From 69826996131d2d9169cffc2eeb019b2f43a42a9c Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 1 Feb 2021 22:53:22 +0100
Subject: [PATCH] services: use consistent layout

Use the following order of definitions for all services:
- assertions
- configuration of other services
- environment.systemPackages
- tmpfiles
- own service
- users
- secrets
---
modules/btcpayserver.nix | 45 ++++++++++++++++--------------
modules/clightning.nix | 13 +++++----
modules/hardware-wallets.nix | 2 ++
modules/joinmarket-ob-watcher.nix | 1 +
modules/joinmarket.nix | 46 ++++++++++++++++---------------
modules/lnd.nix | 9 +++---
modules/recurring-donations.nix | 12 ++++----
7 files changed, 68 insertions(+), 60 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index d501e11..a65b8fa 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -99,10 +99,19 @@ in {
 services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
 services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
- systemd.tmpfiles.rules = [
- "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
- "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
- ];
+ services.bitcoind.rpc.users.btcpayserver = {
+ passwordHMACFromFile = true;
+ rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
+ "setban"
+ "generatetoaddress"
+ "getpeerinfo"
+ ];
+ };
+
+ services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
+ inherit (cfg.btcpayserver) user;
+ permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
+ };
 services.postgresql = {
 enable = true;
@@ -113,6 +122,11 @@ in {
 }];
 };
+ systemd.tmpfiles.rules = [
+ "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
+ "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
+ ];
+
 systemd.services.nbxplorer = let
 configFile = builtins.toFile "config" ''
 network=${config.services.bitcoind.network}
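Review bot: The three RPCs appended to the public whitelist for the btcpayserver bitcoind user (`"setban"`, `"generatetoaddress"`, `"getpeerinfo"`) carry no explanation, and two of them are not obviously required by a payment server: `setban` lets the service alter bitcoind's peer ban list, and `generatetoaddress` mines blocks, which is only useful on regtest. A comment above the list stating which BTCPay feature needs each call would let the next reviewer judge whether the grant can be narrowed, e.g. `# Extra RPCs BTCPay uses beyond the public set: peer info/ban management and (regtest only) block generation — confirm against BTCPay's bitcoind client`. The lnd macaroon `permissions` value in the same hunk is one very long JSON line; splitting it one entity per line inside the `''` string would make future permission changes reviewable, provided the consumer of that option tolerates the whitespace, which is not visible here.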
@@ -196,11 +210,6 @@ in {
 );
 };
 in self;
- services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
- inherit (cfg.btcpayserver) user;
- permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
- };
-
 users.users.${cfg.nbxplorer.user} = {
 group = cfg.nbxplorer.group;
 extraGroups = [ "bitcoinrpc" ];
@@ -215,18 +224,12 @@ in {
 };
 users.groups.${cfg.btcpayserver.group} = {};
- services.bitcoind.rpc.users.btcpayserver = {
- passwordHMACFromFile = true;
- rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
- "setban"
- "generatetoaddress"
- "getpeerinfo"
- ];
+ nix-bitcoin.secrets = {
+ bitcoin-rpcpassword-btcpayserver = {
+ user = "bitcoin";
+ group = "nbxplorer";
+ };
+ bitcoin-HMAC-btcpayserver.user = "bitcoin";
 };
- nix-bitcoin.secrets.bitcoin-rpcpassword-btcpayserver = {
- user = "bitcoin";
- group = "nbxplorer";
- };
- nix-bitcoin.secrets.bitcoin-HMAC-btcpayserver.user = "bitcoin";
 };
 }
diff --git a/modules/clightning.nix b/modules/clightning.nix
index ffa765c..69c53aa 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -100,12 +100,6 @@ in {
 };
 environment.systemPackages = [ nbPkgs.clightning (hiPrio cfg.cli) ];
- users.users.${cfg.user} = {
- group = cfg.group;
- extraGroups = [ "bitcoinrpc" ];
- };
- users.groups.${cfg.group} = {};
- nix-bitcoin.operator.groups = [ cfg.group ];
 systemd.tmpfiles.rules = [
 "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
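Review bot: In the merged `nix-bitcoin.secrets` block of btcpayserver.nix the RPC password secret is made readable by the literal group `"nbxplorer"`, while the rest of the module derives that group from `cfg.nbxplorer.group` (the tmpfiles rule and the `users.users.${cfg.nbxplorer.user}` definition in the same file). If that option is ever set to a different value the secret stays readable by a group the service no longer runs as, and nbxplorer loses access to its own credential; `group = cfg.nbxplorer.group;` keeps the two in step. Whether `user = "bitcoin"` should likewise come from a bitcoind user option depends on an option that is not visible in this hunk.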
@@ -147,5 +141,12 @@ in {
 chmod g+x ${cfg.networkDir}
 '';
 };
+
+ users.users.${cfg.user} = {
+ group = cfg.group;
+ extraGroups = [ "bitcoinrpc" ];
+ };
+ users.groups.${cfg.group} = {};
+ nix-bitcoin.operator.groups = [ cfg.group ];
 };
 }
diff --git a/modules/hardware-wallets.nix b/modules/hardware-wallets.nix
index 92a7a22..b2e9352 100644
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
@@ -47,9 +47,11 @@ in {
 # Provides lsusb for debugging
 pkgs.usbutils
 ];
+ users.groups.${cfg.group} = {};
 nix-bitcoin.operator.groups = [ cfg.group ];
 })
+
 (mkIf cfg.ledger {
 # Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
 # Don't use rules from nixpkgs because we want to use our own group.
diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix
index c56bb6c..62f670b 100644
--- a/modules/joinmarket-ob-watcher.nix
+++ b/modules/joinmarket-ob-watcher.nix
@@ -54,6 +54,7 @@ in {
 };
 config = mkIf cfg.enable {
+ # Joinmarket is Tor-only
 services.tor = {
 enable = true;
 client.enable = true;
diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index 53e1ea8..e59ce69 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
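Review bot: The hardware-wallets.nix hunk adds `users.groups.${cfg.group} = {};` rather than moving an existing definition, so unlike every other hunk in this commit it changes the evaluated configuration, which the "use consistent layout" description does not mention. If the group was already declared in another `mkIf` entry of the surrounding `mkMerge` list (the block's start is outside the hunk) the extra definition merges harmlessly; if it was not, this is a functional fix that deserves its own sentence in the commit message. Either way a one-line note on the commit, such as "hardware-wallets: also declare the udev access group", would keep the history honest.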
@@ -141,30 +141,12 @@ in {
 };
 config = mkIf cfg.enable (mkMerge [{
- services.bitcoind.enable = true;
-
- environment.systemPackages = [
- (hiPrio cfg.cli)
- ];
- users.users.${cfg.user} = {
- group = cfg.group;
- home = cfg.dataDir;
- # Allow access to the tor control socket, needed for payjoin onion service creation
- extraGroups = [ "tor" ];
- };
- users.groups.${cfg.group} = {};
- nix-bitcoin.operator = {
- groups = [ cfg.group ];
- sudoUsers = [ cfg.group ];
+ services.bitcoind = {
+ enable = true;
+ disablewallet = false;
 };
- systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
- ];
-
- services.bitcoind.disablewallet = false;
-
- # Joinmarket is TOR-only
+ # Joinmarket is Tor-only
 services.tor = {
 enable = true;
 client.enable = true;
@@ -172,6 +154,14 @@ in {
 controlSocket.enable = true;
 };
+ environment.systemPackages = [
+ (hiPrio cfg.cli)
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+ ];
+
 systemd.services.joinmarket = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
@@ -211,6 +201,18 @@ in {
 } // nbLib.allowTor;
 };
+ users.users.${cfg.user} = {
+ group = cfg.group;
+ home = cfg.dataDir;
+ # Allow access to the tor control socket, needed for payjoin onion service creation
+ extraGroups = [ "tor" ];
+ };
+ users.groups.${cfg.group} = {};
+ nix-bitcoin.operator = {
+ groups = [ cfg.group ];
+ sudoUsers = [ cfg.group ];
+ };
+
 nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
 }
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 36b7089..bff7d4a 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
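Review bot: The merged `services.bitcoind` block in joinmarket.nix now carries `disablewallet = false;` next to `enable = true;` without a why-comment, and it is the only line in the hunk that relaxes a bitcoind setting rather than arranging definitions, so a reader skimming the reordered module will not see that this service deliberately keeps the node's wallet enabled. A comment on that line, such as `# JoinMarket needs bitcoind's wallet (presumably for watch-only address import; confirm against the joinmarket config)`, records the dependency where the override lives. The same applies to `sudoUsers = [ cfg.group ];` in the last hunk of this file, which grants the operator sudo as the joinmarket group with no stated reason; the `extraGroups = [ "tor" ]` line right above it shows the level of explanation that should accompany such grants.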
@@ -150,9 +150,13 @@ in {
 services.bitcoind = {
 enable = true;
+
 # Increase rpc thread count due to reports that lightning implementations fail
 # under high bitcoind rpc load
 rpc.threads = 16;
+
+ zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
+ zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
 };
 environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
@@ -161,11 +165,6 @@ in {
 "d '${cfg.dataDir}' 0770 lnd lnd - -"
 ];
- services.bitcoind = {
- zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
- zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
- };
-
 systemd.services.lnd = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "bitcoind.service" ];
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index 830bf33..f1fa533 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -75,12 +75,6 @@ in {
 config = mkIf cfg.enable {
 services.clightning.enable = true;
- users.users.recurring-donations = {
- group = "recurring-donations";
- extraGroups = [ "clightning" ];
- };
- users.groups.recurring-donations = {};
-
 systemd.services.recurring-donations = {
 requires = [ "clightning.service" ];
 after = [ "clightning.service" ];
@@ -103,5 +97,11 @@ in {
 };
 wantedBy = [ "multi-user.target" ];
 };
+
+ users.users.recurring-donations = {
+ group = "recurring-donations";
+ extraGroups = [ "clightning" ];
+ };
+ users.groups.recurring-donations = {};
 };
 }
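Review bot: The two ZMQ endpoints moved into lnd.nix's `services.bitcoind` block hard-code ports 28332 and 28333 and bind them on `bitcoindRpcAddress` without saying what depends on those exact values; lnd's own configuration presumably names the same addresses elsewhere in the module (not in this hunk), so a mismatch after editing one side would only show up at runtime. Since the rest of this block already explains its `rpc.threads` override, a parallel comment such as `# Raw block/tx ZMQ feeds for lnd; the endpoints must match lnd's bitcoind.zmqpubraw{block,tx} settings` keeps the coupling visible next to the values, and deriving the ports from a single `let` binding shared with lnd's config would remove the duplication altogether.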
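Review bot: In the relocated `users.users.recurring-donations` block of recurring-donations.nix, `extraGroups = [ "clightning" ];` hands the service the clightning group with no stated purpose, whereas the comparable `extraGroups = [ "tor" ]` grant in joinmarket.nix in this same commit is documented. A why-comment on that line, e.g. `# clightning group membership, presumably for access to the clightning RPC socket — confirm`, records what the group is needed for so it can be reconsidered if clightning's socket permissions change. The user and group names are also literals here while the other modules touched by this commit use `cfg.user`/`cfg.group`; that is consistent with the service having no user/group options, which cannot be confirmed from the hunk.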