rename onion-chef -> nix-bitcoin.onionAddresses

This clarifies its function.
This commit is contained in:
Erik Arvstedt 2021-01-14 13:24:10 +01:00
parent 55073eee70
commit 5c6977b006
GPG Key ID: 33312B944DD97846
8 changed files with 42 additions and 41 deletions


@ -6,7 +6,7 @@ let
cfg = config.services.clightning;
inherit (config) nix-bitcoin-services;
nbPkgs = config.nix-bitcoin.pkgs;
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest";
configFile = pkgs.writeText "config" ''
network=${network}
@ -108,13 +108,13 @@ in {
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
];
services.onion-chef.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
nix-bitcoin.onionAddresses.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
systemd.services.clightning = {
description = "Run clightningd";
path = [ nbPkgs.bitcoind ];
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ] ++ onion-chef-service;
after = [ "bitcoind.service" ] ++ onion-chef-service;
requires = [ "bitcoind.service" ] ++ onionAddressesService;
after = [ "bitcoind.service" ] ++ onionAddressesService;
preStart = ''
cp ${configFile} ${cfg.dataDir}/config
chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
@ -122,7 +122,7 @@ in {
rm -f ${cfg.networkDir}/lightning-rpc
chmod 640 ${cfg.dataDir}/config
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config'
${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-chef/clightning/clightning) >> '${cfg.dataDir}/config'"}
${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-addresses/clightning/clightning) >> '${cfg.dataDir}/config'"}
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
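Review bot: The `announce-addr` line written in preStart has no guard on the address file: `$(cat /var/lib/onion-addresses/clightning/clightning)` inside `echo` cannot abort the script (echo's exit status is what counts), so a missing or empty file silently yields `announce-addr=` in the config and lightningd starts without the Tor announcement. The `requires`/`after` on `onion-addresses.service` makes this unlikely in practice, but a cheap check turns a silent misconfiguration into a failed start: `addr=$(cat /var/lib/onion-addresses/clightning/clightning)`, `[ -n "$addr" ] || exit 1`, then `echo "announce-addr=$addr" >> '${cfg.dataDir}/config'`. The same pattern applies to the lnd `externalip` line in the next file. The preStart script and the systemd unit continue past this hunk.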


@ -9,7 +9,7 @@ let
bitcoind = config.services.bitcoind;
bitcoindRpcAddress = bitcoind.rpc.address;
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
networkDir = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}";
configFile = pkgs.writeText "lnd.conf" ''
datadir=${cfg.dataDir}
@ -165,16 +165,16 @@ in {
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
};
services.onion-chef.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
nix-bitcoin.onionAddresses.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
systemd.services.lnd = {
description = "Run LND";
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ] ++ onion-chef-service;
after = [ "bitcoind.service" ] ++ onion-chef-service;
requires = [ "bitcoind.service" ] ++ onionAddressesService;
after = [ "bitcoind.service" ] ++ onionAddressesService;
preStart = ''
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf'
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-addresses/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
RuntimeDirectory = "lnd"; # Only used to store custom macaroons


@ -24,9 +24,9 @@ with lib;
# Support features
./versioning.nix
./security.nix
./onion-addresses.nix
./netns-isolation.nix
./backups.nix
./onion-chef.nix
];
disabledModules = [ "services/networking/bitcoind.nix" ];


@ -7,12 +7,12 @@ let
script = pkgs.writeScriptBin "nodeinfo" ''
set -eo pipefail
BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"
BITCOIND_ONION="$(cat /var/lib/onion-addresses/${operatorName}/bitcoind)"
echo BITCOIND_ONION="$BITCOIND_ONION"
if systemctl is-active --quiet clightning; then
CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)"
CLIGHTNING_ONION="$(cat /var/lib/onion-addresses/${operatorName}/clightning)"
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
@ -24,37 +24,37 @@ let
echo LND_NODEID="$LND_NODEID"
fi
NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx
NGINX_ONION_FILE=/var/lib/onion-addresses/${operatorName}/nginx
if [ -e "$NGINX_ONION_FILE" ]; then
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
echo NGINX_ONION="$NGINX_ONION"
fi
LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd
LIQUIDD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/liquidd
if [ -e "$LIQUIDD_ONION_FILE" ]; then
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
echo LIQUIDD_ONION="$LIQUIDD_ONION"
fi
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet
SPARKWALLET_ONION_FILE=/var/lib/onion-addresses/${operatorName}/spark-wallet
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
fi
ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs
ELECTRS_ONION_FILE=/var/lib/onion-addresses/${operatorName}/electrs
if [ -e "$ELECTRS_ONION_FILE" ]; then
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
echo ELECTRS_ONION="$ELECTRS_ONION"
fi
BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver
BTCPAYSERVER_ONION_FILE=/var/lib/onion-addresses/${operatorName}/btcpayserver
if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then
BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)"
echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION"
fi
SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
SSHD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/sshd
if [ -e "$SSHD_ONION_FILE" ]; then
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
echo SSHD_ONION="$SSHD_ONION"


@ -1,17 +1,18 @@
# The onion chef module allows unprivileged users to read onion hostnames.
# By default the onion hostnames in /var/lib/tor/onion are only readable by the
# tor user. The onion chef copies the onion hostnames into into
# /var/lib/onion-chef and sets permissions according to the access option.
# This module enables unprivileged users to read onion addresses.
# By default, onion addresses in /var/lib/tor/onion are only readable by the
# tor user.
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
# and sets permissions according to option 'access'.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.onion-chef;
cfg = config.nix-bitcoin.onionAddresses;
inherit (config) nix-bitcoin-services;
dataDir = "/var/lib/onion-chef/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
dataDir = "/var/lib/onion-addresses/";
onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
# wait until tor is up
until ls -l /var/lib/tor/state; do sleep 1; done
@ -42,12 +43,12 @@ let
}
'';
in {
options.services.onion-chef = {
options.nix-bitcoin.onionAddresses = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the onion-chef service will be installed.
If enabled, the onion-addresses service will be installed.
'';
};
access = mkOption {
@ -61,7 +62,7 @@ in {
"operator" = [ "bitcoind" "clightning" ];
};
The onion hostnames can then be read from
/var/lib/onion-chef/<user>.
/var/lib/onion-addresses/<user>.
'';
};
};
@ -71,13 +72,13 @@ in {
"d '${dataDir}' 0755 root root - -"
];
systemd.services.onion-chef = {
description = "Run onion-chef";
systemd.services.onion-addresses = {
description = "Run onion-addresses";
wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
Type = "oneshot";
RemainAfterExit = true;
PrivateNetwork = "true"; # This service needs no network access


@ -124,7 +124,7 @@ in {
qrencode
];
services.onion-chef = {
nix-bitcoin.onionAddresses = {
enable = true;
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
};


@ -5,14 +5,14 @@ with lib;
let
cfg = config.services.spark-wallet;
inherit (config) nix-bitcoin-services;
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
onionAddressesService = (if cfg.onion-service then [ "onion-addresses.service" ] else []);
# Use wasabi rate provider because the default (bitstamp) doesn't accept
# connections through Tor
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}";
startScript = ''
${optionalString cfg.onion-service ''
publicURL="--public-url http://$(cat /var/lib/onion-chef/spark-wallet/spark-wallet)"
publicURL="--public-url http://$(cat /var/lib/onion-addresses/spark-wallet/spark-wallet)"
''}
exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
--ln-path '${config.services.clightning.networkDir}' \
@ -72,19 +72,19 @@ in {
}];
version = 3;
};
services.onion-chef.enable = cfg.onion-service;
services.onion-chef.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
nix-bitcoin.onionAddresses.enable = cfg.onion-service;
nix-bitcoin.onionAddresses.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
systemd.services.spark-wallet = {
description = "Run spark-wallet";
wantedBy = [ "multi-user.target" ];
requires = [ "clightning.service" ] ++ onion-chef-service;
after = [ "clightning.service" ] ++ onion-chef-service;
requires = [ "clightning.service" ] ++ onionAddressesService;
after = [ "clightning.service" ] ++ onionAddressesService;
script = startScript;
serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "spark-wallet";
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-chef";
ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP)
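Review bot: `ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses"` grants the spark-wallet unit write access to the whole onion-addresses tree, while the start script only ever reads one file from it (`cat /var/lib/onion-addresses/spark-wallet/spark-wallet`). Since that directory is populated by a root-owned service and consumed by several other units, a compromised spark-wallet process should not be able to rewrite other services' onion addresses; `ReadOnlyPaths` (or, if the hardening defaults hide `/var/lib`, a `BindReadOnlyPaths` entry for just `/var/lib/onion-addresses/spark-wallet`) would express the real requirement. I can't see `defaultHardening` here, so whether the path needs to be mapped at all is worth confirming, but read-write is more than this unit uses. The serviceConfig attribute set continues past the end of this hunk.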


@ -218,7 +218,7 @@ def _():
@test("secure-node")
def _():
assert_running("onion-chef")
assert_running("onion-addresses")
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
# to incomplete unit dependencies.