diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 5362710..440b6ed 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -265,20 +265,16 @@ in {
     };
     cli = mkOption {
       type = types.package;
-      default = cfg.cli-nonetns-exec;
+      # Overriden on netns-isolation
+      default = cfg.cliBase;
       description = "Binary to connect with the bitcoind instance.";
     };
-    # Needed because bitcoin-cli commands executed through systemd already
-    # run inside nb-bitcoind, hence they don't need netns-exec prefixed.
-    cli-nonetns-exec = mkOption {
+    cliBase = mkOption {
       readOnly = true;
       type = types.package;
       default = pkgs.writeScriptBin "bitcoin-cli" ''
         exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
       '';
-      description = ''
-        Binary to connect with the bitcoind instance without netns-exec.
-      '';
     };
     enforceTor = nix-bitcoin-services.enforceTor;
   };
@@ -315,7 +311,7 @@ in {
       fi
     '';
     postStart = ''
-      cd ${cfg.cli-nonetns-exec}/bin
+      cd ${cfg.cliBase}/bin
       # Poll until bitcoind accepts commands. This can take a long time.
       while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do
         sleep 1
@@ -342,7 +338,7 @@ in {
     bindsTo = [ "bitcoind.service" ];
     after = [ "bitcoind.service" ];
     script = ''
-      cd ${cfg.cli-nonetns-exec}/bin
+      cd ${cfg.cliBase}/bin
       echo "Importing node banlist..."
       cat ${./banlist.cli.txt} | while read line; do
         if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 0c84873..65a6981 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -30,10 +30,11 @@ in {
       default = pkgs.writeScriptBin "loop"
       # Switch user because lnd makes datadir contents readable by user only
       ''
-        exec sudo -u lnd ${cfg.package}/bin/loop "$@"
+        ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/loop "$@"
       '';
       description = "Binary to connect with the lnd instance.";
     };
+    inherit (nix-bitcoin-services) cliExec;
     enforceTor = nix-bitcoin-services.enforceTor;
   };
 
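Review bot: The new `cliBase` option is left undocumented while the commit deletes both the explanatory comment on `cli-nonetns-exec` (systemd-run bitcoin-cli commands already execute inside the bitcoind netns, so they must not be wrapped in netns-exec) and that option's description; the same hunk also misspells "Overridden" in `# Overriden on netns-isolation`. Since `cliBase` is read-only and exists only for that purpose (the `postStart` and banlist hunks below `cd` into it), keep the rationale on the option itself, e.g. `description = "bitcoin-cli without the netns-exec wrapper. Used by systemd units that already run inside the bitcoind network namespace.";`, and correct the comment to `# Overridden by netns-isolation`. The enclosing options attribute set starts outside the hunk.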
diff --git a/modules/liquid.nix b/modules/liquid.nix
index bf93d30..ae2b07e 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -210,17 +210,19 @@ in {
       '';
     };
     cli = mkOption {
+      readOnly = true;
       default = pkgs.writeScriptBin "elements-cli" ''
-        exec ${pkgs.nix-bitcoin.elementsd}/bin/elements-cli -datadir='${cfg.dataDir}' "$@"
+        ${cfg.cliExec} ${pkgs.nix-bitcoin.elementsd}/bin/elements-cli -datadir='${cfg.dataDir}' "$@"
       '';
       description = "Binary to connect with the liquidd instance.";
     };
-    swap-cli = mkOption {
+    swapCli = mkOption {
       default = pkgs.writeScriptBin "liquidswap-cli" ''
-        exec ${pkgs.nix-bitcoin.liquid-swap}/bin/liquidswap-cli -c '${cfg.dataDir}/elements.conf' "$@"
+        ${cfg.cliExec} ${pkgs.nix-bitcoin.liquid-swap}/bin/liquidswap-cli -c '${cfg.dataDir}/elements.conf' "$@"
       '';
       description = "Binary for managing liquid swaps.";
     };
+    inherit (nix-bitcoin-services) cliExec;
     enforceTor = nix-bitcoin-services.enforceTor;
   };
 };
@@ -229,7 +231,7 @@ in {
   environment.systemPackages = [
     pkgs.nix-bitcoin.elementsd
     (hiPrio cfg.cli)
-    (hiPrio cfg.swap-cli)
+    (hiPrio cfg.swapCli)
   ];
 
   systemd.tmpfiles.rules = [
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 998440f..621dc03 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -115,11 +115,12 @@ in {
       default = pkgs.writeScriptBin "lncli"
       # Switch user because lnd makes datadir contents readable by user only
       ''
-        exec sudo -u lnd ${cfg.package}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \
+        ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \
           --macaroonpath '${cfg.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
       '';
       description = "Binary to connect with the lnd instance.";
     };
+    inherit (nix-bitcoin-services) cliExec;
     enforceTor = nix-bitcoin-services.enforceTor;
   };
 
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index b18782d..cca9bbc 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
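Review bot: `readOnly = true;` is added to `cli` but not to the sibling `swapCli`, even though both wrappers are now built the same way from `cfg.cliExec`; the `cli` options changed identically in lnd.nix and lightning-loop.nix in this commit are also left writable. The netns-isolation override that previously required these options to be assignable is removed elsewhere in this commit, so either all of them should become read-only or none, and the decision deserves a one-line comment on the option, e.g. `# readOnly: netns-isolation customizes the wrapper via cliExec instead of overriding cli`. The enclosing `options.services.liquidd` set starts outside the hunk.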
@@ -9,6 +9,7 @@ let
       inherit (v) id;
       address = "169.254.${toString cfg.addressblock}.${toString v.id}";
       availableNetns = availableNetns.${n};
+      netnsName = "nb-${n}";
     }) enabledServices;
 
   # Symmetric netns connection matrix
@@ -42,6 +43,7 @@ let
 
   bridgeIp = "169.254.${toString cfg.addressblock}.10";
 
+  mkCliExec = service: "exec netns-exec ${netns.${service}.netnsName}";
 in {
   options.nix-bitcoin.netns-isolation = {
     enable = mkEnableOption "netns isolation";
@@ -114,7 +116,7 @@ in {
     (let
       makeNetnsServices = n: v: let
         vethName = "nb-veth-${toString v.id}";
-        netnsName = "nb-${n}";
+        inherit (v) netnsName;
         ipNetns = "${ip} -n ${netnsName}";
         netnsIptables = "${ip} netns exec ${netnsName} ${config.networking.firewall.package}/bin/iptables";
       in {
@@ -219,8 +221,10 @@ in {
           rpcallowip = [
             "127.0.0.1"
           ] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns;
-          cli = pkgs.writeScriptBin "bitcoin-cli" ''
-            netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@"
+          cli = let
+            inherit (config.services.bitcoind) cliBase;
+          in pkgs.writeScriptBin cliBase.name ''
+            exec netns-exec ${netns.bitcoind.netnsName} ${cliBase}/bin/${cliBase.name} "$@"
           '';
         };
         systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
@@ -241,12 +245,7 @@ in {
             "127.0.0.1"
           ];
           bitcoind-host = netns.bitcoind.address;
-          cli = pkgs.writeScriptBin "lncli"
-          # Switch user because lnd makes datadir contents readable by user only
-          ''
-            netns-exec nb-lnd sudo -u lnd ${config.services.lnd.package}/bin/lncli --tlscertpath ${config.nix-bitcoin.secretsDir}/lnd-cert \
-              --macaroonpath '${config.services.lnd.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
-          '';
+          cliExec = mkCliExec "lnd";
         };
 
         services.liquidd = {
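Review bot: The context line directly below the rewritten `cli` still hard-codes the namespace path as `"/var/run/netns/nb-bitcoind"`, while the new wrapper on the line above derives the same name from `netns.bitcoind.netnsName`. If the scheme introduced in the first hunk (`netnsName = "nb-${n}"`) is ever changed, the banlist unit would be placed in a different namespace than the cli it runs, so use the single source: `systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/${netns.bitcoind.netnsName}";`. Other `nb-<service>` literals may remain elsewhere in the file outside this hunk; the enclosing `services.bitcoind` set starts outside it.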
@@ -259,12 +258,7 @@ in {
             "127.0.0.1"
           ] ++ map (n: "${netns.${n}.address}") netns.liquidd.availableNetns;
           mainchainrpchost = netns.bitcoind.address;
-          cli = pkgs.writeScriptBin "elements-cli" ''
-            netns-exec nb-liquidd ${pkgs.nix-bitcoin.elementsd}/bin/elements-cli -datadir='${config.services.liquidd.dataDir}' "$@"
-          '';
-          swap-cli = pkgs.writeScriptBin "liquidswap-cli" ''
-            netns-exec nb-liquidd ${pkgs.nix-bitcoin.liquid-swap}/bin/liquidswap-cli -c '${config.services.liquidd.dataDir}/elements.conf' "$@"
-          '';
+          cliExec = mkCliExec "liquidd";
         };
 
         services.electrs = {
@@ -286,13 +280,7 @@ in {
 
         services.nix-bitcoin-webindex.host = netns.nginx.address;
 
-        services.lightning-loop = {
-          cli = pkgs.writeScriptBin "loop"
-          # Switch user because lnd makes datadir contents readable by user only
-          ''
-            netns-exec nb-lightning-loop ${config.services.lightning-loop.package}/bin/loop "$@"
-          '';
-        };
+        services.lightning-loop.cliExec = mkCliExec "lightning-loop";
       }
     ]);
   }
diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index 097567e..e8e2f9a 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -55,4 +55,11 @@ with lib;
     set -eo pipefail
     ${src}
   '';
+
+  cliExec = mkOption {
+    # Used by netns-isolation to execute the cli in the service's private netns
+    internal = true;
+    type = types.str;
+    default = "exec";
+  };
 }
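Review bot: `mkCliExec "lightning-loop"` now reads `netns.lightning-loop.netnsName`, and the first hunk of this file shows `netns` is built only over `enabledServices`; the removed definition used the literal `nb-lightning-loop` and had no such dependency. Whether evaluation fails when netns-isolation is enabled but lightning-loop is not depends on the `cliExec` option value never being forced in that configuration, which cannot be confirmed from this diff, so an evaluation of that combination is worth adding to the test set. Also worth a sentence in the commit message: in netns mode the loop wrapper now inherits `sudo -u lnd` from the module default, which the removed netns-specific wrapper did not include. The enclosing `mkMerge` list starts outside the hunk.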
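Review bot: The comment on the new `cliExec` option names its consumer but not its contract: the value is a shell command prefix that each module interpolates verbatim and unquoted in front of the binary in its cli wrapper (`${cfg.cliExec} sudo -u lnd ...` in lnd.nix), so anything assigned here becomes shell code, and the default `exec` is what keeps the wrappers' previous behaviour. State that on the option, e.g. `# Shell command prefix for the cli wrapper scripts, spliced unquoted before the binary.` followed by `# The default just execs the binary; netns-isolation sets "exec netns-exec <netns>".`. Given that use, the broad `types.str` is appropriate, but the comment should make clear the option is not a path.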