Merge #113: Simplify clightning preStart

67a464d097 Mention problems with hardened kernel and NUCs in README (Jonas Nick)
7771a4c931 Refer to systemd man pages for hardening options (Jonas Nick)
a5e10a82d8 Simplify clightning preStart (Jonas Nick)

Pull request description:

  CC @cypherpunk2140

Top commit has no ACKs.

Tree-SHA512: aa726f29e499cc268b21cac8cd07617be591cfdaa89dd0495cb979ebd3e49cc01164af25924c554429a1d35d14167dea276f7d61877452b69f027143cc3eee97

modules/clightning.nix

@@ -79,12 +79,10 @@ in {
       after = [ "bitcoind.service" ];
       preStart = ''
         mkdir -m 0770 -p ${cfg.dataDir}
-        rm -f ${cfg.dataDir}/config
-        chown 'clightning:clightning' '${cfg.dataDir}'
         cp ${configFile} ${cfg.dataDir}/config
-        chown 'clightning:clightning' '${cfg.dataDir}/config'
-        chmod +w ${cfg.dataDir}/config
-        chmod o-rw ${cfg.dataDir}/config
+        chown -R 'clightning:clightning' '${cfg.dataDir}'
+        # give group read access to allow using lightning-cli
+        chmod u=rw,g=r,o= ${cfg.dataDir}/config
         # The RPC socket has to be removed otherwise we might have stale sockets
         rm -f ${cfg.dataDir}/lightning-rpc
         echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'

modules/nix-bitcoin-services.nix

@@ -1,3 +1,6 @@
+# See `man systemd.exec` and `man systemd.resource-control` for an explanation
+# of the various systemd options available through this module.
+
 { config, lib, pkgs, ... }:
 
 with lib;
@@ -42,6 +45,3 @@ in
     '';
   };
 }
-
-
-