Update nixpkgs-unstable, fix whitelisting local services

README.md

@@ -101,6 +101,7 @@ Docs
 
 Troubleshooting
 ---
-If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.
-There's also a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).
+If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.\
+There's also a Matrix room at [#general:nixbitcoin.org](https://matrix.to/#/#general:nixbitcoin.org)
+and a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).\
 We are always happy to help.

examples/configuration.nix

@@ -24,7 +24,7 @@
   # modules by commenting out their respective line.
 
   ### BITCOIND
-  # Bitcoind is enabled by default.
+  # Bitcoind is enabled by default via secure-node.nix.
   #
   # Set this option to enable pruning with a specified MiB value.
   # clightning is compatible with pruning. See

flake.nix

@@ -6,7 +6,7 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
-    nixpkgsUnstable.url = "github:NixOS/nixpkgs/master";
+    nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     flake-utils.url = "github:numtide/flake-utils";
   };
 

modules/bitcoind.nix

@@ -17,12 +17,35 @@ let
       };
       onionPort = mkOption {
         type = types.nullOr types.port;
-        default = null;
+        # When the bitcoind onion service is enabled, add an onion-tagged socket
+        # to distinguish local connections from Tor connections
+        default = if (config.nix-bitcoin.onionServices.bitcoind.enable or false) then 8334 else null;
         description = ''
           Port to listen for Tor peer connections.
           If set, inbound connections to this port are tagged as onion peers.
         '';
       };
+      listen = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:port`
+          and `address:onionPort` (if `onionPort` is set).
+        '';
+      };
+      listenWhitelisted = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:whitelistedPort`.
+          Peers connected through this socket are automatically whitelisted.
+        '';
+      };
+      whitelistedPort = mkOption {
+        type = types.port;
+        default = 8335;
+        description = "See `listenWhitelisted`.";
+      };
       getPublicAddressCmd = mkOption {
         type = types.str;
         default = "";
@@ -145,11 +168,6 @@ let
           With `only-outgoing`, incoming i2p connections are disabled.
         '';
       };
-      listen = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Accept incoming connections.";
-      };
       dataDirReadableByGroup = mkOption {
         type = types.bool;
         default = false;
@@ -271,15 +289,17 @@ let
     ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
 
     # Connection options
+    listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
     ${optionalString cfg.listen
       "bind=${cfg.address}:${toString cfg.port}"}
     ${optionalString (cfg.listen && cfg.onionPort != null)
       "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
+    ${optionalString cfg.listenWhitelisted
+      "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
     ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
     ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
 
-    listen=${if cfg.listen then "1" else "0"}
     ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
     ${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}
 

modules/btcpayserver.nix

@@ -116,25 +116,20 @@ in {
           "getpeerinfo"
         ];
       };
-      # Enable p2p connections
-      listen = true;
-      extraConfig = ''
-        whitelist=download@${nbLib.address cfg.nbxplorer.address}
-      '';
+      listenWhitelisted = true;
     };
     services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
-    services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
-    services.liquidd = mkIf cfg.btcpayserver.lbtc {
+    services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
       enable = true;
-      # Enable p2p connections
-      listen = true;
+      macaroons.btcpayserver = {
+        inherit (cfg.btcpayserver) user;
+        permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
+      };
     };
-
-    services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
-      inherit (cfg.btcpayserver) user;
-      permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
+    services.liquidd = mkIf cfg.btcpayserver.lbtc {
+      enable = true;
+      listenWhitelisted = true;
     };
-
     services.postgresql = {
       enable = true;
       ensureDatabases = [ "btcpaydb" ];
@@ -154,14 +149,14 @@ in {
         network=${bitcoind.network}
         btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
         btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
-        btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.port}
+        btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
         bind=${cfg.nbxplorer.address}
         port=${toString cfg.nbxplorer.port}
         ${optionalString cfg.btcpayserver.lbtc ''
           chains=btc,lbtc
           lbtcrpcuser=${liquidd.rpcuser}
           lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
-          lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.port}
+          lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address bitcoind.whitelistedPort}
         ''}
       '';
     in {

modules/clightning.nix

@@ -91,8 +91,10 @@ let
     ${cfg.extraConfig}
   '';
 
-  # If the clightning onion service is enabled, use the onion port as the public port
-  publicPort = if config.nix-bitcoin.onionServices.clightning.enable or false then
+  # If a public clightning onion service is enabled, use the onion port as the public port
+  publicPort = if (config.nix-bitcoin.onionServices.clightning.enable or false)
+                  && config.nix-bitcoin.onionServices.clightning.public
+               then
                  (builtins.elemAt config.services.tor.relay.onionServices.clightning.map 0).port
                else
                  cfg.port;

modules/electrs.nix

@@ -58,9 +58,7 @@ in {
 
     services.bitcoind = {
       enable = true;
-      # Enable p2p connections
-      listen = true;
-      extraConfig = "whitelist=download@${nbLib.address cfg.address}";
+      listenWhitelisted = true;
     };
 
     systemd.tmpfiles.rules = [
@@ -88,7 +86,7 @@ in {
           --electrum-rpc-addr=${cfg.address}:${toString cfg.port} \
           --monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \
           --daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \
-          --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.port} \
+          --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} \
           ${cfg.extraArgs}
         '';
         User = cfg.user;

modules/liquid.nix

@@ -15,6 +15,37 @@ let
         default = 7042;
         description = "Override the default port on which to listen for connections.";
       };
+      onionPort = mkOption {
+        type = types.nullOr types.port;
+        # When the liquidd onion service is enabled, add an onion-tagged socket
+        # to distinguish local connections from Tor connections
+        default = if (config.nix-bitcoin.onionServices.liquidd.enable or false) then 7043 else null;
+        description = ''
+          Port to listen for Tor peer connections.
+          If set, inbound connections to this port are tagged as onion peers.
+        '';
+      };
+      listen = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:port`
+          and `address:onionPort` (if `onionPort` is set).
+        '';
+      };
+      listenWhitelisted = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Listen for peer connections at `address:whitelistedPort`.
+          Peers connected through this socket are automatically whitelisted.
+        '';
+      };
+      whitelistedPort = mkOption {
+        type = types.port;
+        default = 7044;
+        description = "See `listenWhitelisted`.";
+      };
       extraConfig = mkOption {
         type = types.lines;
         default = "";
@@ -70,13 +101,6 @@ let
         default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
         description = "Connect through SOCKS5 proxy";
       };
-      listen = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          If enabled, the liquid service will listen.
-        '';
-      };
       dbCache = mkOption {
         type = types.nullOr (types.ints.between 4 16384);
         default = null;
@@ -153,10 +177,14 @@ let
     ${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"}
 
     # Connection options
-    ${optionalString cfg.listen "bind=${cfg.address}"}
-    port=${toString cfg.port}
+    listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
+    ${optionalString cfg.listen
+      "bind=${cfg.address}:${toString cfg.port}"}
+    ${optionalString (cfg.listen && cfg.onionPort != null)
+      "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
+    ${optionalString cfg.listenWhitelisted
+      "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
-    listen=${if cfg.listen then "1" else "0"}
 
     # RPC server options
     rpcport=${toString cfg.rpc.port}

modules/netns-isolation.nix

@@ -43,14 +43,14 @@ let
     };
 
     netns = mkOption {
-      default = netns;
       readOnly = true;
+      default = netns;
       description = "Exposes netns parameters.";
     };
 
     bridgeIp = mkOption {
-      default = bridgeIp;
       readOnly = true;
+      default = bridgeIp;
       description = "IP of the netns bridge interface.";
     };
   };

modules/onion-services.nix

@@ -118,10 +118,6 @@ in {
           externalPort = 80;
         };
       };
-
-      # When the bitcoind onion service is enabled, add an onion-tagged socket
-      # to distinguish local connections from Tor connections
-      services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
     }
   ];
 }

test/tests.nix

@@ -74,16 +74,14 @@ let
       tests.charge-lnd = cfg.charge-lnd.enable;
 
       tests.electrs = cfg.electrs.enable;
-      # Sigterm is broken during IBD in version 0.9.0 https://github.com/romanz/electrs/issues/532
-      systemd.services.electrs.serviceConfig.KillSignal = "SIGKILL";
 
       tests.liquidd = cfg.liquidd.enable;
       services.liquidd.extraConfig = mkIf config.test.noConnections "connect=0";
 
       tests.btcpayserver = cfg.btcpayserver.enable;
       services.btcpayserver = {
-        lightningBackend = "lnd";
-        lbtc = true;
+        lightningBackend = mkDefault "lnd";
+        lbtc = mkDefault true;
       };
       # Needed to test macaroon creation
       environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);

test/tests.py

@@ -201,6 +201,8 @@ def _():
         f"-X GET https://{ip('lnd')}:8080/v1/getinfo | jq",
         '"version"',
     )
+    # Test web server response
+    assert_matches(f"curl -L {ip('btcpayserver')}:23000", "Welcome to your BTCPay Server")
 
 @test("spark-wallet")
 def _():