From 7369f0a7ec5ec057a3360651bf2eab297fa829a0 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 10 Jun 2020 14:43:03 +0000
Subject: [PATCH] lightning-charge: add netns

- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other services
- Adds extraArgs option to allow using lightning-charge with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
---
 modules/lightning-charge.nix | 19 ++++++++++++++++---
 modules/netns-isolation.nix | 8 ++++++++
 modules/presets/secure-node.nix | 2 ++
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index e2d4ce5..18e27ba 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -21,6 +21,17 @@ in {
 default = "/var/lib/lightning-charge";
 description = "The data directory for lightning-charge.";
 };
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = "http server listen address";
+ };
+ extraArgs = mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description = "Extra command line arguments passed to lightning-charge.";
+ };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 
 config = mkIf cfg.enable {
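Review bot: The new `host` option's description `"http server listen address"` is the only one in this option block that is lowercase and unterminated, and it does not say what the value controls: the ExecStart hunk below passes it to charged as `-i`, and the commit message says it is also the hidden-service target, so any non-loopback value makes charged's HTTP API reachable from that network. Suggest `description = "HTTP server listen address. Keep this on loopback unless netns-isolation sets it; charged's API becomes reachable from whatever network this address belongs to.";`. `host` is `types.str` and is interpolated unquoted into ExecStart, so an empty value would leave `-i` consuming the first word of `extraArgs`; an assertion that `cfg.host != ""` would catch that at evaluation time. The options attribute set this hunk edits begins before the hunk.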
@@ -60,13 +71,15 @@ in {
 # Needed to access clightning.dataDir in preStart
 PermissionsStartOnly = "true";
 EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
- ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
+ ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db -i ${cfg.host} ${cfg.extraArgs}";
 User = user;
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = "${cfg.dataDir}";
- } // nix-bitcoin-services.nodejs
- // nix-bitcoin-services.allowTor;
+ } // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP)
+ // nix-bitcoin-services.nodejs;
 };
 nix-bitcoin.secrets.lightning-charge-env.user = user;
 };
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index d42b492..130fd3a 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -110,6 +110,11 @@ in {
 # communicates with clightning over lightning-rpc socket
 connections = [];
 };
+ lightning-charge = {
+ id = 18;
+ # communicates with clightning over lightning-rpc socket
+ connections = [];
+ };
 };
 
 systemd.services = {
@@ -263,6 +268,9 @@ in {
 extraArgs = "--no-tls";
 };
 
+ # lightning-charge: Custom netns configs
+ services.lightning-charge.host = mkIf config.services.lightning-charge.enable netns.lightning-charge.address;
+
 })
 # Custom netns config option values if netns-isolation not enabled
 (mkIf (!cfg.enable) {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 983d8fb..c36e4b2 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -127,6 +127,8 @@ in {
 enforceTor = true;
 };
 
+ services.lightning-charge.enforceTor = true;
+
 services.nix-bitcoin-webindex.enforceTor = true;
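Review bot: The rewritten attribute merge at the end of the hunk flips precedence: `//` is right-biased, so before this change `allowTor` overrode `nodejs` on any shared key, and now `nodejs` overrides whichever of `allowTor`/`allowAnyIP` was selected. If those helper sets define any of the same systemd hardening keys (not visible from this hunk), the Tor/IP restriction for that key is silently lost. Keeping the network set last, `} // nix-bitcoin-services.nodejs // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP);`, preserves the original ordering while still honouring `enforceTor`. The serviceConfig set this hunk edits begins before the hunk.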
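Review bot: `connections = []` on the new `lightning-charge` netns entry means no other namespace may reach charged's HTTP API at `netns.lightning-charge.address`; if another service in this file consumes that API (cannot be confirmed from the hunk) it needs to be listed here, otherwise this is the correct least-privilege default and deserves saying so. The comment copied from the previous entry explains the clightning side but not why the list is empty; suggest `# talks to clightning only over the lightning-rpc unix socket, so no inter-netns connection is needed`. Whether `id = 18` collides with another entry is not visible in this hunk and should be checked against the rest of the `services` set, which begins before the hunk.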
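Review bot: The commit message says `host` is the target of the hidden service, but no hunk in this patch points an onion service at `cfg.host`; once this line sets `services.lightning-charge.host` to `netns.lightning-charge.address`, charged listens only on the namespace address, so a hidden service still targeting 127.0.0.1 cannot connect, and the `-i` option added in lightning-charge.nix is the only place the value is consumed here. If the onion-service wiring lives in another file, name it so the coupling is visible: `# lightning-charge: Custom netns configs (the onion service target must follow this address; see <onion-service file>)`. The `mkIf cfg.enable` list this line sits in begins and ends outside the hunk.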