rename onion-chef -> nix-bitcoin.onionAddresses
This clarifies the module's function.
This commit is contained in:
parent
55073eee70
commit
5c6977b006
@ -6,7 +6,7 @@ let
|
||||
cfg = config.services.clightning;
|
||||
inherit (config) nix-bitcoin-services;
|
||||
nbPkgs = config.nix-bitcoin.pkgs;
|
||||
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
|
||||
onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
|
||||
network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest";
|
||||
configFile = pkgs.writeText "config" ''
|
||||
network=${network}
|
||||
@ -108,13 +108,13 @@ in {
|
||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
services.onion-chef.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
|
||||
nix-bitcoin.onionAddresses.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
|
||||
systemd.services.clightning = {
|
||||
description = "Run clightningd";
|
||||
path = [ nbPkgs.bitcoind ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "bitcoind.service" ] ++ onion-chef-service;
|
||||
after = [ "bitcoind.service" ] ++ onion-chef-service;
|
||||
requires = [ "bitcoind.service" ] ++ onionAddressesService;
|
||||
after = [ "bitcoind.service" ] ++ onionAddressesService;
|
||||
preStart = ''
|
||||
cp ${configFile} ${cfg.dataDir}/config
|
||||
chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
|
||||
@ -122,7 +122,7 @@ in {
|
||||
rm -f ${cfg.networkDir}/lightning-rpc
|
||||
chmod 640 ${cfg.dataDir}/config
|
||||
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config'
|
||||
${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-chef/clightning/clightning) >> '${cfg.dataDir}/config'"}
|
||||
${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-addresses/clightning/clightning) >> '${cfg.dataDir}/config'"}
|
||||
'';
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
|
||||
|
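Review bot: The onion-addresses data directory is still spelled out as a literal in the preStart line of the third hunk (`cat /var/lib/onion-addresses/clightning/clightning`), which is why this rename had to touch every consumer by hand; the same literal recurs in the lnd, nodeinfo, spark-wallet and secure-node hunks below. The module already has a `dataDir` let-binding, so exposing it as a read-only option and referencing it from consumers, e.g. `cat ${config.nix-bitcoin.onionAddresses.dataDir}/clightning/clightning`, would make the path a single point of change. The `systemd.services.clightning` definition continues outside the hunk.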
@ -9,7 +9,7 @@ let
|
||||
|
||||
bitcoind = config.services.bitcoind;
|
||||
bitcoindRpcAddress = bitcoind.rpc.address;
|
||||
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
|
||||
onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
|
||||
networkDir = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}";
|
||||
configFile = pkgs.writeText "lnd.conf" ''
|
||||
datadir=${cfg.dataDir}
|
||||
@ -165,16 +165,16 @@ in {
|
||||
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
|
||||
};
|
||||
|
||||
services.onion-chef.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
|
||||
nix-bitcoin.onionAddresses.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
|
||||
systemd.services.lnd = {
|
||||
description = "Run LND";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "bitcoind.service" ] ++ onion-chef-service;
|
||||
after = [ "bitcoind.service" ] ++ onion-chef-service;
|
||||
requires = [ "bitcoind.service" ] ++ onionAddressesService;
|
||||
after = [ "bitcoind.service" ] ++ onionAddressesService;
|
||||
preStart = ''
|
||||
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
|
||||
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf'
|
||||
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
|
||||
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-addresses/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
|
||||
'';
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
RuntimeDirectory = "lnd"; # Only used to store custom macaroons
|
||||
|
@ -24,9 +24,9 @@ with lib;
|
||||
# Support features
|
||||
./versioning.nix
|
||||
./security.nix
|
||||
./onion-addresses.nix
|
||||
./netns-isolation.nix
|
||||
./backups.nix
|
||||
./onion-chef.nix
|
||||
];
|
||||
|
||||
disabledModules = [ "services/networking/bitcoind.nix" ];
|
||||
|
@ -7,12 +7,12 @@ let
|
||||
script = pkgs.writeScriptBin "nodeinfo" ''
|
||||
set -eo pipefail
|
||||
|
||||
BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"
|
||||
BITCOIND_ONION="$(cat /var/lib/onion-addresses/${operatorName}/bitcoind)"
|
||||
echo BITCOIND_ONION="$BITCOIND_ONION"
|
||||
|
||||
if systemctl is-active --quiet clightning; then
|
||||
CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
|
||||
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)"
|
||||
CLIGHTNING_ONION="$(cat /var/lib/onion-addresses/${operatorName}/clightning)"
|
||||
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
|
||||
echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
|
||||
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
|
||||
@ -24,37 +24,37 @@ let
|
||||
echo LND_NODEID="$LND_NODEID"
|
||||
fi
|
||||
|
||||
NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx
|
||||
NGINX_ONION_FILE=/var/lib/onion-addresses/${operatorName}/nginx
|
||||
if [ -e "$NGINX_ONION_FILE" ]; then
|
||||
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
|
||||
echo NGINX_ONION="$NGINX_ONION"
|
||||
fi
|
||||
|
||||
LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd
|
||||
LIQUIDD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/liquidd
|
||||
if [ -e "$LIQUIDD_ONION_FILE" ]; then
|
||||
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
|
||||
echo LIQUIDD_ONION="$LIQUIDD_ONION"
|
||||
fi
|
||||
|
||||
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet
|
||||
SPARKWALLET_ONION_FILE=/var/lib/onion-addresses/${operatorName}/spark-wallet
|
||||
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
|
||||
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
|
||||
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
|
||||
fi
|
||||
|
||||
ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs
|
||||
ELECTRS_ONION_FILE=/var/lib/onion-addresses/${operatorName}/electrs
|
||||
if [ -e "$ELECTRS_ONION_FILE" ]; then
|
||||
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
|
||||
echo ELECTRS_ONION="$ELECTRS_ONION"
|
||||
fi
|
||||
|
||||
BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver
|
||||
BTCPAYSERVER_ONION_FILE=/var/lib/onion-addresses/${operatorName}/btcpayserver
|
||||
if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then
|
||||
BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)"
|
||||
echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION"
|
||||
fi
|
||||
|
||||
SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
|
||||
SSHD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/sshd
|
||||
if [ -e "$SSHD_ONION_FILE" ]; then
|
||||
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
|
||||
echo SSHD_ONION="$SSHD_ONION"
|
||||
|
@ -1,17 +1,18 @@
|
||||
# The onion chef module allows unprivileged users to read onion hostnames.
|
||||
# By default the onion hostnames in /var/lib/tor/onion are only readable by the
|
||||
# tor user. The onion chef copies the onion hostnames into into
|
||||
# /var/lib/onion-chef and sets permissions according to the access option.
|
||||
# This module enables unprivileged users to read onion addresses.
|
||||
# By default, onion addresses in /var/lib/tor/onion are only readable by the
|
||||
# tor user.
|
||||
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
|
||||
# and sets permissions according to option 'access'.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.onion-chef;
|
||||
cfg = config.nix-bitcoin.onionAddresses;
|
||||
inherit (config) nix-bitcoin-services;
|
||||
dataDir = "/var/lib/onion-chef/";
|
||||
onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
|
||||
dataDir = "/var/lib/onion-addresses/";
|
||||
onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
|
||||
# wait until tor is up
|
||||
until ls -l /var/lib/tor/state; do sleep 1; done
|
||||
|
||||
@ -42,12 +43,12 @@ let
|
||||
}
|
||||
'';
|
||||
in {
|
||||
options.services.onion-chef = {
|
||||
options.nix-bitcoin.onionAddresses = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, the onion-chef service will be installed.
|
||||
If enabled, the onion-addresses service will be installed.
|
||||
'';
|
||||
};
|
||||
access = mkOption {
|
||||
@ -61,7 +62,7 @@ in {
|
||||
"operator" = [ "bitcoind" "clightning" ];
|
||||
};
|
||||
The onion hostnames can then be read from
|
||||
/var/lib/onion-chef/<user>.
|
||||
/var/lib/onion-addresses/<user>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
@ -71,13 +72,13 @@ in {
|
||||
"d '${dataDir}' 0755 root root - -"
|
||||
];
|
||||
|
||||
systemd.services.onion-chef = {
|
||||
description = "Run onion-chef";
|
||||
systemd.services.onion-addresses = {
|
||||
description = "Run onion-addresses";
|
||||
wantedBy = [ "tor.service" ];
|
||||
bindsTo = [ "tor.service" ];
|
||||
after = [ "tor.service" ];
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
PrivateNetwork = "true"; # This service needs no network access
|
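Review bot: Moving the option path from `services.onion-chef` to `nix-bitcoin.onionAddresses` (the `cfg` binding in the first hunk and the `options.` line in the second) leaves no alias for the old name, so an existing configuration that sets `services.onion-chef.enable` now fails evaluation as an undefined option; an `imports` entry such as `(lib.mkRenamedOptionModule [ "services" "onion-chef" "enable" ] [ "nix-bitcoin" "onionAddresses" "enable" ])` (or the equivalent in the project's versioning.nix, if that is where such migrations live) would keep old configs working with a warning. Likewise the tmpfiles rule in the last hunk only creates the new `${dataDir}`; on an upgraded system the previous `/var/lib/onion-chef/` tree, with its per-user copies of onion hostnames, stays on disk until removed by hand, which deserves either a cleanup rule or a release note. The `access` option and the remainder of the service definition continue outside the hunks.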
@ -124,7 +124,7 @@ in {
|
||||
qrencode
|
||||
];
|
||||
|
||||
services.onion-chef = {
|
||||
nix-bitcoin.onionAddresses = {
|
||||
enable = true;
|
||||
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
|
||||
};
|
||||
|
@ -5,14 +5,14 @@ with lib;
|
||||
let
|
||||
cfg = config.services.spark-wallet;
|
||||
inherit (config) nix-bitcoin-services;
|
||||
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
|
||||
onionAddressesService = (if cfg.onion-service then [ "onion-addresses.service" ] else []);
|
||||
|
||||
# Use wasabi rate provider because the default (bitstamp) doesn't accept
|
||||
# connections through Tor
|
||||
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}";
|
||||
startScript = ''
|
||||
${optionalString cfg.onion-service ''
|
||||
publicURL="--public-url http://$(cat /var/lib/onion-chef/spark-wallet/spark-wallet)"
|
||||
publicURL="--public-url http://$(cat /var/lib/onion-addresses/spark-wallet/spark-wallet)"
|
||||
''}
|
||||
exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
|
||||
--ln-path '${config.services.clightning.networkDir}' \
|
||||
@ -72,19 +72,19 @@ in {
|
||||
}];
|
||||
version = 3;
|
||||
};
|
||||
services.onion-chef.enable = cfg.onion-service;
|
||||
services.onion-chef.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
|
||||
nix-bitcoin.onionAddresses.enable = cfg.onion-service;
|
||||
nix-bitcoin.onionAddresses.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
|
||||
systemd.services.spark-wallet = {
|
||||
description = "Run spark-wallet";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "clightning.service" ] ++ onion-chef-service;
|
||||
after = [ "clightning.service" ] ++ onion-chef-service;
|
||||
requires = [ "clightning.service" ] ++ onionAddressesService;
|
||||
after = [ "clightning.service" ] ++ onionAddressesService;
|
||||
script = startScript;
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
User = "spark-wallet";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-chef";
|
||||
ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP)
|
||||
|
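Review bot: `ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";` in the second hunk grants the spark-wallet user write access to the whole onion-addresses tree, although the start script in the first hunk only reads `/var/lib/onion-addresses/spark-wallet/spark-wallet`. Whether a write grant is needed at all depends on `nix-bitcoin-services.defaultHardening`, whose definition is outside this diff: if it merely mounts /var/lib read-only, `ReadOnlyPaths` (or no entry) expresses the need exactly; if it blocks the path entirely, narrowing to the service's own subdirectory `/var/lib/onion-addresses/spark-wallet` keeps the grant minimal. Directory ownership still limits what can actually be written there, so this is a least-privilege tightening rather than a known hole. The `serviceConfig` attribute set continues outside the hunk.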
@ -218,7 +218,7 @@ def _():
|
||||
|
||||
@test("secure-node")
|
||||
def _():
|
||||
assert_running("onion-chef")
|
||||
assert_running("onion-addresses")
|
||||
|
||||
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
|
||||
# to incomplete unit dependencies.
|
||||
|