greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

clightning: allow group access to RPC socket

Browse Source
This commit is contained in:
nixbitcoin 2020-05-18 14:32:49 +00:00
parent 304dd297ba
commit 0ba55757f8
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
2 changed files with 4 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
modules/clightning.nix
View File

@ -13,6 +13,7 @@ let
always-use-proxy=${if cfg.always-use-proxy then "true" else "false"} always-use-proxy=${if cfg.always-use-proxy then "true" else "false"}
${optionalString (cfg.bind-addr != null) "bind-addr=${cfg.bind-addr}"} ${optionalString (cfg.bind-addr != null) "bind-addr=${cfg.bind-addr}"}
bitcoin-rpcuser=${cfg.bitcoin-rpcuser} bitcoin-rpcuser=${cfg.bitcoin-rpcuser}
rpc-file-mode=0660
''; '';
in { in {
options.services.clightning = { options.services.clightning = {
@ -61,10 +62,8 @@ in {
cli = mkOption { cli = mkOption {
readOnly = true; readOnly = true;
default = pkgs.writeScriptBin "lightning-cli" default = pkgs.writeScriptBin "lightning-cli"
# Switch user because c-lightning doesn't allow setting the permissions of the rpc socket
# https://github.com/ElementsProject/lightning/issues/1366
'' ''
exec sudo -u clightning ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@" ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"
''; '';
description = "Binary to connect with the clightning instance."; description = "Binary to connect with the clightning instance.";
}; };
@ -110,6 +109,8 @@ in {
while [[ ! -e ${cfg.dataDir}/bitcoin/lightning-rpc ]]; do while [[ ! -e ${cfg.dataDir}/bitcoin/lightning-rpc ]]; do
sleep 0.1 sleep 0.1
done done
# Needed to enable lightning-cli for users with group 'clightning'
chmod g+x ${cfg.dataDir}/bitcoin
''; '';
}; };
}; };

5
modules/presets/secure-node.nix
View File

@ -132,12 +132,7 @@ in {
services.onion-chef.enable = true; services.onion-chef.enable = true;
services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
# https://github.com/ElementsProject/lightning/issues/1366
security.sudo.configFile = security.sudo.configFile =
(optionalString cfg.clightning.enable ''
operator ALL=(clightning) NOPASSWD: ALL
'') +
(optionalString cfg.lnd.enable '' (optionalString cfg.lnd.enable ''
operator ALL=(lnd) NOPASSWD: ALL operator ALL=(lnd) NOPASSWD: ALL
''); '');