greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netns: don't repeat cli definitions

Browse Source 
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
This commit is contained in:
Erik Arvstedt 2020-08-21 22:36:00 +02:00
parent e385c73256
commit 9715134f06
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
6 changed files with 32 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
modules/bitcoind.nix
View File

@ -265,20 +265,16 @@ in {
}; };
cli = mkOption { cli = mkOption {
type = types.package; type = types.package;
default = cfg.cli-nonetns-exec; # Overriden on netns-isolation
default = cfg.cliBase;
description = "Binary to connect with the bitcoind instance."; description = "Binary to connect with the bitcoind instance.";
}; };
# Needed because bitcoin-cli commands executed through systemd already cliBase = mkOption {
# run inside nb-bitcoind, hence they don't need netns-exec prefixed.
cli-nonetns-exec = mkOption {
readOnly = true; readOnly = true;
type = types.package; type = types.package;
default = pkgs.writeScriptBin "bitcoin-cli" '' default = pkgs.writeScriptBin "bitcoin-cli" ''
exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@" exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
''; '';
description = ''
Binary to connect with the bitcoind instance without netns-exec.
'';
}; };
enforceTor = nix-bitcoin-services.enforceTor; enforceTor = nix-bitcoin-services.enforceTor;
}; };
@ -315,7 +311,7 @@ in {
fi fi
''; '';
postStart = '' postStart = ''
cd ${cfg.cli-nonetns-exec}/bin cd ${cfg.cliBase}/bin
# Poll until bitcoind accepts commands. This can take a long time. # Poll until bitcoind accepts commands. This can take a long time.
while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do
sleep 1 sleep 1
@ -342,7 +338,7 @@ in {
bindsTo = [ "bitcoind.service" ]; bindsTo = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" ];
script = '' script = ''
cd ${cfg.cli-nonetns-exec}/bin cd ${cfg.cliBase}/bin
echo "Importing node banlist..." echo "Importing node banlist..."
cat ${./banlist.cli.txt} | while read line; do cat ${./banlist.cli.txt} | while read line; do
if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then

3
modules/lightning-loop.nix
View File

@ -30,10 +30,11 @@ in {
default = pkgs.writeScriptBin "loop" default = pkgs.writeScriptBin "loop"
# Switch user because lnd makes datadir contents readable by user only # Switch user because lnd makes datadir contents readable by user only
'' ''
exec sudo -u lnd ${cfg.package}/bin/loop "$@" ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/loop "$@"
''; '';
description = "Binary to connect with the lnd instance."; description = "Binary to connect with the lnd instance.";
}; };
inherit (nix-bitcoin-services) cliExec;
enforceTor = nix-bitcoin-services.enforceTor; enforceTor = nix-bitcoin-services.enforceTor;
}; };

10
modules/liquid.nix
View File

@ -210,17 +210,19 @@ in {
''; '';
}; };
cli = mkOption { cli = mkOption {
readOnly = true;
default = pkgs.writeScriptBin "elements-cli" '' default = pkgs.writeScriptBin "elements-cli" ''
exec ${pkgs.nix-bitcoin.elementsd}/bin/elements-cli -datadir='${cfg.dataDir}' "$@" ${cfg.cliExec} ${pkgs.nix-bitcoin.elementsd}/bin/elements-cli -datadir='${cfg.dataDir}' "$@"
''; '';
description = "Binary to connect with the liquidd instance."; description = "Binary to connect with the liquidd instance.";
}; };
swap-cli = mkOption { swapCli = mkOption {
default = pkgs.writeScriptBin "liquidswap-cli" '' default = pkgs.writeScriptBin "liquidswap-cli" ''
exec ${pkgs.nix-bitcoin.liquid-swap}/bin/liquidswap-cli -c '${cfg.dataDir}/elements.conf' "$@" ${cfg.cliExec} ${pkgs.nix-bitcoin.liquid-swap}/bin/liquidswap-cli -c '${cfg.dataDir}/elements.conf' "$@"
''; '';
description = "Binary for managing liquid swaps."; description = "Binary for managing liquid swaps.";
}; };
inherit (nix-bitcoin-services) cliExec;
enforceTor = nix-bitcoin-services.enforceTor; enforceTor = nix-bitcoin-services.enforceTor;
}; };
}; };
@ -229,7 +231,7 @@ in {
environment.systemPackages = [ environment.systemPackages = [
pkgs.nix-bitcoin.elementsd pkgs.nix-bitcoin.elementsd
(hiPrio cfg.cli) (hiPrio cfg.cli)
(hiPrio cfg.swap-cli) (hiPrio cfg.swapCli)
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [

3
modules/lnd.nix
View File

@ -115,11 +115,12 @@ in {
default = pkgs.writeScriptBin "lncli" default = pkgs.writeScriptBin "lncli"
# Switch user because lnd makes datadir contents readable by user only # Switch user because lnd makes datadir contents readable by user only
'' ''
exec sudo -u lnd ${cfg.package}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \ ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \
--macaroonpath '${cfg.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@" --macaroonpath '${cfg.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
''; '';
description = "Binary to connect with the lnd instance."; description = "Binary to connect with the lnd instance.";
}; };
inherit (nix-bitcoin-services) cliExec;
enforceTor = nix-bitcoin-services.enforceTor; enforceTor = nix-bitcoin-services.enforceTor;
}; };

32
modules/netns-isolation.nix
View File

@ -9,6 +9,7 @@ let
inherit (v) id; inherit (v) id;
address = "169.254.${toString cfg.addressblock}.${toString v.id}"; address = "169.254.${toString cfg.addressblock}.${toString v.id}";
availableNetns = availableNetns.${n}; availableNetns = availableNetns.${n};
netnsName = "nb-${n}";
}) enabledServices; }) enabledServices;
# Symmetric netns connection matrix # Symmetric netns connection matrix
@ -42,6 +43,7 @@ let
bridgeIp = "169.254.${toString cfg.addressblock}.10"; bridgeIp = "169.254.${toString cfg.addressblock}.10";
mkCliExec = service: "exec netns-exec ${netns.${service}.netnsName}";
in { in {
options.nix-bitcoin.netns-isolation = { options.nix-bitcoin.netns-isolation = {
enable = mkEnableOption "netns isolation"; enable = mkEnableOption "netns isolation";
@ -114,7 +116,7 @@ in {
(let (let
makeNetnsServices = n: v: let makeNetnsServices = n: v: let
vethName = "nb-veth-${toString v.id}"; vethName = "nb-veth-${toString v.id}";
netnsName = "nb-${n}"; inherit (v) netnsName;
ipNetns = "${ip} -n ${netnsName}"; ipNetns = "${ip} -n ${netnsName}";
netnsIptables = "${ip} netns exec ${netnsName} ${config.networking.firewall.package}/bin/iptables"; netnsIptables = "${ip} netns exec ${netnsName} ${config.networking.firewall.package}/bin/iptables";
in { in {
@ -219,8 +221,10 @@ in {
rpcallowip = [ rpcallowip = [
"127.0.0.1" "127.0.0.1"
] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns; ] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns;
cli = pkgs.writeScriptBin "bitcoin-cli" '' cli = let
netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@" inherit (config.services.bitcoind) cliBase;
in pkgs.writeScriptBin cliBase.name ''
exec netns-exec ${netns.bitcoind.netnsName} ${cliBase}/bin/${cliBase.name} "$@"
''; '';
}; };
systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind"; systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
@ -241,12 +245,7 @@ in {
"127.0.0.1" "127.0.0.1"
]; ];
bitcoind-host = netns.bitcoind.address; bitcoind-host = netns.bitcoind.address;
cli = pkgs.writeScriptBin "lncli" cliExec = mkCliExec "lnd";
# Switch user because lnd makes datadir contents readable by user only
''
netns-exec nb-lnd sudo -u lnd ${config.services.lnd.package}/bin/lncli --tlscertpath ${config.nix-bitcoin.secretsDir}/lnd-cert \
--macaroonpath '${config.services.lnd.dataDir}/chain/bitcoin/mainnet/admin.macaroon' "$@"
'';
}; };
services.liquidd = { services.liquidd = {
@ -259,12 +258,7 @@ in {
"127.0.0.1" "127.0.0.1"
] ++ map (n: "${netns.${n}.address}") netns.liquidd.availableNetns; ] ++ map (n: "${netns.${n}.address}") netns.liquidd.availableNetns;
mainchainrpchost = netns.bitcoind.address; mainchainrpchost = netns.bitcoind.address;
cli = pkgs.writeScriptBin "elements-cli" '' cliExec = mkCliExec "liquidd";
netns-exec nb-liquidd ${pkgs.nix-bitcoin.elementsd}/bin/elements-cli -datadir='${config.services.liquidd.dataDir}' "$@"
'';
swap-cli = pkgs.writeScriptBin "liquidswap-cli" ''
netns-exec nb-liquidd ${pkgs.nix-bitcoin.liquid-swap}/bin/liquidswap-cli -c '${config.services.liquidd.dataDir}/elements.conf' "$@"
'';
}; };
services.electrs = { services.electrs = {
@ -286,13 +280,7 @@ in {
services.nix-bitcoin-webindex.host = netns.nginx.address; services.nix-bitcoin-webindex.host = netns.nginx.address;
services.lightning-loop = { services.lightning-loop.cliExec = mkCliExec "lightning-loop";
cli = pkgs.writeScriptBin "loop"
# Switch user because lnd makes datadir contents readable by user only
''
netns-exec nb-lightning-loop sudo -u lnd ${config.services.lightning-loop.package}/bin/loop "$@"
'';
};
} }
]); ]);
} }

7
modules/nix-bitcoin-services.nix
View File

@ -55,4 +55,11 @@ with lib;
set -eo pipefail set -eo pipefail
${src} ${src}
''; '';
cliExec = mkOption {
# Used by netns-isolation to execute the cli in the service's private netns
internal = true;
type = types.str;
default = "exec";
};
} }