rename onion-chef -> nix-bitcoin.onionAddresses

This clarifies its function.
This commit is contained in:
Erik Arvstedt 2021-01-14 13:24:10 +01:00
parent 55073eee70
commit 5c6977b006
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
8 changed files with 42 additions and 41 deletions


@ -6,7 +6,7 @@ let
cfg = config.services.clightning; cfg = config.services.clightning;
inherit (config) nix-bitcoin-services; inherit (config) nix-bitcoin-services;
nbPkgs = config.nix-bitcoin.pkgs; nbPkgs = config.nix-bitcoin.pkgs;
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []); onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest"; network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest";
configFile = pkgs.writeText "config" '' configFile = pkgs.writeText "config" ''
network=${network} network=${network}
@ -108,13 +108,13 @@ in {
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
]; ];
services.onion-chef.access.clightning = if cfg.announce-tor then [ "clightning" ] else []; nix-bitcoin.onionAddresses.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
systemd.services.clightning = { systemd.services.clightning = {
description = "Run clightningd"; description = "Run clightningd";
path = [ nbPkgs.bitcoind ]; path = [ nbPkgs.bitcoind ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ] ++ onion-chef-service; requires = [ "bitcoind.service" ] ++ onionAddressesService;
after = [ "bitcoind.service" ] ++ onion-chef-service; after = [ "bitcoind.service" ] ++ onionAddressesService;
preStart = '' preStart = ''
cp ${configFile} ${cfg.dataDir}/config cp ${configFile} ${cfg.dataDir}/config
chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
@ -122,7 +122,7 @@ in {
rm -f ${cfg.networkDir}/lightning-rpc rm -f ${cfg.networkDir}/lightning-rpc
chmod 640 ${cfg.dataDir}/config chmod 640 ${cfg.dataDir}/config
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config' echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config'
${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-chef/clightning/clightning) >> '${cfg.dataDir}/config'"} ${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-addresses/clightning/clightning) >> '${cfg.dataDir}/config'"}
''; '';
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}"; ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";


@ -9,7 +9,7 @@ let
bitcoind = config.services.bitcoind; bitcoind = config.services.bitcoind;
bitcoindRpcAddress = bitcoind.rpc.address; bitcoindRpcAddress = bitcoind.rpc.address;
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []); onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
networkDir = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}"; networkDir = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}";
configFile = pkgs.writeText "lnd.conf" '' configFile = pkgs.writeText "lnd.conf" ''
datadir=${cfg.dataDir} datadir=${cfg.dataDir}
@ -165,16 +165,16 @@ in {
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333"; zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
}; };
services.onion-chef.access.lnd = if cfg.announce-tor then [ "lnd" ] else []; nix-bitcoin.onionAddresses.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
systemd.services.lnd = { systemd.services.lnd = {
description = "Run LND"; description = "Run LND";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ] ++ onion-chef-service; requires = [ "bitcoind.service" ] ++ onionAddressesService;
after = [ "bitcoind.service" ] ++ onion-chef-service; after = [ "bitcoind.service" ] ++ onionAddressesService;
preStart = '' preStart = ''
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf' install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf' echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf'
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"} ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-addresses/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
''; '';
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
RuntimeDirectory = "lnd"; # Only used to store custom macaroons RuntimeDirectory = "lnd"; # Only used to store custom macaroons


@ -24,9 +24,9 @@ with lib;
# Support features # Support features
./versioning.nix ./versioning.nix
./security.nix ./security.nix
./onion-addresses.nix
./netns-isolation.nix ./netns-isolation.nix
./backups.nix ./backups.nix
./onion-chef.nix
]; ];
disabledModules = [ "services/networking/bitcoind.nix" ]; disabledModules = [ "services/networking/bitcoind.nix" ];


@ -7,12 +7,12 @@ let
script = pkgs.writeScriptBin "nodeinfo" '' script = pkgs.writeScriptBin "nodeinfo" ''
set -eo pipefail set -eo pipefail
BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)" BITCOIND_ONION="$(cat /var/lib/onion-addresses/${operatorName}/bitcoind)"
echo BITCOIND_ONION="$BITCOIND_ONION" echo BITCOIND_ONION="$BITCOIND_ONION"
if systemctl is-active --quiet clightning; then if systemctl is-active --quiet clightning; then
CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id') CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)" CLIGHTNING_ONION="$(cat /var/lib/onion-addresses/${operatorName}/clightning)"
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735" CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID" echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
echo CLIGHTNING_ONION="$CLIGHTNING_ONION" echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
@ -24,37 +24,37 @@ let
echo LND_NODEID="$LND_NODEID" echo LND_NODEID="$LND_NODEID"
fi fi
NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx NGINX_ONION_FILE=/var/lib/onion-addresses/${operatorName}/nginx
if [ -e "$NGINX_ONION_FILE" ]; then if [ -e "$NGINX_ONION_FILE" ]; then
NGINX_ONION="$(cat $NGINX_ONION_FILE)" NGINX_ONION="$(cat $NGINX_ONION_FILE)"
echo NGINX_ONION="$NGINX_ONION" echo NGINX_ONION="$NGINX_ONION"
fi fi
LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd LIQUIDD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/liquidd
if [ -e "$LIQUIDD_ONION_FILE" ]; then if [ -e "$LIQUIDD_ONION_FILE" ]; then
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)" LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
echo LIQUIDD_ONION="$LIQUIDD_ONION" echo LIQUIDD_ONION="$LIQUIDD_ONION"
fi fi
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet SPARKWALLET_ONION_FILE=/var/lib/onion-addresses/${operatorName}/spark-wallet
if [ -e "$SPARKWALLET_ONION_FILE" ]; then if [ -e "$SPARKWALLET_ONION_FILE" ]; then
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)" SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION" echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
fi fi
ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs ELECTRS_ONION_FILE=/var/lib/onion-addresses/${operatorName}/electrs
if [ -e "$ELECTRS_ONION_FILE" ]; then if [ -e "$ELECTRS_ONION_FILE" ]; then
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)" ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
echo ELECTRS_ONION="$ELECTRS_ONION" echo ELECTRS_ONION="$ELECTRS_ONION"
fi fi
BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver BTCPAYSERVER_ONION_FILE=/var/lib/onion-addresses/${operatorName}/btcpayserver
if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then
BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)" BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)"
echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION" echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION"
fi fi
SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd SSHD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/sshd
if [ -e "$SSHD_ONION_FILE" ]; then if [ -e "$SSHD_ONION_FILE" ]; then
SSHD_ONION="$(cat $SSHD_ONION_FILE)" SSHD_ONION="$(cat $SSHD_ONION_FILE)"
echo SSHD_ONION="$SSHD_ONION" echo SSHD_ONION="$SSHD_ONION"


@ -1,17 +1,18 @@
# The onion chef module allows unprivileged users to read onion hostnames. # This module enables unprivileged users to read onion addresses.
# By default the onion hostnames in /var/lib/tor/onion are only readable by the # By default, onion addresses in /var/lib/tor/onion are only readable by the
# tor user. The onion chef copies the onion hostnames into into # tor user.
# /var/lib/onion-chef and sets permissions according to the access option. # The included service copies onion addresses to /var/lib/onion-addresses/<user>/
# and sets permissions according to option 'access'.
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.services.onion-chef; cfg = config.nix-bitcoin.onionAddresses;
inherit (config) nix-bitcoin-services; inherit (config) nix-bitcoin-services;
dataDir = "/var/lib/onion-chef/"; dataDir = "/var/lib/onion-addresses/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" '' onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
# wait until tor is up # wait until tor is up
until ls -l /var/lib/tor/state; do sleep 1; done until ls -l /var/lib/tor/state; do sleep 1; done
@ -42,12 +43,12 @@ let
} }
''; '';
in { in {
options.services.onion-chef = { options.nix-bitcoin.onionAddresses = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''
If enabled, the onion-chef service will be installed. If enabled, the onion-addresses service will be installed.
''; '';
}; };
access = mkOption { access = mkOption {
@ -61,7 +62,7 @@ in {
"operator" = [ "bitcoind" "clightning" ]; "operator" = [ "bitcoind" "clightning" ];
}; };
The onion hostnames can then be read from The onion hostnames can then be read from
/var/lib/onion-chef/<user>. /var/lib/onion-addresses/<user>.
''; '';
}; };
}; };
@ -71,13 +72,13 @@ in {
"d '${dataDir}' 0755 root root - -" "d '${dataDir}' 0755 root root - -"
]; ];
systemd.services.onion-chef = { systemd.services.onion-addresses = {
description = "Run onion-chef"; description = "Run onion-addresses";
wantedBy = [ "tor.service" ]; wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ]; bindsTo = [ "tor.service" ];
after = [ "tor.service" ]; after = [ "tor.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}"; ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
PrivateNetwork = "true"; # This service needs no network access PrivateNetwork = "true"; # This service needs no network access
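Review bot: The description of the `access` option still says "The onion hostnames can then be read from /var/lib/onion-addresses/<user>." while the rewritten header comment of this module now consistently says "onion addresses"; the option text should follow, e.g. `The onion addresses can then be read from`. Configurations that still set `services.onion-chef.*` will stop evaluating after this rename unless the project's versioning module handles it (not visible here); if it does not, an alias via `lib.mkRenamedOptionModule` would give a graceful migration path. Separately, since `dataDir` changes from `/var/lib/onion-chef/` to `/var/lib/onion-addresses/` and only the new directory is managed by the tmpfiles rule, hosts deployed before this change keep the previously copied onion hostnames under the old path indefinitely; a removal rule or a changelog note telling operators to delete the old directory would avoid leaving stale copies around. The tmpfiles rule and the service definition start outside this hunk.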


@ -124,7 +124,7 @@ in {
qrencode qrencode
]; ];
services.onion-chef = { nix-bitcoin.onionAddresses = {
enable = true; enable = true;
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ]; access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
}; };


@ -5,14 +5,14 @@ with lib;
let let
cfg = config.services.spark-wallet; cfg = config.services.spark-wallet;
inherit (config) nix-bitcoin-services; inherit (config) nix-bitcoin-services;
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []); onionAddressesService = (if cfg.onion-service then [ "onion-addresses.service" ] else []);
# Use wasabi rate provider because the default (bitstamp) doesn't accept # Use wasabi rate provider because the default (bitstamp) doesn't accept
# connections through Tor # connections through Tor
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}"; torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}";
startScript = '' startScript = ''
${optionalString cfg.onion-service '' ${optionalString cfg.onion-service ''
publicURL="--public-url http://$(cat /var/lib/onion-chef/spark-wallet/spark-wallet)" publicURL="--public-url http://$(cat /var/lib/onion-addresses/spark-wallet/spark-wallet)"
''} ''}
exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \ exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
--ln-path '${config.services.clightning.networkDir}' \ --ln-path '${config.services.clightning.networkDir}' \
@ -72,19 +72,19 @@ in {
}]; }];
version = 3; version = 3;
}; };
services.onion-chef.enable = cfg.onion-service; nix-bitcoin.onionAddresses.enable = cfg.onion-service;
services.onion-chef.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else []; nix-bitcoin.onionAddresses.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
systemd.services.spark-wallet = { systemd.services.spark-wallet = {
description = "Run spark-wallet"; description = "Run spark-wallet";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "clightning.service" ] ++ onion-chef-service; requires = [ "clightning.service" ] ++ onionAddressesService;
after = [ "clightning.service" ] ++ onion-chef-service; after = [ "clightning.service" ] ++ onionAddressesService;
script = startScript; script = startScript;
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "spark-wallet"; User = "spark-wallet";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-chef"; ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP) else nix-bitcoin-services.allowAnyIP)
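Review bot: `ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";` grants the spark-wallet unit write access to the whole onion-addresses tree, i.e. to every other service's copied onion hostname, while `startScript` only ever reads `/var/lib/onion-addresses/spark-wallet/spark-wallet`. Narrowing it to the service's own subdirectory and making it read-only, `ReadOnlyPaths = mkIf cfg.onion-service "/var/lib/onion-addresses/spark-wallet";`, keeps the intent of `defaultHardening`; whether any path entry is required at all depends on what `defaultHardening` sets, which is outside this hunk. The issue predates the commit, but the rename touches exactly this line, so it is a natural place to tighten it. The `systemd.services.spark-wallet` attribute set continues past the end of the hunk.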


@ -218,7 +218,7 @@ def _():
@test("secure-node") @test("secure-node")
def _(): def _():
assert_running("onion-chef") assert_running("onion-addresses")
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due # FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
# to incomplete unit dependencies. # to incomplete unit dependencies.