nodeinfo: Convert to module and allow alternative operator username

Currently, nodeinfo has presets/secure-node.nix as a strict
dependency, because it requires onion-chef and the 'operatorName' option,
and nix-bitcoin-webindex.nix has nodeinfo as a dependency.

So don't add nodeinfo and webindex to modules.nix, because they would fail on standalone use.
nixbitcoin 2020-05-03 16:42:53 +02:00
parent 95d230d1d6
commit 5d01ea7101
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
7 changed files with 86 additions and 75 deletions


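--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -6,7 +6,6 @@
     ./clightning.nix
     ./lightning-charge.nix
     ./nanopos.nix
-    ./nix-bitcoin-webindex.nix
     ./liquid.nix
     ./spark-wallet.nix
     ./electrs.nix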


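--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@@ -75,7 +75,7 @@ in {
     wantedBy = [ "multi-user.target" ];
     after = [ "nodeinfo.service" ];
     path = with pkgs; [
-      nix-bitcoin.nodeinfo
+      config.programs.nodeinfo
       config.services.clightning.cli
       config.services.lnd.cli
       jq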

68
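--- /dev/null
+++ b/modules/nodeinfo.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  operatorName = config.nix-bitcoin.operatorName;
+  script = pkgs.writeScriptBin "nodeinfo" ''
+    set -eo pipefail
+    BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"
+    echo BITCOIND_ONION="$BITCOIND_ONION"
+    if systemctl is-active --quiet clightning; then
+      CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
+      CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)"
+      CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
+      echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
+      echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
+      echo CLIGHTNING_ID="$CLIGHTNING_ID"
+    fi
+    if systemctl is-active --quiet lnd; then
+      LND_NODEID=$(lncli getinfo | jq -r '.uris[0]')
+      echo LND_NODEID="$LND_NODEID"
+    fi
+    NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx
+    if [ -e "$NGINX_ONION_FILE" ]; then
+      NGINX_ONION="$(cat $NGINX_ONION_FILE)"
+      echo NGINX_ONION="$NGINX_ONION"
+    fi
+    LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd
+    if [ -e "$LIQUIDD_ONION_FILE" ]; then
+      LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
+      echo LIQUIDD_ONION="$LIQUIDD_ONION"
+    fi
+    SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet
+    if [ -e "$SPARKWALLET_ONION_FILE" ]; then
+      SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
+      echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
+    fi
+    ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs
+    if [ -e "$ELECTRS_ONION_FILE" ]; then
+      ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
+      echo ELECTRS_ONION="$ELECTRS_ONION"
+    fi
+    SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
+    if [ -e "$SSHD_ONION_FILE" ]; then
+      SSHD_ONION="$(cat $SSHD_ONION_FILE)"
+      echo SSHD_ONION="$SSHD_ONION"
+    fi
+  '';
+in {
+  options = {
+    programs.nodeinfo = mkOption {
+      readOnly = true;
+      default = script;
+    };
+  };
+  config = {
+    environment.systemPackages = [ script ];
+  };
+}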
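Review bot: `operatorName` is a `types.str` option spliced unescaped into the shell script — inside command substitutions such as `"$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"` (the outer double quotes do not protect the inner command's arguments), into the unquoted `*_ONION_FILE=` assignments, and the later reads are unquoted as well (`cat $NGINX_ONION_FILE`), so a username containing whitespace or shell metacharacters would break the script or expand unexpectedly. Since `lib` is already in scope, the directory can be escaped once with `escapeShellArg` and every read quoted, as sketched below. Separately, the module reads `config.nix-bitcoin.operatorName` without declaring that option, so importing `nodeinfo.nix` by itself fails at evaluation time; declaring the option here (or in a shared module both this file and the preset import) would remove the hidden dependency the commit message describes. The `programs.nodeinfo` option also has no `type` or `description`; `type = types.package;` and `description = "Script that prints the node's onion hostnames and lightning node IDs.";` would document what the read-only value is.
```nix
  script = pkgs.writeScriptBin "nodeinfo" ''
    set -eo pipefail
    onion_dir=${escapeShellArg "/var/lib/onion-chef/${operatorName}"}
    BITCOIND_ONION="$(cat "$onion_dir/bitcoind")"
    echo BITCOIND_ONION="$BITCOIND_ONION"
    # … unchanged: clightning / lnd blocks, each cat now reading "$onion_dir/<service>" …
    NGINX_ONION_FILE="$onion_dir/nginx"
    if [ -e "$NGINX_ONION_FILE" ]; then
      NGINX_ONION="$(cat "$NGINX_ONION_FILE")"
      echo NGINX_ONION="$NGINX_ONION"
    fi
    # … unchanged: liquidd, spark-wallet, electrs, sshd blocks, same quoting pattern …
  '';
```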


@ -5,12 +5,18 @@ with lib;
let let
cfg = config.services; cfg = config.services;
operatorName = config.nix-bitcoin.operatorName;
mkHiddenService = map: { mkHiddenService = map: {
map = [ map ]; map = [ map ];
version = 3; version = 3;
}; };
in { in {
imports = [ ../modules.nix ]; imports = [
../modules.nix
../nodeinfo.nix
../nix-bitcoin-webindex.nix
];
options = { options = {
services.clightning.onionport = mkOption { services.clightning.onionport = mkOption {
@ -18,12 +24,16 @@ in {
default = 9735; default = 9735;
description = "Port on which to listen for tor client connections."; description = "Port on which to listen for tor client connections.";
}; };
services.electrs.onionport = mkOption { services.electrs.onionport = mkOption {
type = types.ints.u16; type = types.ints.u16;
default = 50002; default = 50002;
description = "Port on which to listen for tor client connections."; description = "Port on which to listen for tor client connections.";
}; };
nix-bitcoin.operatorName = mkOption {
type = types.str;
default = "operator";
description = "Less-privileged user's name.";
};
}; };
config = { config = {
@ -111,11 +121,10 @@ in {
tor tor
jq jq
qrencode qrencode
nix-bitcoin.nodeinfo
]; ];
# Create user 'operator' which can access the node's services # Create operator user which can access the node's services
users.users.operator = { users.users.${operatorName} = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
"systemd-journal" "systemd-journal"
@ -130,18 +139,18 @@ in {
}; };
# Give operator access to onion hostnames # Give operator access to onion hostnames
services.onion-chef.enable = true; services.onion-chef.enable = true;
services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
security.sudo.configFile = security.sudo.configFile =
(optionalString cfg.lnd.enable '' (optionalString cfg.lnd.enable ''
operator ALL=(lnd) NOPASSWD: ALL ${operatorName} ALL=(lnd) NOPASSWD: ALL
''); '');
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
systemd.services.get-vbox-nixops-client-key = systemd.services.get-vbox-nixops-client-key =
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) { mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
postStart = '' postStart = ''
cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.operator.home}" cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
''; '';
}; };
}; };
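Review bot: The new `nix-bitcoin.operatorName` option is declared as a plain `types.str`, yet its value is written verbatim into the sudoers rule `${operatorName} ALL=(lnd) NOPASSWD: ALL`, used as an attribute name under `users.users` and `services.onion-chef.access`, and interpolated into filesystem paths by the nodeinfo script, so a value with whitespace or metacharacters would most likely yield a malformed sudoers file or a broken script rather than a clear evaluation error. Constraining it at the declaration, e.g. `type = types.strMatching "[a-z_][a-z0-9_-]*";`, rejects such values at evaluation time with a message that names the option. The description could also say what the user is for, e.g. `description = "Name of the unprivileged operator user that can access the node's services and onion hostnames.";`. The comment above `get-vbox-nixops-client-key` still hard-codes the default name in its example (`nixops ssh operator@mynode`); writing it as `<operatorName>@mynode` keeps it accurate when the option is changed. The enclosing `config = {` attribute set starts and ends outside the visible hunks.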


@ -1,6 +1,5 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs ? import <nixpkgs> {} }:
{ {
nodeinfo = pkgs.callPackage ./nodeinfo { };
lightning-charge = pkgs.callPackage ./lightning-charge { }; lightning-charge = pkgs.callPackage ./lightning-charge { };
nanopos = pkgs.callPackage ./nanopos { }; nanopos = pkgs.callPackage ./nanopos { };
spark-wallet = pkgs.callPackage ./spark-wallet { }; spark-wallet = pkgs.callPackage ./spark-wallet { };


@ -1,15 +0,0 @@
{pkgs}:
with pkgs;
stdenv.mkDerivation {
name = "nodeinfo";
src = ./nodeinfo.sh;
unpackPhase = "true";
installPhase = ''
mkdir -p $out
mkdir -p $out/bin
cp $src $out/bin/nodeinfo
chmod +x $out/bin/nodeinfo
'';
}


@ -1,49 +0,0 @@
set -e
set -o pipefail
BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"
echo BITCOIND_ONION="$BITCOIND_ONION"
if systemctl is-active --quiet clightning; then
CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
echo CLIGHTNING_ID="$CLIGHTNING_ID"
fi
if systemctl is-active --quiet lnd; then
LND_NODEID=$(lncli getinfo | jq -r '.uris[0]')
echo LND_NODEID="$LND_NODEID"
fi
NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx
if [ -e "$NGINX_ONION_FILE" ]; then
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
echo NGINX_ONION="$NGINX_ONION"
fi
LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd
if [ -e "$LIQUIDD_ONION_FILE" ]; then
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
echo LIQUIDD_ONION="$LIQUIDD_ONION"
fi
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
fi
ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs
if [ -e "$ELECTRS_ONION_FILE" ]; then
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
echo ELECTRS_ONION="$ELECTRS_ONION"
fi
SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd
if [ -e "$SSHD_ONION_FILE" ]; then
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
echo SSHD_ONION="$SSHD_ONION"
fi