services: use consistent layout

Use the following order of definitions for all services:
- assertions
- configuration of other services
- environment.systemPackages
- tmpfiles
- own service
- users
- secrets

modules/btcpayserver.nix

@@ -99,10 +99,19 @@ in {
     services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
     services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
-      "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
-    ];
+    services.bitcoind.rpc.users.btcpayserver = {
+      passwordHMACFromFile = true;
+      rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
+        "setban"
+        "generatetoaddress"
+        "getpeerinfo"
+      ];
+    };
+
+    services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
+      inherit (cfg.btcpayserver) user;
+      permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
+    };
 
     services.postgresql = {
       enable = true;
@@ -113,6 +122,11 @@ in {
       }];
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
+      "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
+    ];
+
     systemd.services.nbxplorer = let
       configFile = builtins.toFile "config" ''
         network=${config.services.bitcoind.network}
@@ -196,11 +210,6 @@ in {
       );
     }; in self;
 
-    services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
-      inherit (cfg.btcpayserver) user;
-      permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
-    };
-
     users.users.${cfg.nbxplorer.user} = {
       group = cfg.nbxplorer.group;
       extraGroups = [ "bitcoinrpc" ];
@@ -215,18 +224,12 @@ in {
     };
     users.groups.${cfg.btcpayserver.group} = {};
 
-    services.bitcoind.rpc.users.btcpayserver = {
-      passwordHMACFromFile = true;
-      rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
-        "setban"
-        "generatetoaddress"
-        "getpeerinfo"
-      ];
+    nix-bitcoin.secrets = {
+      bitcoin-rpcpassword-btcpayserver = {
+        user = "bitcoin";
+        group = "nbxplorer";
+      };
+      bitcoin-HMAC-btcpayserver.user = "bitcoin";
     };
-    nix-bitcoin.secrets.bitcoin-rpcpassword-btcpayserver = {
-      user = "bitcoin";
-      group = "nbxplorer";
-    };
-    nix-bitcoin.secrets.bitcoin-HMAC-btcpayserver.user = "bitcoin";
   };
 }

modules/clightning.nix

@@ -100,12 +100,6 @@ in {
     };
 
     environment.systemPackages = [ nbPkgs.clightning (hiPrio cfg.cli) ];
-    users.users.${cfg.user} = {
-        group = cfg.group;
-        extraGroups = [ "bitcoinrpc" ];
-    };
-    users.groups.${cfg.group} = {};
-    nix-bitcoin.operator.groups = [ cfg.group ];
 
     systemd.tmpfiles.rules = [
       "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
@@ -147,5 +141,12 @@ in {
         chmod g+x ${cfg.networkDir}
       '';
     };
+
+    users.users.${cfg.user} = {
+      group = cfg.group;
+      extraGroups = [ "bitcoinrpc" ];
+    };
+    users.groups.${cfg.group} = {};
+    nix-bitcoin.operator.groups = [ cfg.group ];
   };
 }

modules/hardware-wallets.nix

@@ -47,9 +47,11 @@ in {
         # Provides lsusb for debugging
         pkgs.usbutils
       ];
+
       users.groups.${cfg.group} = {};
       nix-bitcoin.operator.groups = [ cfg.group ];
     })
+
     (mkIf cfg.ledger {
       # Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
       # Don't use rules from nixpkgs because we want to use our own group.

modules/joinmarket-ob-watcher.nix

@@ -54,6 +54,7 @@ in {
   };
 
   config = mkIf cfg.enable {
+    # Joinmarket is Tor-only
     services.tor = {
       enable = true;
       client.enable = true;

modules/joinmarket.nix

@@ -141,30 +141,12 @@ in {
   };
 
   config = mkIf cfg.enable (mkMerge [{
-    services.bitcoind.enable = true;
-
-    environment.systemPackages = [
-      (hiPrio cfg.cli)
-    ];
-    users.users.${cfg.user} = {
-        group = cfg.group;
-        home = cfg.dataDir;
-        # Allow access to the tor control socket, needed for payjoin onion service creation
-        extraGroups = [ "tor" ];
-    };
-    users.groups.${cfg.group} = {};
-    nix-bitcoin.operator = {
-      groups = [ cfg.group ];
-      sudoUsers = [ cfg.group ];
+    services.bitcoind = {
+      enable = true;
+      disablewallet = false;
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
-    ];
-
-    services.bitcoind.disablewallet = false;
-
-    # Joinmarket is TOR-only
+    # Joinmarket is Tor-only
     services.tor = {
       enable = true;
       client.enable = true;
@@ -172,6 +154,14 @@ in {
       controlSocket.enable = true;
     };
 
+    environment.systemPackages = [
+      (hiPrio cfg.cli)
+    ];
+
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.joinmarket = {
       wantedBy = [ "multi-user.target" ];
       requires = [ "bitcoind.service" ];
@@ -211,6 +201,18 @@ in {
       } // nbLib.allowTor;
     };
 
+    users.users.${cfg.user} = {
+      group = cfg.group;
+      home = cfg.dataDir;
+      # Allow access to the tor control socket, needed for payjoin onion service creation
+      extraGroups = [ "tor" ];
+    };
+    users.groups.${cfg.group} = {};
+    nix-bitcoin.operator = {
+      groups = [ cfg.group ];
+      sudoUsers = [ cfg.group ];
+    };
+
     nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
   }
 

modules/lnd.nix

@@ -150,9 +150,13 @@ in {
 
     services.bitcoind = {
       enable = true;
+
       # Increase rpc thread count due to reports that lightning implementations fail
       # under high bitcoind rpc load
       rpc.threads = 16;
+
+      zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
+      zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
     };
 
     environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
@@ -161,11 +165,6 @@ in {
       "d '${cfg.dataDir}' 0770 lnd lnd - -"
     ];
 
-    services.bitcoind = {
-      zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
-      zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
-    };
-
     systemd.services.lnd = {
       wantedBy = [ "multi-user.target" ];
       requires = [ "bitcoind.service" ];

modules/recurring-donations.nix

@@ -75,12 +75,6 @@ in {
   config = mkIf cfg.enable {
     services.clightning.enable = true;
 
-    users.users.recurring-donations = {
-        group = "recurring-donations";
-        extraGroups = [ "clightning" ];
-    };
-    users.groups.recurring-donations = {};
-
     systemd.services.recurring-donations = {
       requires = [ "clightning.service" ];
       after = [ "clightning.service" ];
@@ -103,5 +97,11 @@ in {
       };
       wantedBy = [ "multi-user.target" ];
     };
+
+    users.users.recurring-donations = {
+      group = "recurring-donations";
+      extraGroups = [ "clightning" ];
+    };
+    users.groups.recurring-donations = {};
   };
 }