Add operator user
This commit is contained in:
parent
94258c505e
commit
95c706b1b0
@ -187,6 +187,7 @@ in {
|
|||||||
chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
|
chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
|
||||||
fi
|
fi
|
||||||
cp '${configFile}' '${cfg.dataDir}/bitcoin.conf'
|
cp '${configFile}' '${cfg.dataDir}/bitcoin.conf'
|
||||||
|
chmod o-rw '${cfg.dataDir}/bitcoin.conf'
|
||||||
echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
|
echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
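Review bot: The added `chmod o-rw '${cfg.dataDir}/bitcoin.conf'` leaves the file readable by `${cfg.group}`, and elsewhere in this commit the operator login is added to `config.services.bitcoind.group`, so the rpcpassword appended on the next line becomes readable by that account; this looks intended for the bitcoin-cli alias, but nothing in the script records it. A comment above the chmod, `# keep group-readable: members of ${cfg.group} read rpcpassword for bitcoin-cli`, would make the choice explicit for the next maintainer. The ordering is right as it stands, since the secret is only appended after the mode change. The enclosing preStart string starts before this hunk.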
@ -4,7 +4,6 @@ with lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.services.clightning;
|
cfg = config.services.clightning;
|
||||||
home = "/var/lib/clightning";
|
|
||||||
configFile = pkgs.writeText "config" ''
|
configFile = pkgs.writeText "config" ''
|
||||||
autolisten=false
|
autolisten=false
|
||||||
network=bitcoin
|
network=bitcoin
|
||||||
@ -32,16 +31,25 @@ in {
|
|||||||
Bitcoin RPC user
|
Bitcoin RPC user
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
dataDir = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = "/var/lib/clightning";
|
||||||
|
description = "The data directory for bitcoind.";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
users.users.clightning =
|
users.users.clightning =
|
||||||
{
|
{
|
||||||
description = "clightning User";
|
description = "clightning User";
|
||||||
createHome = true;
|
group = "clightning";
|
||||||
extraGroups = [ "bitcoinrpc" "keys" ];
|
extraGroups = [ "bitcoinrpc" "keys" ];
|
||||||
inherit home;
|
home = cfg.dataDir;
|
||||||
};
|
};
|
||||||
|
users.groups.clightning = {
|
||||||
|
name = "clightning";
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.clightning =
|
systemd.services.clightning =
|
||||||
{ description = "Run clightningd";
|
{ description = "Run clightningd";
|
||||||
path = [ pkgs.bash pkgs.clightning pkgs.bitcoin ];
|
path = [ pkgs.bash pkgs.clightning pkgs.bitcoin ];
|
||||||
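Review bot: The new `dataDir` option is documented as `description = "The data directory for bitcoind.";` although this is the clightning module (`cfg = config.services.clightning`); it should read `description = "The data directory for clightning.";`. With `createHome = true` removed and `home = cfg.dataDir` set, the home directory now exists only once the service's preStart has run, which is presumably fine but deserves a short comment next to the user definition. The enclosing options set starts before this hunk.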
@ -49,15 +57,19 @@ in {
|
|||||||
requires = [ "bitcoind.service" ];
|
requires = [ "bitcoind.service" ];
|
||||||
after = [ "bitcoind.service" ];
|
after = [ "bitcoind.service" ];
|
||||||
preStart = ''
|
preStart = ''
|
||||||
mkdir -p ${home}/.lightning
|
mkdir -m 0770 -p ${cfg.dataDir}
|
||||||
rm -f ${home}/.lightning/config
|
rm -f ${cfg.dataDir}/config
|
||||||
cp ${configFile} ${home}/.lightning/config
|
chown 'clightning:clightning' '${cfg.dataDir}'
|
||||||
chmod +w ${home}/.lightning/config
|
cp ${configFile} ${cfg.dataDir}/config
|
||||||
echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${home}/.lightning/config'
|
chown 'clightning:clightning' '${cfg.dataDir}/config'
|
||||||
|
chmod +w ${cfg.dataDir}/config
|
||||||
|
chmod o-rw ${cfg.dataDir}/config
|
||||||
|
echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
|
||||||
'';
|
'';
|
||||||
serviceConfig =
|
serviceConfig =
|
||||||
{
|
{
|
||||||
ExecStart = "${pkgs.clightning}/bin/lightningd";
|
PermissionsStartOnly = "true";
|
||||||
|
ExecStart = "${pkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
|
||||||
User = "clightning";
|
User = "clightning";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
|
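Review bot: `mkdir -m 0770 -p ${cfg.dataDir}` applies the mode only when it creates the directory, so a directory that already exists (for example one created earlier by `createHome = true`, or restored from a backup) keeps whatever mode it had, while the `chown 'clightning:clightning' '${cfg.dataDir}'` is reapplied on every start; adding `chmod 0770 '${cfg.dataDir}'` after the chown keeps the two consistent. Quoting is also mixed in this script: `${cfg.dataDir}` is unquoted in the mkdir, rm, cp and chmod lines but quoted in the chown and echo lines, and since the option is `types.path` the quoted form should be used throughout. The hard-coded `clightning:clightning` differs in style from the bitcoind module's `${cfg.user}:${cfg.group}`, which may be worth aligning later. Note that the `PermissionsStartOnly = "true"` line is what lets this root-only chown/chmod sequence run while lightningd itself runs as `User = "clightning"`; a comment stating that would help. The preStart string is fully inside the hunk, but the enclosing serviceConfig set continues past it.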
@ -23,6 +23,7 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
# Add bitcoinrpc group
|
||||||
users.groups.bitcoinrpc = {};
|
users.groups.bitcoinrpc = {};
|
||||||
|
|
||||||
# Tor
|
# Tor
|
||||||
@ -69,15 +70,28 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||||
users.users.guest = {
|
users.users.operator = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
extraGroups = [ "clightning" config.services.bitcoind.group ];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
environment.interactiveShellInit = ''
|
||||||
|
alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
|
||||||
|
alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
|
||||||
|
'';
|
||||||
|
# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
|
||||||
|
# https://github.com/ElementsProject/lightning/issues/1366
|
||||||
|
security.sudo.configFile = ''
|
||||||
|
operator ALL=(clightning) NOPASSWD: ALL
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Give root ssh access to the operator account
|
||||||
systemd.services.copy-root-authorized-keys = {
|
systemd.services.copy-root-authorized-keys = {
|
||||||
description = "Copy root authorized keys";
|
description = "Copy root authorized keys";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ ];
|
path = [ ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pkgs.bash}/bin/bash -c \"mkdir -p ${config.users.users.guest.home}/.ssh && cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.guest.home}/.ssh/authorized_keys && chown -R guest ${config.users.users.guest.home}/.ssh\"";
|
ExecStart = "${pkgs.bash}/bin/bash -c \"mkdir -p ${config.users.users.operator.home}/.ssh && cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys && chown -R operator ${config.users.users.operator.home}/.ssh\"";
|
||||||
user = "root";
|
user = "root";
|
||||||
type = "oneshot";
|
type = "oneshot";
|
||||||
};
|
};
|
||||||
|
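Review bot: `security.sudo.configFile = ''operator ALL=(clightning) NOPASSWD: ALL''` replaces the entire generated sudoers file rather than extending it, so the module's default entries for root and the wheel group are dropped and this single rule is all that remains; `security.sudo.extraConfig` (or `security.sudo.extraRules` where available) appends to the generated file instead. The rule also permits every command as clightning although the alias only needs lightning-cli; `operator ALL=(clightning) NOPASSWD: ${pkgs.clightning}/bin/lightning-cli`, with the alias invoking that same path, is the narrower form. Given the sudo route, it is not obvious from this hunk why operator also needs membership in the `clightning` group, so either a comment explaining what it is for or dropping it would help. The unchanged `user = "root"` and `type = "oneshot"` keys in copy-root-authorized-keys are lower-case, which systemd does not recognise as unit keys; it is likely harmless since the defaults are root and simple, but worth confirming.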