptop
diff --git a/hosts/semita/default.nix b/hosts/semita/default.nix
index 83d5cca..741fb40 100644
--- a/hosts/semita/default.nix
+++ b/hosts/semita/default.nix
@@ -47,8 +47,14 @@ in {
 ../common/optional/nfs-mounts/homeshare.nix
 ../common/optional/printing.nix
 ../common/optional/docker
+ ../common/optional/nix-bitcoin.nix
 ];
 
+ fileSystems."/media/main-ssd" = {
+ device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
+ fsType = "ext4";
+ };
+
 boot = {
 blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
 kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
diff --git a/justfile b/justfile
index 658e4de..ee49ac5 100644
--- a/justfile
+++ b/justfile
@@ -23,6 +23,7 @@ update-flake:
 edit-sops:
 echo "Editing {{SOPS_FILE}}"
 nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}"
+ cd $(dirname {{SOPS_FILE}}) && git add . && git commit -m "autocommit" && git push
 
 # update keys in secrets.yaml and push to remote
 update-sops-secrets:
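Review bot: The added `edit-sops` line runs `git add .` in the secrets repository directory, so it commits and pushes everything present there rather than the one sops file that was just edited; any plaintext scratch file or stray key material in that directory would be published with it. Stage only the edited file and quote the command substitutions: `cd "$(dirname {{SOPS_FILE}})" && git add "$(basename {{SOPS_FILE}})" && git commit -m "autocommit" && git push`. Because the whole chain is joined with `&&`, closing sops without changes makes `git commit` exit non-zero and fails the recipe after the edit has already succeeded; if that is unwanted, guard the commit with `git diff --cached --quiet || git commit -m "autocommit"` before the push.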