services: use consistent layout

Use the following order of definitions for all services:
- assertions
- configuration of other services
- environment.systemPackages
- tmpfiles
- the module's own systemd service
- users
- secrets
Erik Arvstedt 2021-02-01 22:53:22 +01:00
parent a43534dda0
commit 6982699613
7 changed files with 68 additions and 60 deletions


@ -99,10 +99,19 @@ in {
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true; services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true; services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
systemd.tmpfiles.rules = [ services.bitcoind.rpc.users.btcpayserver = {
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -" passwordHMACFromFile = true;
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -" rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
]; "setban"
"generatetoaddress"
"getpeerinfo"
];
};
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -113,6 +122,11 @@ in {
}]; }];
}; };
systemd.tmpfiles.rules = [
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
];
systemd.services.nbxplorer = let systemd.services.nbxplorer = let
configFile = builtins.toFile "config" '' configFile = builtins.toFile "config" ''
network=${config.services.bitcoind.network} network=${config.services.bitcoind.network}
@ -196,11 +210,6 @@ in {
); );
}; in self; }; in self;
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
users.users.${cfg.nbxplorer.user} = { users.users.${cfg.nbxplorer.user} = {
group = cfg.nbxplorer.group; group = cfg.nbxplorer.group;
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
@ -215,18 +224,12 @@ in {
}; };
users.groups.${cfg.btcpayserver.group} = {}; users.groups.${cfg.btcpayserver.group} = {};
services.bitcoind.rpc.users.btcpayserver = { nix-bitcoin.secrets = {
passwordHMACFromFile = true; bitcoin-rpcpassword-btcpayserver = {
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [ user = "bitcoin";
"setban" group = "nbxplorer";
"generatetoaddress" };
"getpeerinfo" bitcoin-HMAC-btcpayserver.user = "bitcoin";
];
}; };
nix-bitcoin.secrets.bitcoin-rpcpassword-btcpayserver = {
user = "bitcoin";
group = "nbxplorer";
};
nix-bitcoin.secrets.bitcoin-HMAC-btcpayserver.user = "bitcoin";
}; };
} }
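Review bot: The three RPCs appended to `rpcwhitelist` (`setban`, `generatetoaddress`, `getpeerinfo`) carry no comment saying why btcpayserver needs them, and `setban` in particular lets this RPC user add and remove peer bans on the node, so a compromised BTCPay instance could reshape bitcoind's peer set. I would add above the list `# setban/getpeerinfo: peer management from the BTCPay UI; generatetoaddress: presumably only meaningful on regtest — TODO confirm against BTCPay's feature set`. The lnd macaroon deserves the same treatment: `{"entity":"signer","action":"read"}` and `{"entity":"address","action":"write"}` are the non-read-only grants and a one-line comment should name the BTCPay feature that requires each. The enclosing `config` attrset starts before the first hunk and its trailing lines are cut by the last one.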


@ -100,12 +100,6 @@ in {
}; };
environment.systemPackages = [ nbPkgs.clightning (hiPrio cfg.cli) ]; environment.systemPackages = [ nbPkgs.clightning (hiPrio cfg.cli) ];
users.users.${cfg.user} = {
group = cfg.group;
extraGroups = [ "bitcoinrpc" ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
@ -147,5 +141,12 @@ in {
chmod g+x ${cfg.networkDir} chmod g+x ${cfg.networkDir}
''; '';
}; };
users.users.${cfg.user} = {
group = cfg.group;
extraGroups = [ "bitcoinrpc" ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];
}; };
} }
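Review bot: `nix-bitcoin.operator.groups = [ cfg.group ]` now sits at the end of the block with no comment, yet combined with the `0770` dataDir rule and the `chmod g+x ${cfg.networkDir}` just above it presumably gives the operator account read access to everything clightning keeps in its data directory, key material included. A one-line comment should state that this is intended, e.g. `# Operator gets group access to dataDir (and presumably any secrets clightning stores there) — needed for the CLI; confirm scope`. The enclosing `config` block starts outside the hunk.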


@ -47,9 +47,11 @@ in {
# Provides lsusb for debugging # Provides lsusb for debugging
pkgs.usbutils pkgs.usbutils
]; ];
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ]; nix-bitcoin.operator.groups = [ cfg.group ];
}) })
(mkIf cfg.ledger { (mkIf cfg.ledger {
# Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh # Ledger Nano S according to https://github.com/LedgerHQ/udev-rules/blob/master/add_udev_rules.sh
# Don't use rules from nixpkgs because we want to use our own group. # Don't use rules from nixpkgs because we want to use our own group.


@ -54,6 +54,7 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Joinmarket is Tor-only
services.tor = { services.tor = {
enable = true; enable = true;
client.enable = true; client.enable = true;


@ -141,30 +141,12 @@ in {
}; };
config = mkIf cfg.enable (mkMerge [{ config = mkIf cfg.enable (mkMerge [{
services.bitcoind.enable = true; services.bitcoind = {
enable = true;
environment.systemPackages = [ disablewallet = false;
(hiPrio cfg.cli)
];
users.users.${cfg.user} = {
group = cfg.group;
home = cfg.dataDir;
# Allow access to the tor control socket, needed for payjoin onion service creation
extraGroups = [ "tor" ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator = {
groups = [ cfg.group ];
sudoUsers = [ cfg.group ];
}; };
systemd.tmpfiles.rules = [ # Joinmarket is Tor-only
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
];
services.bitcoind.disablewallet = false;
# Joinmarket is TOR-only
services.tor = { services.tor = {
enable = true; enable = true;
client.enable = true; client.enable = true;
@ -172,6 +154,14 @@ in {
controlSocket.enable = true; controlSocket.enable = true;
}; };
environment.systemPackages = [
(hiPrio cfg.cli)
];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
];
systemd.services.joinmarket = { systemd.services.joinmarket = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
@ -211,6 +201,18 @@ in {
} // nbLib.allowTor; } // nbLib.allowTor;
}; };
users.users.${cfg.user} = {
group = cfg.group;
home = cfg.dataDir;
# Allow access to the tor control socket, needed for payjoin onion service creation
extraGroups = [ "tor" ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator = {
groups = [ cfg.group ];
sudoUsers = [ cfg.group ];
};
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user; nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
} }
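Review bot: `extraGroups = [ "tor" ]` on the joinmarket user is justified in the comment by payjoin onion-service creation, but with `controlSocket.enable = true` group membership presumably exposes the whole Tor control protocol (NEWNYM, GETINFO, SETCONF and so on), which is a much larger grant than ADD_ONION; the comment should say so, e.g. `# NOTE: this grants the full Tor control interface, not just onion-service creation`. `disablewallet = false` in the bitcoind block also lacks a why-comment; I would add `# Joinmarket needs the bitcoind wallet enabled — TODO note what it is used for`. Likewise `sudoUsers = [ cfg.group ]` lets the operator run commands as this user and deserves a line saying which workflow needs that. The `systemd.services.joinmarket` unit's hardening options are outside the hunk.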


@ -150,9 +150,13 @@ in {
services.bitcoind = { services.bitcoind = {
enable = true; enable = true;
# Increase rpc thread count due to reports that lightning implementations fail # Increase rpc thread count due to reports that lightning implementations fail
# under high bitcoind rpc load # under high bitcoind rpc load
rpc.threads = 16; rpc.threads = 16;
zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
}; };
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
@ -161,11 +165,6 @@ in {
"d '${cfg.dataDir}' 0770 lnd lnd - -" "d '${cfg.dataDir}' 0770 lnd lnd - -"
]; ];
services.bitcoind = {
zmqpubrawblock = "tcp://${bitcoindRpcAddress}:28332";
zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
};
systemd.services.lnd = { systemd.services.lnd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
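Review bot: The `zmqpubrawblock`/`zmqpubrawtx` endpoints bound to `bitcoindRpcAddress` carry no authentication, so anything that can reach that address on ports 28332/28333 can subscribe to the node's raw block and transaction feed; whether that is acceptable depends on `bitcoindRpcAddress` being loopback or an internal address, and its definition is outside the hunk. I would add above the two lines `# ZMQ has no auth; bitcoindRpcAddress must not be reachable from untrusted networks`. The `rpc.threads` comment is a good model for that.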


@ -75,12 +75,6 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.clightning.enable = true; services.clightning.enable = true;
users.users.recurring-donations = {
group = "recurring-donations";
extraGroups = [ "clightning" ];
};
users.groups.recurring-donations = {};
systemd.services.recurring-donations = { systemd.services.recurring-donations = {
requires = [ "clightning.service" ]; requires = [ "clightning.service" ];
after = [ "clightning.service" ]; after = [ "clightning.service" ];
@ -103,5 +97,11 @@ in {
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
users.users.recurring-donations = {
group = "recurring-donations";
extraGroups = [ "clightning" ];
};
users.groups.recurring-donations = {};
}; };
} }
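Review bot: `extraGroups = [ "clightning" ]` is the only privilege the recurring-donations user receives and it has no comment explaining what it is for; membership in that group presumably grants the clightning RPC socket, which would give this service every RPC including arbitrary payments, not only the donations it is meant to make. I would annotate it `# Needed for the clightning RPC socket — this presumably grants full RPC access, not just pay; confirm socket permissions`. The `systemd.services.recurring-donations` unit's hardening options are outside the hunk, so I cannot tell whether anything else limits the blast radius.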