From 5d01ea7101a94a4ceb8bdcaabe60f66652253a5a Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Sun, 3 May 2020 16:42:53 +0200 Subject: [PATCH] nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. --- modules/modules.nix | 1 - modules/nix-bitcoin-webindex.nix | 2 +- modules/nodeinfo.nix | 68 ++++++++++++++++++++++++++++++++ modules/presets/secure-node.nix | 25 ++++++++---- pkgs/default.nix | 1 - pkgs/nodeinfo/default.nix | 15 ------- pkgs/nodeinfo/nodeinfo.sh | 49 ----------------------- 7 files changed, 86 insertions(+), 75 deletions(-) create mode 100644 modules/nodeinfo.nix delete mode 100644 pkgs/nodeinfo/default.nix delete mode 100644 pkgs/nodeinfo/nodeinfo.sh diff --git a/modules/modules.nix b/modules/modules.nix index 7ab9e99..4c6d291 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -6,7 +6,6 @@ ./clightning.nix ./lightning-charge.nix ./nanopos.nix - ./nix-bitcoin-webindex.nix ./liquid.nix ./spark-wallet.nix ./electrs.nix diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix index 3371438..6eb8a02 100644 --- a/modules/nix-bitcoin-webindex.nix +++ b/modules/nix-bitcoin-webindex.nix @@ -75,7 +75,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "nodeinfo.service" ]; path = with pkgs; [ - nix-bitcoin.nodeinfo + config.programs.nodeinfo config.services.clightning.cli config.services.lnd.cli jq diff --git a/modules/nodeinfo.nix b/modules/nodeinfo.nix new file mode 100644 index 0000000..a677620 --- /dev/null +++ b/modules/nodeinfo.nix 
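Review bot: The `after = [ "nodeinfo.service" ]` ordering in the nix-bitcoin-webindex hunk refers to a unit that the new `modules/nodeinfo.nix` never defines — that module only declares the `programs.nodeinfo` option and adds the script to `environment.systemPackages` — so unless some other module provides `nodeinfo.service`, the dependency is a no-op that systemd silently ignores. If the only requirement is having `nodeinfo` on the unit's PATH, drop the `after` entry so the ordering does not suggest a service that does not exist; if a real `nodeinfo.service` is intended, it should be declared in nodeinfo.nix alongside the option. The enclosing `systemd.services.<name>` definition starts and ends outside this hunk.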
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ operatorName = config.nix-bitcoin.operatorName;
+ script = pkgs.writeScriptBin "nodeinfo" ''
+ set -eo pipefail
+
+ BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"
+ echo BITCOIND_ONION="$BITCOIND_ONION"
+
+ if systemctl is-active --quiet clightning; then
+ CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
+ CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)"
+ CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
+ echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
+ echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
+ echo CLIGHTNING_ID="$CLIGHTNING_ID"
+ fi
+
+ if systemctl is-active --quiet lnd; then
+ LND_NODEID=$(lncli getinfo | jq -r '.uris[0]')
+ echo LND_NODEID="$LND_NODEID"
+ fi
+
+ NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx
+ if [ -e "$NGINX_ONION_FILE" ]; then
+ NGINX_ONION="$(cat $NGINX_ONION_FILE)"
+ echo NGINX_ONION="$NGINX_ONION"
+ fi
+
+ LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd
+ if [ -e "$LIQUIDD_ONION_FILE" ]; then
+ LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
+ echo LIQUIDD_ONION="$LIQUIDD_ONION"
+ fi
+
+ SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet
+ if [ -e "$SPARKWALLET_ONION_FILE" ]; then
+ SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
+ echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
+ fi
+
+ ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs
+ if [ -e "$ELECTRS_ONION_FILE" ]; then
+ ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
+ echo ELECTRS_ONION="$ELECTRS_ONION"
+ fi
+
+ SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
+ if [ -e "$SSHD_ONION_FILE" ]; then
+ SSHD_ONION="$(cat $SSHD_ONION_FILE)"
+ echo SSHD_ONION="$SSHD_ONION"
+ fi
+ '';
+in {
+ options = {
+ programs.nodeinfo = mkOption {
+ readOnly = true;
+ default = script;
+ };
+ };
+
+ config = {
+ environment.systemPackages = [ script ];
+ };
+}
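Review bot: `${operatorName}` is spliced verbatim into the shell paths (`/var/lib/onion-chef/${operatorName}/bitcoind` and every `*_ONION_FILE=` assignment) and the later reads use an unquoted `cat $NGINX_ONION_FILE`, so a value of `nix-bitcoin.operatorName` containing whitespace or glob characters — the option is declared as a bare `types.str` elsewhere in this patch — is word-split or expanded by the shell instead of being treated as one path. Build the directory once with `escapeShellArg` (in scope via `with lib;`), hold it in a shell variable, and quote every `cat` argument; using `writeShellScriptBin` instead of `writeScriptBin` would also pin bash, which `set -o pipefail` needs, since `writeScriptBin` adds no interpreter line and the script's interpreter is otherwise left to whoever executes it. The `programs.nodeinfo` option should additionally carry `type = types.package;` and a `description` so it is checked and appears in the generated option docs.

```nix
let
  operatorName = config.nix-bitcoin.operatorName;
  # operatorName is an unvalidated string: quote it once for the shell.
  onionDir = escapeShellArg "/var/lib/onion-chef/${operatorName}";
  script = pkgs.writeShellScriptBin "nodeinfo" ''
    set -eo pipefail
    ONION_DIR=${onionDir}

    BITCOIND_ONION="$(cat "$ONION_DIR/bitcoind")"
    echo BITCOIND_ONION="$BITCOIND_ONION"

    # … unchanged: clightning and lnd blocks (clightning's cat becomes "$ONION_DIR/clightning") …

    NGINX_ONION_FILE="$ONION_DIR/nginx"
    if [ -e "$NGINX_ONION_FILE" ]; then
      NGINX_ONION="$(cat "$NGINX_ONION_FILE")"
      echo NGINX_ONION="$NGINX_ONION"
    fi

    # … unchanged: liquidd, spark-wallet, electrs and sshd blocks, quoted the same way …
  '';
in {
  options = {
    programs.nodeinfo = mkOption {
      type = types.package;
      readOnly = true;
      default = script;
      description = "Script that prints the node's onion hostnames and Lightning node IDs for the operator user.";
    };
  };
  # … unchanged: config.environment.systemPackages …
}
```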
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix index ebde6a9..d010c0f 100644 --- a/modules/presets/secure-node.nix +++ b/modules/presets/secure-node.nix @@ -5,12 +5,18 @@ with lib; let cfg = config.services; + operatorName = config.nix-bitcoin.operatorName; + mkHiddenService = map: { map = [ map ]; version = 3; }; in { - imports = [ ../modules.nix ]; + imports = [ + ../modules.nix + ../nodeinfo.nix + ../nix-bitcoin-webindex.nix + ]; options = { services.clightning.onionport = mkOption { @@ -18,12 +24,16 @@ in { default = 9735; description = "Port on which to listen for tor client connections."; }; - services.electrs.onionport = mkOption { type = types.ints.u16; default = 50002; description = "Port on which to listen for tor client connections."; }; + nix-bitcoin.operatorName = mkOption { + type = types.str; + default = "operator"; + description = "Less-privileged user's name."; + }; }; config = { @@ -111,11 +121,10 @@ in { tor jq qrencode - nix-bitcoin.nodeinfo ]; - # Create user 'operator' which can access the node's services - users.users.operator = { + # Create operator user which can access the node's services + users.users.${operatorName} = { isNormalUser = true; extraGroups = [ "systemd-journal" 
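Review bot: The new `nix-bitcoin.operatorName` option in the second hunk is typed `types.str`, yet the patch uses its value as a Unix account name (`users.users.${operatorName}`), as an attribute key for `services.onion-chef.access`, as a path component under `/var/lib/onion-chef`, and (in the next hunk) as a sudoers principal — none of which tolerate whitespace, `/`, or shell metacharacters. Constrain the option so an unsafe value fails at evaluation rather than yielding a broken sudoers file or a mangled path, e.g. `type = types.strMatching "[a-z_][a-z0-9_-]*";`. The one-line description could also state what the name is used for, e.g. `description = "Name of the less-privileged operator account that is granted access to the node's services and onion hostnames.";`.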
@@ -130,18 +139,18 @@ in { }; # Give operator access to onion hostnames services.onion-chef.enable = true; - services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; + services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; security.sudo.configFile = (optionalString cfg.lnd.enable '' - operator ALL=(lnd) NOPASSWD: ALL + ${operatorName} ALL=(lnd) NOPASSWD: ALL ''); # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments systemd.services.get-vbox-nixops-client-key = mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) { postStart = '' - cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.operator.home}" + cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}" ''; }; }; diff --git a/pkgs/default.nix b/pkgs/default.nix index 2d39c94..ee95b3e 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,6 +1,5 @@ { pkgs ? import {} }: { - nodeinfo = pkgs.callPackage ./nodeinfo { }; lightning-charge = pkgs.callPackage ./lightning-charge { }; nanopos = pkgs.callPackage ./nanopos { }; spark-wallet = pkgs.callPackage ./spark-wallet { }; diff --git a/pkgs/nodeinfo/default.nix b/pkgs/nodeinfo/default.nix deleted file mode 100644 index 37ea75f..0000000 --- a/pkgs/nodeinfo/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{pkgs}: - -with pkgs; -stdenv.mkDerivation { - name = "nodeinfo"; - src = ./nodeinfo.sh; - - unpackPhase = "true"; - installPhase = '' - mkdir -p $out - mkdir -p $out/bin - cp $src $out/bin/nodeinfo - chmod +x $out/bin/nodeinfo - ''; -} diff --git a/pkgs/nodeinfo/nodeinfo.sh b/pkgs/nodeinfo/nodeinfo.sh deleted file mode 100644 index bb6dcdb..0000000 --- a/pkgs/nodeinfo/nodeinfo.sh +++ /dev/null 
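Review bot: The sudoers line `${operatorName} ALL=(lnd) NOPASSWD: ALL` gives the operator unrestricted, passwordless command execution as the lnd user, while the only lnd interaction visible in this patch is `lncli getinfo` from the nodeinfo script. If the `config.services.lnd.cli` wrapper is what runs under sudo — its definition is not in this diff, so confirm before changing — the rule could be narrowed to that single binary, e.g. `${operatorName} ALL=(lnd) NOPASSWD: ${cfg.lnd.cli}/bin/lncli`, which keeps the operator from gaining an arbitrary shell as lnd. Separately, the `cp` in `get-vbox-nixops-client-key` runs as root and does not chown the copied private key to the operator, so whether the operator can read it depends on the source file's mode; consider `install -o ${operatorName} -m 600 "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}/"`.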
@@ -1,49 +0,0 @@ -set -e -set -o pipefail - -BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)" -echo BITCOIND_ONION="$BITCOIND_ONION" - -if systemctl is-active --quiet clightning; then - CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id') - CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)" - CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735" - echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID" - echo CLIGHTNING_ONION="$CLIGHTNING_ONION" - echo CLIGHTNING_ID="$CLIGHTNING_ID" -fi - -if systemctl is-active --quiet lnd; then - LND_NODEID=$(lncli getinfo | jq -r '.uris[0]') - echo LND_NODEID="$LND_NODEID" -fi - -NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx -if [ -e "$NGINX_ONION_FILE" ]; then - NGINX_ONION="$(cat $NGINX_ONION_FILE)" - echo NGINX_ONION="$NGINX_ONION" -fi - -LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd -if [ -e "$LIQUIDD_ONION_FILE" ]; then - LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)" - echo LIQUIDD_ONION="$LIQUIDD_ONION" -fi - -SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet -if [ -e "$SPARKWALLET_ONION_FILE" ]; then - SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)" - echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION" -fi - -ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs -if [ -e "$ELECTRS_ONION_FILE" ]; then - ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)" - echo ELECTRS_ONION="$ELECTRS_ONION" -fi - -SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd -if [ -e "$SSHD_ONION_FILE" ]; then - SSHD_ONION="$(cat $SSHD_ONION_FILE)" - echo SSHD_ONION="$SSHD_ONION" -fi