Run nodeinfo
to see onion addresses and local addresses for enabled services.
NixOS uses the systemd service manager.
Usage:
# Show service status
systemctl status bitcoind
# Show the last 100 log messages
journalctl -u bitcoind -n 100
# Show all log messages since the last system boot
journalctl -b -u bitcoind
# These commands require root permissions
systemctl stop bitcoind
systemctl start bitcoind
systemctl restart bitcoind
# Show the service definition
systemctl cat bitcoind
# Show all service parameters
systemctl show bitcoind
Normally you would connect to RTL via SSH tunneling with a command like this
ssh -L 3000:localhost:3000 root@bitcoin-node
Or like this, if you are using netns-isolation
ssh -L 3000:169.254.1.29:3000 root@bitcoin-node
Otherwise, you can access it via Tor Browser at http://<onion-address>
.
You can find the <onion-address>
with command nodeinfo
.
The default password location is $secretsDir/rtl-password
.
See: Secrets dir
-
Install Zeus
-
Edit your
configuration.nix
Add the following config:
services.lnd.lndconnectOnion.enable = true;
Add the following config:
services.clightning-rest = { enable = true; lndconnectOnion.enable = true; };
-
Deploy your configuration
-
Run the following command on your node (as user
operator
) to create a QR code with address and authentication information:lndconnect-onion
lndconnect-onion-clightning
-
Configure Zeus
- Add a new node
- Select
Scan lndconnect config
(at the bottom) and scan the QR code - For clightning: Set
Node interface
toc-lightning-REST
- Click
Save node config
- Start sending and stacking sats privately
Create plain text URLs or QR code images:
lndconnect-onion --url
lndconnect-onion --image
Create a QR code for a custom hostname:
lndconnect-onion --host=mynode.org
- Android phone
- Orbot installed from F-Droid (recommended) or Google Play
- Spark-wallet installed from direct download or Google Play
-
Enable spark-wallet in
configuration.nix
Change
# services.spark-wallet.enable = true;
to
services.spark-wallet.enable = true;
-
Deploy new
configuration.nix
-
Enable Orbot VPN for spark-wallet
Open Orbot app Turn on "VPN Mode" Select Gear icon under "Tor-Enabled Apps" Toggle checkbox under Spark icon
-
Get the onion address, access key and QR access code for the spark wallet android app
journalctl -eu spark-wallet
Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlighting the entire output to invert the colors.
-
Connect to spark-wallet android app
Server Settings Scan QR Done
- Android phone
- Orbot installed from F-Droid (recommended) or Google Play
- Electrum mobile app 4.0.1 and newer installed from direct download or Google Play
- Tor installed from source or repository
- Electrum installed
-
Enable electrs in
configuration.nix
Change
# services.electrs.enable = true;
to
services.electrs.enable = true;
-
Deploy new
configuration.nix
-
Get electrs onion address with format
<onion-address>:<port>
nodeinfo | jq -r .electrs.onion_address
-
Connect to electrs
Make sure Tor is running on Desktop or as Orbot on Android.
On Desktop
electrum --oneserver -1 -s "<electrs onion address>:t" -p socks5:localhost:9050
On Android
Three dots in the upper-right-hand corner Network > Proxy mode: socks5, Host: 127.0.0.1, Port: 9050 Network > Auto-connect: OFF Network > One-server mode: ON Network > Server: <electrs onion address>:t
-
Get the SSH onion address (excluding the port suffix)
ssh operator@bitcoin-node nodeinfo | jq -r .sshd.onion_address | sed 's/:.*//'
-
Create a SSH key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
-
Place the ed25519 key's fingerprint in the
configuration.nix
openssh.authorizedKeys.keys
field like so# FIXME: Add your SSH pubkey services.openssh.enable = true; users.users.root = { openssh.authorizedKeys.keys = [ "<contents of ~/.ssh/id_ed25519.pub>" ]; };
-
Connect to your nix-bitcoin node's SSH onion service, forwarding a local port to the nix-bitcoin node's SSH server
ssh -i ~/.ssh/id_ed25519 -L <random port of your choosing>:localhost:22 root@<SSH onion address>
-
Edit your deployment tool's configuration and change the node's address to
localhost
and the ssh port to<random port of your choosing>
. If you use krops as described in the installation tutorial, settarget = "localhost:<random port of your choosing>";
inkrops/deploy.nix
. -
After deploying the new configuration, it will connect through the SSH tunnel you established in step iv. This also allows you to do more complex SSH setups that some deployment tools don't support. An example would be authenticating with Trezor's SSH agent, which provides extra security.
-
Enable Trezor in
configuration.nix
Change
# services.hardware-wallets.trezor = true;
to
services.hardware-wallets.trezor = true;
-
Deploy new
configuration.nix
-
Check that your nix-bitcoin node recognizes your Trezor
ssh operator@bitcoin-node lsusb
Should show something relating to your Trezor
-
If your Trezor has outdated firmware or is not yet initialized: Start your Trezor in bootloader mode
Trezor v1
Plug in your Trezor with both buttons depressed
Trezor v2
Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through
-
If your Trezor's firmware is outdated: Update your Trezor's firmware
trezorctl firmware-update
Follow the on-screen instructions
Caution: This command will wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.
-
If your Trezor is not yet initialized: Set up your Trezor
trezorctl reset-device -p
Follow the on-screen instructions
-
Find your Trezor
hwi enumerate hwi -t trezor -d <path from previous command> promptpin hwi -t trezor -d <path> sendpin <number positions for the PIN as displayed on your device's screen> hwi enumerate
-
Follow Bitcoin Core's instructions on Using Bitcoin Core with Hardware Wallets to use your Trezor with
bitcoin-cli
on your nix-bitcoin node
For clarity reasons, nix-bitcoin renames all scripts to jm-*
without .py
, for
example wallet-tool.py
becomes jm-wallet-tool
. The rest of this section
details nix-bitcoin specific workflows for JoinMarket.
By default, a wallet is automatically generated at service startup.
It's stored at /var/lib/joinmarket/wallets/wallet.jmdat
, and its mnmenoic recovery
seed phrase is stored at /var/lib/joinmarket/jm-wallet-seed
.
A missing wallet file is automatically recreated if the seed file is still present.
If you want to manually initialize your wallet instead, follow these steps:
-
Enable JoinMarket in your node configuration
services.joinmarket.enable = true;
-
Move the automatically generated
wallet.jmdat
mv /var/lib/joinmarket/wallet.jmdat /var/lib/joinmarket/bak.jmdat
-
Generate wallet on your node
jm-wallet-tool generate
Follow the on-screen instructions and write down your seed.
In order to use nix-bitcoin's
joinmarket.yieldgenerator
, use the password from$secretsDir/jm-wallet-password
and use the suggested default wallet namewallet.jmdat
. If you want to use your ownjm-wallet-password
, simply replace the password string in your local secrets directory. See: Secrets dir
The tumbler needs to be able to run in the background for a long time, use screen to run it accross SSH sessions. You can also use tmux in the same fashion.
-
Add screen to your
environment.systemPackages
, for exampleenvironment.systemPackages = with pkgs; [ vim screen ];
-
Start the screen session
screen -S "tumbler"
-
Start the tumbler
Example: Tumbling into your wallet after buying from an exchange to improve privacy:
jm-tumbler wallet.jmdat <addr1> <addr2> <addr3>
After tumbling your bitcoin end up in these three addresses. You can now spend them without the exchange collecting data on your purchases.
Get more information here
-
Detach the screen session to leave the tumbler running in the background
Ctrl-a d or Ctrl-a Ctrl-d
-
Re-attach to the screen session
screen -r tumbler
-
End screen session
Type exit when tumbler is done
exit
The maker/yield generator in nix-bitcoin is implemented using a systemd service.
See here for more yield generator information.
-
Enable yield generator bot in your node configuration
services.joinmarket.yieldgenerator = { enable = true; # Optional: Add custom parameters txfee = 200; cjfee_a = 300; }; '';
-
Check service status
systemctl status joinmarket-yieldgenerator
-
Profit
There is a number of plugins available for clightning.
See Readme: Features → clightning
or search.nixos.org for a complete list.
You can activate and configure these plugins like so:
services.clightning = {
enable = true;
plugins = {
prometheus.enable = true;
prometheus.listen = "0.0.0.0:9900";
};
};
Please have a look at the module for a plugin (e.g. prometheus.nix) to learn its configuration options.