Merge fort-nix/nix-bitcoin#481: services: set systemd list options as list values
e6bb281a88
services: set systemd list options as list values (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACKe6bb281a88
Tree-SHA512: 1d2fa23de5903d32b5c0c64e362c0b21b566653dced1894c95409aed45f0a9d3a95cf1346482f0aa53da035907a12af199107b254acad820b44b87d3e88a37f7
This commit is contained in:
commit
24c3d68eee
@ -423,7 +423,7 @@ in {
|
|||||||
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
||||||
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
||||||
};
|
};
|
||||||
@ -449,7 +449,7 @@ in {
|
|||||||
serviceConfig = nbLib.defaultHardening // {
|
serviceConfig = nbLib.defaultHardening // {
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowLocalIPAddresses;
|
} // nbLib.allowLocalIPAddresses;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -192,7 +192,7 @@ in {
|
|||||||
User = cfg.nbxplorer.user;
|
User = cfg.nbxplorer.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.nbxplorer.dataDir;
|
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
|
||||||
MemoryDenyWriteExecute = "false";
|
MemoryDenyWriteExecute = "false";
|
||||||
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
||||||
};
|
};
|
||||||
@ -245,7 +245,7 @@ in {
|
|||||||
User = cfg.btcpayserver.user;
|
User = cfg.btcpayserver.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.btcpayserver.dataDir;
|
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
||||||
MemoryDenyWriteExecute = "false";
|
MemoryDenyWriteExecute = "false";
|
||||||
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
||||||
}; in self;
|
}; in self;
|
||||||
|
@ -96,7 +96,7 @@ in {
|
|||||||
User = clightning.user;
|
User = clightning.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
||||||
// nbLib.nodejs;
|
// nbLib.nodejs;
|
||||||
};
|
};
|
||||||
|
@ -148,7 +148,7 @@ in {
|
|||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
||||||
# Wait until the rpc socket appears
|
# Wait until the rpc socket appears
|
||||||
postStart = ''
|
postStart = ''
|
||||||
|
@ -92,7 +92,7 @@ in {
|
|||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -328,7 +328,7 @@ in {
|
|||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -368,7 +368,7 @@ in {
|
|||||||
# because it provides the wallet password via stdin to the main process
|
# because it provides the wallet password via stdin to the main process
|
||||||
SyslogIdentifier = "joinmarket-yieldgenerator";
|
SyslogIdentifier = "joinmarket-yieldgenerator";
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowTor;
|
} // nbLib.allowTor;
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
@ -106,7 +106,7 @@ in {
|
|||||||
User = lnd.user;
|
User = lnd.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -103,7 +103,7 @@ in {
|
|||||||
User = "lnd";
|
User = "lnd";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // (nbLib.allowedIPAddresses cfg.tor.enforce)
|
} // (nbLib.allowedIPAddresses cfg.tor.enforce)
|
||||||
// nbLib.allowNetlink; # required by gRPC-Go
|
// nbLib.allowNetlink; # required by gRPC-Go
|
||||||
};
|
};
|
||||||
|
@ -274,7 +274,7 @@ in {
|
|||||||
TimeoutStopSec = "10min";
|
TimeoutStopSec = "10min";
|
||||||
ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'";
|
ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -232,7 +232,7 @@ in {
|
|||||||
TimeoutSec = "15min";
|
TimeoutSec = "15min";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
ExecStartPost = let
|
ExecStartPost = let
|
||||||
curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
|
curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
|
||||||
restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
|
restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
|
||||||
|
@ -185,7 +185,7 @@ in {
|
|||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = cfg.dataDir;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
||||||
// nbLib.nodejs;
|
// nbLib.nodejs;
|
||||||
};
|
};
|
||||||
|
@ -46,7 +46,11 @@ let self = {
|
|||||||
|
|
||||||
# Allow takes precedence over Deny.
|
# Allow takes precedence over Deny.
|
||||||
allowLocalIPAddresses = {
|
allowLocalIPAddresses = {
|
||||||
IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
|
IPAddressAllow = [
|
||||||
|
"127.0.0.1/32"
|
||||||
|
"::1/128"
|
||||||
|
"169.254.0.0/16"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
allowAllIPAddresses = { IPAddressAllow = "any"; };
|
allowAllIPAddresses = { IPAddressAllow = "any"; };
|
||||||
allowTor = self.allowLocalIPAddresses;
|
allowTor = self.allowLocalIPAddresses;
|
||||||
|
Loading…
Reference in New Issue
Block a user