Carl Dong dongcarl @chaincodelabs New York carldong.io Bitcoin, UNIX, systems engineering.

dongcarl/homebrew-carchey 3

An archey script clone for OS X written in C

dongcarl/afid 0

Adaptive Finger Input Device

dongcarl/apple-sdk-tools 0

Maintainer Wanted: python tools for extracting Apple xcode/sdk files

dongcarl/bastion 0

Nerf Bastion.

dongcarl/beats 0

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash

dongcarl/bips 0

Bitcoin Improvement Proposals

dongcarl/bitcoin 0

Bitcoin Core integration/staging tree

dongcarl/bitcoin-guix 0

Bitcoin Core Guix Channel

started BitcoinDesign/Meta

started time in 3 hours

started jnewbery/bitcoin-core-stats

started time in 3 hours

started iheartradio/play-swagger

started time in 3 hours

started zw/bitcoin-gh-meta

started time in 5 hours

created repository jedisct1/voprf-libsodium

A VOPRF implementation for libsodium

created time in 6 hours

fork thomaseizinger/rust-libp2p-tokio-socks5

Libp2p transport for sending TCP traffic via a SOCKS5 proxy e.g., over Tor network.

fork in a day

issue opened fort-nix/nix-bitcoin

Add helper for publishing bitcoin.pdf

This feature will make whitepaper more available. Similar feature was already implemented in Debian repository and is being worked on in BTCPayServer.

created time in a day

started numworks/dieter

started time in a day

issue opened fort-nix/nix-bitcoin

Implement relevant steps from @madaidan "Linux Hardening Guide"

@madaidan's Linux Hardening Guide provides many useful steps to further lock down Linux systems. I have picked apart the guide and isolated the steps that could further improve nix-bitcoin's security. Harmless changes are intended to be implemented in /modules/profiles/hardened.nix. Steps that will cause significant speed decreases and functionality limitations/breakage should be placed in an optional /modules/profiles/hardened-paranoia.nix.

  • Use musl as the default C library https://github.com/NixOS/nixpkgs/issues/90147
  • Use LibreSSL by default
  • Kernel settings
    • kernel.printk=3 3 3 3
    • dev.tty.ldisc_autoload=0
    • kernel.sysrq=4
    • net.ipv4.tcp_rfc1337=1
    • net.ipv4.icmp_echo_ignore_all
    • net.ipv6.conf.all.accept_ra=0
    • net.ipv6.conf.default.accept_ra=0
    • net.ipv4.tcp_sack=0
    • net.ipv4.tcp_dsack=0
    • kernel.yama.ptrace_scope=2
    • fs.protected_fifos=2
    • fs.protected_regular=2
  • Boot parameters
    • slab_nomerge
    • vsyscall=none
    • debugfs=off
    • oops=panic
    • module.sig_enforce=1
    • lockdown=confidentiality
    • mce=0
    • quiet loglevel=0
    • Selection of spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force applicable to user CPU
  • Kernel attack service restriction
    • Blacklist modules
      dccp
      sctp
      rds
      tipc
      n-hdlc
      x25
      decnet
      econet
      af_802154
      ipx
      appletalk
      psnap
      p8023
      p8022
      can
      atm
      jffs2
      hfsplus
      squashfs
      udf
      cifs
      nfs
      nfsv3
      nfsv4
      gfs2
      vivid
      bluetooth
      btusb
      uvcvideo
      
    • Restrict access to sysfs / implement https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/hide-hardware-info
  • MAC
    • Setup a full system MAC policy that confines every single user space process by implementing an initramfs hook which enforces a MAC policy for the init system
  • Sandbox escapes
    • D-BUS
      • Block access to D-Bus from within systemd services
    • Blacklist TIOCSTI
  • Systemd sandboxing
    ProtectKernelLogs=true
    ProtectClock=true
    ProtectProc=invisible
    ProcSubset=pid
    
  • Run system-services with gVisor
  • Use hardened_malloc system-wide
  • Compile as many programs as possible with hardened compilation flags (maybe also upstream)
  • Restrict root and implement sudo (possible with krops https://github.com/krebs/krops/commit/cd215753338c9e077516deabac11735dfb624f06)
  • Unique Identifiers
    • Use generic hostname
    • Use generic Machine ID
    • Ignore ICMP requests
    • net.ipv4.tcp_timestamps=0
  • UMASK
    • system-wide umask 0077 for new files
  • Core dumps
    • Disable via sysctl with kernel.core_pattern=|/bin/false
    • fs.suid_dumpable=0
  • Swap
    • Only swap when absolutely necessary vm.swappiness=1
  • Microcode
    • Install microcode updates by default (Intel & AMD)
  • Partitioning and mount options
    • Separate /home /var /tmp /boot etc. into various partitions with fine-grained control over permissions
  • Editing files as root
    • Disable and use sudoedit
  • USBs
    • Block all newly connected USBs and provide way for user to whitelist trusted devices
  • Direct memory access (DMA) attacks
    • Enable the IOMMU
    • efi=disable_early_pci_dma
    • Blacklist FireWire and Thunderbolt Kernel modules

created time in a day

PR merged fort-nix/nix-bitcoin

electrs: v0.8.6 -> v0.8.7

This PR updates our electrs package. Even though this release doesn't bring significant new features, I still think it's good to keep up-to-date.

+3 -3

0 comment

1 changed file

nixbitcoin

pr closed time in 2 days

push event fort-nix/nix-bitcoin

nixbitcoin

commit sha 69da6f94f16bae90ebbea99b656c483e2f6ca2bc

electrs: v0.8.6 -> v0.8.7

Jonas Nick

commit sha 0de91d1b0353047fbfaf5324a0e9f455dac60fe3

Merge #302: electrs: v0.8.6 -> v0.8.7
69da6f94f16bae90ebbea99b656c483e2f6ca2bc electrs: v0.8.6 -> v0.8.7 (nixbitcoin)
Pull request description:
ACKs for top commit:
  erikarvstedt: ACK 69da6f94f16bae90ebbea99b656c483e2f6ca2bc
Tree-SHA512: 773c37cbd48e62e123cbc439e395d4dd1320199b22bd64066680429245ce9638cc210c35043f1edbc3030f96b5ce97fe464dc4bc9c9a89f1265ed72d66f2bc49

push time in 2 days

started Omega-Numworks/Omega

started time in 2 days

issue opened fort-nix/nix-bitcoin

Bitcoind 0.21 problem heads up

Just a heads up that the new version of bitcoind sometimes gets stuck at start. I discovered it when trying to create a Debian package and what looks like the same problem was found in bitcoind CI.

It is possible that I made some mistake, so you may decide to try it anyway with heavy testing. If you happen to find out please let me know.

I will try to be helpful if anyone wants to investigate but probably will not have a huge amount of time in the upcoming days/weeks.

created time in 2 days

Pull request review comment fort-nix/nix-bitcoin

WIP: Remove nixops examples and as recommended deployment method; replace with krops

+let+  # FIXME+  target = "root@NODE_SSH_HOST_OR_IP_ADDRESS_OR_HOST_NAME_HERE";++  pkgs = import <nixpkgs> {};+  nixBitcoinPkgs = import <nix-bitcoin> {};+  source = nixBitcoinPkgs.krops.lib.evalSource [{+    nixpkgs.file = {+      path = toString <nixpkgs>;+      useChecksum = true;+    };+    nix-bitcoin.file = {+      path = toString <nix-bitcoin>;+      useChecksum = true;+    };
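
Review bot: the `# FIXME` above `target` does not say what has to be changed, and nothing in the lines shown stops a deployment from running with the placeholder `root@NODE_SSH_HOST_OR_IP_ADDRESS_OR_HOST_NAME_HERE` left in place. Suggest turning the comment into an instruction, such as `# FIXME: set this to the SSH target of your node`, and noting there that the example deploys as `root`, so readers know which account needs SSH access.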

I think we should exclude the .git folder for people deploying from git repos

    filters = [
      {
        type = "exclude";
        pattern = ".git";
      }
    ];
jonasnick

comment created time in 2 days

PR opened fort-nix/nix-bitcoin

electrs: v0.8.6 -> v0.8.7

This PR updates our electrs package. Even though this release doesn't bring significant new features, I still think it's good to keep up-to-date.

+3 -3

0 comment

1 changed file

pr created time in 2 days

pull request comment fort-nix/nix-bitcoin

Fix lnd nodeinfo

The Cirrus CI bug that caused a failure for this PR has now been fixed.

sputn1ck

comment created time in 4 days

started berty/berty

started time in 4 days

fork valentinewallace/polar

One-click Bitcoin Lightning networks for local app development & testing

https://lightningpolar.com

fork in 4 days

started enjoy-digital/usb3_pipe

started time in 5 days

issue opened fort-nix/nix-bitcoin

Make nix-bitcoin options more discoverable

Nix-bitcoin should provide an options manpage similar to man configuration.nix. Ideally, it would also work in the examples nix-shell.

created time in 5 days

created tag fort-nix/nix-bitcoin

tag v0.0.31

A collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.

created time in 5 days

release fort-nix/nix-bitcoin

v0.0.31

released time in 5 days

PR merged fort-nix/nix-bitcoin

JoinMarket Orderbook Watcher

This PR adds the obwatcher script to the joinmarket package and adds a stand-alone joinmarket-obwatcher module.

I decided to make this module independent from the joinmarket module following the principle of least principle. It does not need to interact in any way with the existing bitcoind or joinmarket services.

+135 -9

19 comments

12 changed files

nixbitcoin

pr closed time in 5 days

push event fort-nix/nix-bitcoin

Erik Arvstedt

commit sha 254246cf39e88c843a75ce7ef8dd0c7de2d0100e

joinmarket: use installPhase
This simplifies the build.

Erik Arvstedt

commit sha 915df059f43b2e3ec872094630d15e46c5386864

joinmarket: 0.8.0-bcfa7eb -> 0.8.0-a5e8879

nixbitcoin

commit sha 8c125ec48c3f3caabab65acd2d7c9f2dffe1a2d3

joinmarket-obwatcher: add pkg & module

Jonas Nick

commit sha 035438d4273ef2d762752314d4596fbb9146fec5

Merge #290: JoinMarket Orderbook Watcher
8c125ec48c3f3caabab65acd2d7c9f2dffe1a2d3 joinmarket-obwatcher: add pkg & module (nixbitcoin)
915df059f43b2e3ec872094630d15e46c5386864 joinmarket: 0.8.0-bcfa7eb -> 0.8.0-a5e8879 (Erik Arvstedt)
254246cf39e88c843a75ce7ef8dd0c7de2d0100e joinmarket: use installPhase (Erik Arvstedt)
Pull request description:
ACKs for top commit:
  erikarvstedt: ACK 8c125ec48c3f3caabab65acd2d7c9f2dffe1a2d3
Tree-SHA512: 5e4ba14a2a90c505b7cd7e09c33548d06ec466502c48f8d551a4437c5542dab427ec7f9cb7a15c849cc7ce11685c493b9773ec08591e1980ebe2a84abef17141

push time in 5 days

PR merged fort-nix/nix-bitcoin

Fix lnd nodeinfo

nodeinfo used lightning-cli for getting the pubkey.

Now the output is the pubkey as expected.

+1 -1

2 comments

1 changed file

sputn1ck

pr closed time in 5 days

push event fort-nix/nix-bitcoin

kon

commit sha 9480ada13517f61fa1d6868f62c81951e1f75696

nodeinfo fix lnd

Jonas Nick

commit sha ecf119d5453d9475743aaf0b96fdefc60fde2d23

Merge #300: Fix lnd nodeinfo
9480ada13517f61fa1d6868f62c81951e1f75696 nodeinfo fix lnd (kon)
Pull request description:
ACKs for top commit:
  nixbitcoin: ACK 9480ada13517f61fa1d6868f62c81951e1f75696
Tree-SHA512: 5da72fa8b6341b8248348acf23916d5325cf8f1d58606103aee2881824f83249d128e84d92cd2ca51cea3e6b64b1a6e457bde4689335998e5f8525d7f366bfdc

push time in 5 days

pull request comment fort-nix/nix-bitcoin

Fix lnd nodeinfo

Good catch @sputn1ck!

sputn1ck

comment created time in 5 days

pull request comment fort-nix/nix-bitcoin

Fix lnd nodeinfo

Cirrus CI failed because of an issue related to https://github.com/cirruslabs/cirrus-ci-agent/issues/89#issuecomment-742782184. The PR itself passes the tests. I'll investigate this later.

sputn1ck

comment created time in 5 days

PR opened fort-nix/nix-bitcoin

Fix lnd nodeinfo

nodeinfo used lightning-cli for getting the pubkey.

Now the output is the pubkey as expected.

+1 -1

0 comment

1 changed file

pr created time in 5 days
