Merge fort-nix/nix-bitcoin#481: services: set systemd list options as list values

e6bb281a88 services: set systemd list options as list values (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e6bb281a88

Tree-SHA512: 1d2fa23de5903d32b5c0c64e362c0b21b566653dced1894c95409aed45f0a9d3a95cf1346482f0aa53da035907a12af199107b254acad820b44b87d3e88a37f7
Jonas Nick 2022-05-07 19:59:13 +00:00
commit 24c3d68eee
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
12 changed files with 19 additions and 15 deletions


@ -423,7 +423,7 @@ in {
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'"; ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure"; Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027"; UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce } // nbLib.allowedIPAddresses cfg.tor.enforce
// optionalAttrs zmqServerEnabled nbLib.allowNetlink; // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
}; };
@ -449,7 +449,7 @@ in {
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowLocalIPAddresses; } // nbLib.allowLocalIPAddresses;
}; };
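Review bot: Wrapping ReadWritePaths in a list (this hunk, the one above it at L21, and the matching hunks in the other service files) changes how NixOS merges the option, and nothing in the commit or the empty PR description says so. If I read the systemd unitOption merge correctly, list values are concatenated across definitions while string values must be identical, so a second module that defines ReadWritePaths for the same unit now silently extends the writable set instead of failing evaluation. Since ReadWritePaths is a sandbox boundary for the hardened service, that new extensibility is worth a note at the first occurrence, e.g. `# list value: lets other modules extend the writable paths instead of conflicting`, or one sentence in the PR description; the same consideration applies to the IPAddressAllow list in the nbLib hunk, whose end is outside this view. The enclosing serviceConfig attrset begins before the start of this hunk.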


@ -192,7 +192,7 @@ in {
User = cfg.nbxplorer.user; User = cfg.nbxplorer.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.nbxplorer.dataDir; ReadWritePaths = [ cfg.nbxplorer.dataDir ];
MemoryDenyWriteExecute = "false"; MemoryDenyWriteExecute = "false";
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce; } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
}; };
@ -245,7 +245,7 @@ in {
User = cfg.btcpayserver.user; User = cfg.btcpayserver.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.btcpayserver.dataDir; ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = "false"; MemoryDenyWriteExecute = "false";
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce; } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
}; in self; }; in self;


@ -96,7 +96,7 @@ in {
User = clightning.user; User = clightning.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce } // nbLib.allowedIPAddresses cfg.tor.enforce
// nbLib.nodejs; // nbLib.nodejs;
}; };


@ -148,7 +148,7 @@ in {
User = cfg.user; User = cfg.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
# Wait until the rpc socket appears # Wait until the rpc socket appears
postStart = '' postStart = ''


@ -92,7 +92,7 @@ in {
Group = cfg.group; Group = cfg.group;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
}; };


@ -328,7 +328,7 @@ in {
User = cfg.user; User = cfg.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
}; };
@ -368,7 +368,7 @@ in {
# because it provides the wallet password via stdin to the main process # because it provides the wallet password via stdin to the main process
SyslogIdentifier = "joinmarket-yieldgenerator"; SyslogIdentifier = "joinmarket-yieldgenerator";
User = cfg.user; User = cfg.user;
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowTor; } // nbLib.allowTor;
}; };
}) })


@ -106,7 +106,7 @@ in {
User = lnd.user; User = lnd.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
}; };


@ -103,7 +103,7 @@ in {
User = "lnd"; User = "lnd";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // (nbLib.allowedIPAddresses cfg.tor.enforce) } // (nbLib.allowedIPAddresses cfg.tor.enforce)
// nbLib.allowNetlink; # required by gRPC-Go // nbLib.allowNetlink; # required by gRPC-Go
}; };


@ -274,7 +274,7 @@ in {
TimeoutStopSec = "10min"; TimeoutStopSec = "10min";
ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'"; ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'";
Restart = "on-failure"; Restart = "on-failure";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
}; };


@ -232,7 +232,7 @@ in {
TimeoutSec = "15min"; TimeoutSec = "15min";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
ExecStartPost = let ExecStartPost = let
curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}"; curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1"; restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";


@ -185,7 +185,7 @@ in {
User = cfg.user; User = cfg.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = [ cfg.dataDir ];
} // nbLib.allowedIPAddresses cfg.tor.enforce } // nbLib.allowedIPAddresses cfg.tor.enforce
// nbLib.nodejs; // nbLib.nodejs;
}; };


@ -46,7 +46,11 @@ let self = {
# Allow takes precedence over Deny. # Allow takes precedence over Deny.
allowLocalIPAddresses = { allowLocalIPAddresses = {
IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16"; IPAddressAllow = [
"127.0.0.1/32"
"::1/128"
"169.254.0.0/16"
];
}; };
allowAllIPAddresses = { IPAddressAllow = "any"; }; allowAllIPAddresses = { IPAddressAllow = "any"; };
allowTor = self.allowLocalIPAddresses; allowTor = self.allowLocalIPAddresses;