liquidd: add netns

- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
  liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service

modules/liquid.nix

@@ -15,6 +15,7 @@ let
     ${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"}
 
     # Connection options
+    ${optionalString cfg.listen "bind=${cfg.bind}"}
     ${optionalString (cfg.port != null) "port=${toString cfg.port}"}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
     listen=${if cfg.listen then "1" else "0"}
@@ -25,8 +26,11 @@ let
       (rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}")
       (attrValues cfg.rpc.users)
     }
+    ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
+    ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
     ${optionalString (cfg.rpcuser != null) "rpcuser=${cfg.rpcuser}"}
     ${optionalString (cfg.rpcpassword != null) "rpcpassword=${cfg.rpcpassword}"}
+    ${optionalString (cfg.mainchainrpchost != null) "mainchainrpchost=${cfg.mainchainrpchost}"}
 
     # Extra config options (from liquidd nixos service)
     ${cfg.extraConfig}
@@ -80,6 +84,13 @@ in {
         default = "/var/lib/liquidd";
         description = "The data directory for liquidd.";
       };
+      bind = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = ''
+          Bind to given address and always listen on it.
+        '';
+      };
 
       user = mkOption {
         type = types.str;
@@ -111,6 +122,20 @@ in {
         };
       };
 
+      rpcbind = mkOption {
+        type = types.listOf types.str;
+        default = [ "127.0.0.1" ];
+        description = ''
+          Bind to given address to listen for JSON-RPC connections.
+        '';
+      };
+      rpcallowip = mkOption {
+        type = types.listOf types.str;
+        default = [ "127.0.0.1" ];
+        description = ''
+          Allow JSON-RPC connections from specified source.
+        '';
+      };
       rpcuser = mkOption {
           type = types.nullOr types.str;
           default = null;
@@ -121,6 +146,14 @@ in {
           default = null;
           description = "Password for JSON-RPC connections";
       };
+      mainchainrpchost = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          The address which the daemon will try to connect to the trusted
+          mainchain daemon to validate peg-ins.
+        '';
+      };
 
       testnet = mkOption {
         type = types.bool;

modules/netns-isolation.nix

@@ -96,6 +96,10 @@ in {
           id = 14;
           connections = [ "bitcoind" ];
         };
+        liquidd = {
+          id = 15;
+          connections = [ "bitcoind" ];
+        };
       };
 
       systemd.services = {
@@ -215,6 +219,21 @@ in {
         '';
       };
 
+      # liquidd: Custom netns configs
+      services.liquidd = mkIf config.services.liquidd.enable {
+        bind = netns.liquidd.address;
+        rpcbind = [
+          "${netns.liquidd.address}"
+          "127.0.0.1"
+        ];
+        rpcallowip = [
+          "127.0.0.1"
+        ] ++ lib.lists.concatMap (s: [
+          "${netns.${s}.address}"
+        ]) netns.liquidd.availableNetns;
+        mainchainrpchost = netns.bitcoind.address;
+      };
+
     })
     # Custom netns config option values if netns-isolation not enabled
     (mkIf (!cfg.enable) {

modules/presets/secure-node.nix

@@ -107,7 +107,7 @@ in {
       enforceTor = true;
       port = 7042;
     };
-    services.tor.hiddenServices.liquidd = mkHiddenService { port = cfg.liquidd.port; };
+    services.tor.hiddenServices.liquidd = mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.bind; };
 
     # electrs
     services.electrs = {