netns: add option 'allowedUser' for modules-only usage

The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
Erik Arvstedt 2020-08-21 22:36:01 +02:00
parent 9715134f06
commit 121301337b
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
2 changed files with 10 additions and 1 deletions


@ -75,6 +75,14 @@ in {
}; };
}); });
}; };
allowedUser = mkOption {
type = types.str;
description = ''
User that is allowed to execute commands in the service network namespaces.
The user's group is also authorized.
'';
};
}; };
config = mkIf cfg.enable (mkMerge [ config = mkIf cfg.enable (mkMerge [
@ -88,7 +96,7 @@ in {
security.wrappers.netns-exec = { security.wrappers.netns-exec = {
source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec"; source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec";
capabilities = "cap_sys_admin=ep"; capabilities = "cap_sys_admin=ep";
owner = "${config.nix-bitcoin.operatorName}"; owner = cfg.allowedUser;
permissions = "u+rx,g+rx,o-rwx"; permissions = "u+rx,g+rx,o-rwx";
}; };
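Review bot: The new option description says "The user's group is also authorized", but the wrapper block in the second hunk sets `owner = cfg.allowedUser;` with `permissions = "u+rx,g+rx,o-rwx";` and no `group` line is visible in the shown lines, so if the wrapper's group is left at the NixOS default the `g+rx` bit grants that default group, not the user's primary group; either set `group` explicitly alongside `owner` or drop the second sentence of the description. Since the wrapper carries `capabilities = "cap_sys_admin=ep";`, whoever is named in `allowedUser` effectively receives that capability, which the description should state plainly, e.g. `Note: this user gains CAP_SYS_ADMIN through the netns-exec wrapper and should be treated as a privileged account.`. The option has no `default`, so enabling netns-isolation without setting it fails evaluation; a short `This option has no default and must be set when the module is used standalone.` would make that intentional requirement visible. Both the `options` block and the `config = mkIf cfg.enable (mkMerge [` block extend outside these hunks.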


@ -238,6 +238,7 @@ in {
[ cfg.hardware-wallets.group ]); [ cfg.hardware-wallets.group ]);
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
}; };
nix-bitcoin.netns-isolation.allowedUser = operatorName;
# Give operator access to onion hostnames # Give operator access to onion hostnames
services.onion-chef.enable = true; services.onion-chef.enable = true;
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
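Review bot: The added `nix-bitcoin.netns-isolation.allowedUser = operatorName;` is an unconditional assignment, so a configuration that imports this module and wants a different user must use `mkForce` rather than a plain assignment. If the intent is to supply a sensible default for the secure-node profile while keeping the option overridable, `nix-bitcoin.netns-isolation.allowedUser = mkDefault operatorName;` is the idiomatic form, assuming `mkDefault` is in scope in this file as it appears to be for the other `lib` functions used here. The enclosing attribute set starts and ends outside the hunk.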