services: use consistent layout
Use the following order of definitions for all services: assertions; configuration of other services; environment.systemPackages; tmpfiles; the service's own systemd unit; users and groups; secrets.
This commit is contained in:
parent
a43534dda0
commit
6982699613
@ -99,10 +99,19 @@ in {
|
|||||||
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
|
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
|
||||||
services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
|
services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
services.bitcoind.rpc.users.btcpayserver = {
|
||||||
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
|
passwordHMACFromFile = true;
|
||||||
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
|
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
|
||||||
];
|
"setban"
|
||||||
|
"generatetoaddress"
|
||||||
|
"getpeerinfo"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
||||||
|
inherit (cfg.btcpayserver) user;
|
||||||
|
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
||||||
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -113,6 +122,11 @@ in {
|
|||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
|
||||||
|
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
|
||||||
|
];
|
||||||
|
|
||||||
systemd.services.nbxplorer = let
|
systemd.services.nbxplorer = let
|
||||||
configFile = builtins.toFile "config" ''
|
configFile = builtins.toFile "config" ''
|
||||||
network=${config.services.bitcoind.network}
|
network=${config.services.bitcoind.network}
|
||||||
@ -196,11 +210,6 @@ in {
|
|||||||
);
|
);
|
||||||
}; in self;
|
}; in self;
|
||||||
|
|
||||||
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
|
||||||
inherit (cfg.btcpayserver) user;
|
|
||||||
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.${cfg.nbxplorer.user} = {
|
users.users.${cfg.nbxplorer.user} = {
|
||||||
group = cfg.nbxplorer.group;
|
group = cfg.nbxplorer.group;
|
||||||
extraGroups = [ "bitcoinrpc" ];
|
extraGroups = [ "bitcoinrpc" ];
|
||||||
@ -215,18 +224,12 @@ in {
|
|||||||
};
|
};
|
||||||
users.groups.${cfg.btcpayserver.group} = {};
|
users.groups.${cfg.btcpayserver.group} = {};
|
||||||
|
|
||||||
services.bitcoind.rpc.users.btcpayserver = {
|
nix-bitcoin.secrets = {
|
||||||
passwordHMACFromFile = true;
|
bitcoin-rpcpassword-btcpayserver = {
|
||||||
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
|
user = "bitcoin";
|
||||||
"setban"
|
group = "nbxplorer";
|
||||||
"generatetoaddress"
|
};
|
||||||
"getpeerinfo"
|
bitcoin-HMAC-btcpayserver.user = "bitcoin";
|
||||||
];
|
|
||||||
};
|
};
|
||||||
nix-bitcoin.secrets.bitcoin-rpcpassword-btcpayserver = {
|
|
||||||
user = "bitcoin";
|
|
||||||
group = "nbxplorer";
|
|
||||||
};
|
|
||||||
nix-bitcoin.secrets.bitcoin-HMAC-btcpayserver.user = "bitcoin";
|
|
||||||
};
|
};
|
||||||
}
|
}
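Review bot: The relocated `services.bitcoind.rpc.users.btcpayserver` block extends the public whitelist with `setban`, `generatetoaddress` and `getpeerinfo` without saying which BTCPay/NBXplorer feature needs each one; `setban` lets the service change the node's peer bans and `generatetoaddress` is a block-generation call, so a reviewer auditing the grant has to guess. I would add above `rpcwhitelist`: `# Beyond the public RPC set: setban/getpeerinfo presumably for NBXplorer peer handling, generatetoaddress for regtest block generation — confirm each is still required`. The lnd macaroon on the new side is read-only apart from `invoices` and `address` write, which looks like the minimal set for receiving payments, and a short comment saying so would spare the next reader from re-deriving it. The enclosing `config` block starts before this hunk.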
|
||||||
|
@ -100,12 +100,6 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [ nbPkgs.clightning (hiPrio cfg.cli) ];
|
environment.systemPackages = [ nbPkgs.clightning (hiPrio cfg.cli) ];
|
||||||
users.users.${cfg.user} = {
|
|
||||||
group = cfg.group;
|
|
||||||
extraGroups = [ "bitcoinrpc" ];
|
|
||||||
};
|
|
||||||
users.groups.${cfg.group} = {};
|
|
||||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||||
@ -147,5 +141,12 @@ in {
|
|||||||
chmod g+x ${cfg.networkDir}
|
chmod g+x ${cfg.networkDir}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.${cfg.user} = {
|
||||||
|
group = cfg.group;
|
||||||
|
extraGroups = [ "bitcoinrpc" ];
|
||||||
|
};
|
||||||
|
users.groups.${cfg.group} = {};
|
||||||
|
nix-bitcoin.operator.groups = [ cfg.group ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -47,9 +47,11 @@ in {
|
|||||||
# Provides lsusb for debugging
|
# Provides lsusb for debugging
|
||||||
pkgs.usbutils
|
pkgs.usbutils
|
||||||
];
|
];
|
||||||
|
|
||||||
users.groups.${cfg.group} = {};
|
users.groups.${cfg.group} = {};
|
||||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
nix-bitcoin.operator.groups = [ cfg.group ];
|
||||||
})
|
})
|
||||||
|
|
||||||
(mkIf cfg.ledger {
|
(mkIf cfg.ledger {
|
||||||
# Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
|
# Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
|
||||||
# Don't use rules from nixpkgs because we want to use our own group.
|
# Don't use rules from nixpkgs because we want to use our own group.
|
||||||
|
@ -54,6 +54,7 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
# Joinmarket is Tor-only
|
||||||
services.tor = {
|
services.tor = {
|
||||||
enable = true;
|
enable = true;
|
||||||
client.enable = true;
|
client.enable = true;
|
||||||
|
@ -141,30 +141,12 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable (mkMerge [{
|
config = mkIf cfg.enable (mkMerge [{
|
||||||
services.bitcoind.enable = true;
|
services.bitcoind = {
|
||||||
|
enable = true;
|
||||||
environment.systemPackages = [
|
disablewallet = false;
|
||||||
(hiPrio cfg.cli)
|
|
||||||
];
|
|
||||||
users.users.${cfg.user} = {
|
|
||||||
group = cfg.group;
|
|
||||||
home = cfg.dataDir;
|
|
||||||
# Allow access to the tor control socket, needed for payjoin onion service creation
|
|
||||||
extraGroups = [ "tor" ];
|
|
||||||
};
|
|
||||||
users.groups.${cfg.group} = {};
|
|
||||||
nix-bitcoin.operator = {
|
|
||||||
groups = [ cfg.group ];
|
|
||||||
sudoUsers = [ cfg.group ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
# Joinmarket is Tor-only
|
||||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.bitcoind.disablewallet = false;
|
|
||||||
|
|
||||||
# Joinmarket is TOR-only
|
|
||||||
services.tor = {
|
services.tor = {
|
||||||
enable = true;
|
enable = true;
|
||||||
client.enable = true;
|
client.enable = true;
|
||||||
@ -172,6 +154,14 @@ in {
|
|||||||
controlSocket.enable = true;
|
controlSocket.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
(hiPrio cfg.cli)
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||||
|
];
|
||||||
|
|
||||||
systemd.services.joinmarket = {
|
systemd.services.joinmarket = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
requires = [ "bitcoind.service" ];
|
requires = [ "bitcoind.service" ];
|
||||||
@ -211,6 +201,18 @@ in {
|
|||||||
} // nbLib.allowTor;
|
} // nbLib.allowTor;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.${cfg.user} = {
|
||||||
|
group = cfg.group;
|
||||||
|
home = cfg.dataDir;
|
||||||
|
# Allow access to the tor control socket, needed for payjoin onion service creation
|
||||||
|
extraGroups = [ "tor" ];
|
||||||
|
};
|
||||||
|
users.groups.${cfg.group} = {};
|
||||||
|
nix-bitcoin.operator = {
|
||||||
|
groups = [ cfg.group ];
|
||||||
|
sudoUsers = [ cfg.group ];
|
||||||
|
};
|
||||||
|
|
||||||
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
|
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
|
||||||
}
|
}
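Review bot: The moved `users.users.${cfg.user}` block adds the joinmarket user to `tor` with a comment that only mentions onion-service creation; as far as I know the Tor control protocol has no per-command authorization, so membership in `tor` gives the service full control-socket authority (SETCONF, circuit and stream introspection) over the Tor instance shared with the other services in this configuration. The comment should state that scope so it is not read as a narrow grant: `# Control-socket access is all-or-nothing: this also lets joinmarket reconfigure Tor and inspect other clients' circuits`. `nix-bitcoin.operator.sudoUsers = [ cfg.group ]` likewise lets the operator run commands as the joinmarket group and deserves a one-line why-comment. The `config` block and its `mkMerge` list start outside this hunk.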
|
||||||
|
|
||||||
|
@ -150,9 +150,13 @@ in {
|
|||||||
|
|
||||||
services.bitcoind = {
|
services.bitcoind = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
# Increase rpc thread count due to reports that lightning implementations fail
|
# Increase rpc thread count due to reports that lightning implementations fail
|
||||||
# under high bitcoind rpc load
|
# under high bitcoind rpc load
|
||||||
rpc.threads = 16;
|
rpc.threads = 16;
|
||||||
|
|
||||||
|
zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
|
||||||
|
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
||||||
@ -161,11 +165,6 @@ in {
|
|||||||
"d '${cfg.dataDir}' 0770 lnd lnd - -"
|
"d '${cfg.dataDir}' 0770 lnd lnd - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.bitcoind = {
|
|
||||||
zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
|
|
||||||
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.lnd = {
|
systemd.services.lnd = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
requires = [ "bitcoind.service" ];
|
requires = [ "bitcoind.service" ];
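Review bot: Moving `zmqpubrawblock`/`zmqpubrawtx` into `services.bitcoind` binds both ZMQ publishers to `bitcoindRpcAddress`, and bitcoind's ZMQ interface carries no authentication or encryption, so any host that can reach that address can subscribe to the raw block and transaction feed. `bitcoindRpcAddress` is defined outside this hunk, so I cannot confirm it is loopback here; a comment would pin the assumption: `# ZMQ has no auth: keep these on a non-public address (bitcoindRpcAddress is expected to be loopback or LAN-only)`. The existing comment on `rpc.threads = 16` is the style the two new lines should follow.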
|
||||||
|
@ -75,12 +75,6 @@ in {
|
|||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.clightning.enable = true;
|
services.clightning.enable = true;
|
||||||
|
|
||||||
users.users.recurring-donations = {
|
|
||||||
group = "recurring-donations";
|
|
||||||
extraGroups = [ "clightning" ];
|
|
||||||
};
|
|
||||||
users.groups.recurring-donations = {};
|
|
||||||
|
|
||||||
systemd.services.recurring-donations = {
|
systemd.services.recurring-donations = {
|
||||||
requires = [ "clightning.service" ];
|
requires = [ "clightning.service" ];
|
||||||
after = [ "clightning.service" ];
|
after = [ "clightning.service" ];
|
||||||
@ -103,5 +97,11 @@ in {
|
|||||||
};
|
};
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.recurring-donations = {
|
||||||
|
group = "recurring-donations";
|
||||||
|
extraGroups = [ "clightning" ];
|
||||||
|
};
|
||||||
|
users.groups.recurring-donations = {};
|
||||||
};
|
};
|
||||||
}
|
}
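Review bot: Adding the `recurring-donations` user to `extraGroups = [ "clightning" ]` gives the service whatever the clightning group can access — presumably the `lightning-rpc` socket, and with it every RPC including `pay`; since this unit exists to send payments that is likely required, but the user block says nothing about it. I would add above `extraGroups`: `# Member of clightning for lightning-rpc socket access; this grants the full RPC (including pay), which the donation script needs`. If a restricted RPC credential is available for clightning, a note on why it is not used here would help. The `config` block starts before this hunk.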
|
||||||
|