bitcoind: host behind tor
This commit is contained in:
parent
276de5d662
commit
7378d6c5b2
|
@ -1,5 +1,9 @@
|
||||||
# as of 2023/12/02: complete blockchain is 530 GiB (on-disk size may be larger)
|
# as of 2023/12/02: complete blockchain is 530 GiB (on-disk size may be larger)
|
||||||
#
|
#
|
||||||
|
# ports:
|
||||||
|
# - 8333: for node-to-node communications
|
||||||
|
# - 8332: rpc (client-to-node)
|
||||||
|
#
|
||||||
# rpc setup:
|
# rpc setup:
|
||||||
# - generate a password
|
# - generate a password
|
||||||
# - use: <https://github.com/bitcoin/bitcoin/blob/master/share/rpcauth/rpcauth.py>
|
# - use: <https://github.com/bitcoin/bitcoin/blob/master/share/rpcauth/rpcauth.py>
|
||||||
|
@ -10,22 +14,49 @@
|
||||||
# - add "rpcuser=colin" and "rpcpassword=<output>" to secrets/servo/bitcoin.conf (i.e. ~/.bitcoin/bitcoin.conf)
|
# - add "rpcuser=colin" and "rpcpassword=<output>" to secrets/servo/bitcoin.conf (i.e. ~/.bitcoin/bitcoin.conf)
|
||||||
# - bitcoin.conf docs: <https://github.com/bitcoin/bitcoin/blob/master/doc/bitcoin-conf.md>
|
# - bitcoin.conf docs: <https://github.com/bitcoin/bitcoin/blob/master/doc/bitcoin-conf.md>
|
||||||
# - validate with `bitcoin-cli -netinfo`
|
# - validate with `bitcoin-cli -netinfo`
|
||||||
{ config, sane-lib, ... }:
|
{ config, lib, pkgs, sane-lib, ... }:
|
||||||
|
let
|
||||||
|
# wrapper to run bitcoind with the tor onion address as externalip (computed at runtime)
|
||||||
|
_bitcoindWithExternalIp = with pkgs; writeShellScriptBin "bitcoind" ''
|
||||||
|
externalip="$(cat /var/lib/tor/onion/bitcoind/hostname)"
|
||||||
|
exec ${bitcoind}/bin/bitcoind "-externalip=$externalip" "$@"
|
||||||
|
'';
|
||||||
|
# the package i provide to services.bitcoind ends up on system PATH, and used by other tools like clightning.
|
||||||
|
# therefore, even though services.bitcoind only needs `bitcoind` binary, provide all the other bitcoin-related binaries (notably `bitcoin-cli`) as well:
|
||||||
|
bitcoindWithExternalIp = with pkgs; symlinkJoin {
|
||||||
|
name = "bitcoind-with-external-ip";
|
||||||
|
paths = [ _bitcoindWithExternalIp bitcoind ];
|
||||||
|
};
|
||||||
|
in
|
||||||
{
|
{
|
||||||
sane.persist.sys.byStore.ext = [
|
sane.persist.sys.byStore.ext = [
|
||||||
# /var/lib/monero/lmdb is what consumes most of the space
|
# /var/lib/monero/lmdb is what consumes most of the space
|
||||||
{ user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; }
|
{ user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
sane.ports.ports."8333" = {
|
# sane.ports.ports."8333" = {
|
||||||
# this allows other nodes and clients to download blocks from me.
|
# # this allows other nodes and clients to download blocks from me.
|
||||||
protocol = [ "tcp" ];
|
# protocol = [ "tcp" ];
|
||||||
visibleTo.wan = true;
|
# visibleTo.wan = true;
|
||||||
description = "colin-bitcoin";
|
# description = "colin-bitcoin";
|
||||||
|
# };
|
||||||
|
|
||||||
|
services.tor.relay.onionServices.bitcoind = {
|
||||||
|
version = 3;
|
||||||
|
map = [{
|
||||||
|
# by default tor will route public tor port P to 127.0.0.1:P.
|
||||||
|
# so if this port is the same as clightning would natively use, then no further config is needed here.
|
||||||
|
# see: <https://2019.www.torproject.org/docs/tor-manual.html.en#HiddenServicePort>
|
||||||
|
port = 8333;
|
||||||
|
# target.port; target.addr; #< set if tor port != clightning port
|
||||||
|
}];
|
||||||
|
# allow "tor" group (i.e. bitcoind-mainnet) to read /var/lib/tor/onion/bitcoind/hostname
|
||||||
|
settings.HiddenServiceDirGroupReadable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.bitcoind.mainnet = {
|
services.bitcoind.mainnet = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
package = bitcoindWithExternalIp;
|
||||||
rpc.users.colin = {
|
rpc.users.colin = {
|
||||||
# see docs at top of file for how to generate this
|
# see docs at top of file for how to generate this
|
||||||
passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4";
|
passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4";
|
||||||
|
@ -33,16 +64,21 @@
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
# don't load the wallet, and disable wallet RPC calls
|
# don't load the wallet, and disable wallet RPC calls
|
||||||
disablewallet=1
|
disablewallet=1
|
||||||
# TODO: configure tor integration
|
# proxy all outbound traffic through Tor
|
||||||
# proxy=127.0.0.1:9050
|
proxy=127.0.0.1:9050
|
||||||
# externalip=$(cat /var/lib/tor/onion/bitcoind/hostname)
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.bitcoind-mainnet.extraGroups = [ "tor" ];
|
||||||
|
|
||||||
|
systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s"; #< default is 0
|
||||||
|
|
||||||
sane.users.colin.fs.".bitcoin/bitcoin.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets."bitcoin.conf".path;
|
sane.users.colin.fs.".bitcoin/bitcoin.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets."bitcoin.conf".path;
|
||||||
sops.secrets."bitcoin.conf" = {
|
sops.secrets."bitcoin.conf" = {
|
||||||
mode = "0600";
|
mode = "0600";
|
||||||
owner = "colin";
|
owner = "colin";
|
||||||
group = "users";
|
group = "users";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sane.programs.bitcoind.enableFor.user.colin = true; # for debugging/administration: `bitcoin-cli`
|
||||||
}
|
}
|
||||||
|
|
|
@ -78,5 +78,5 @@
|
||||||
group = "clightning";
|
group = "clightning";
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.programs.clightning.enableFor.user.colin = true; # put `lightning-cli` onto PATH
|
sane.programs.clightning.enableFor.user.colin = true; # for debugging/admin: `lightning-cli`
|
||||||
}
|
}
|
||||||
|
|
|
@ -143,7 +143,8 @@ in
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
systemd.services.clightning = {
|
systemd.services.clightning = {
|
||||||
path = [ bitcoind.package ];
|
path = [ bitcoind.package ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
# note the wantedBy bitcoind: this should make it so that a bitcoind restart causes clightning to also restart (instead of to only stop)
|
||||||
|
wantedBy = [ "bitcoind-${cfg.bitcoindName}.service" "multi-user.target" ];
|
||||||
requires = [ "bitcoind-${cfg.bitcoindName}.service" ];
|
requires = [ "bitcoind-${cfg.bitcoindName}.service" ];
|
||||||
after = [ "bitcoind-${cfg.bitcoindName}.service" ];
|
after = [ "bitcoind-${cfg.bitcoindName}.service" ];
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user