extract operator module
This commit is contained in:
parent
2dd1a741f7
commit
9aa19c3fdd
@ -380,6 +380,7 @@ in {
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
users.groups.bitcoinrpc = {};
|
||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
||||
|
||||
nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
|
||||
nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
|
||||
|
@ -99,6 +99,7 @@ in {
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
|
@ -48,6 +48,7 @@ in {
|
||||
usbutils
|
||||
];
|
||||
users.groups."${cfg.group}" = {};
|
||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
||||
})
|
||||
(mkIf cfg.ledger {
|
||||
|
||||
|
@ -125,6 +125,10 @@ in {
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
nix-bitcoin.operator = {
|
||||
groups = [ cfg.group ];
|
||||
sudoUsers = [ cfg.group ];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
|
@ -263,12 +263,15 @@ in {
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
group = cfg.group;
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
description = "Liquid sidechain user";
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
||||
|
||||
nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid";
|
||||
};
|
||||
}
|
||||
|
@ -259,6 +259,7 @@ in {
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
|
||||
};
|
||||
|
||||
users.users.lnd = {
|
||||
description = "LND User";
|
||||
group = "lnd";
|
||||
@ -266,6 +267,11 @@ in {
|
||||
home = cfg.dataDir; # lnd creates .lnd dir in HOME
|
||||
};
|
||||
users.groups.lnd = {};
|
||||
nix-bitcoin.operator = {
|
||||
groups = [ "lnd" ];
|
||||
sudoUsers = [ "lnd" ];
|
||||
};
|
||||
|
||||
nix-bitcoin.secrets = {
|
||||
lnd-wallet-password.user = "lnd";
|
||||
lnd-key.user = "lnd";
|
||||
|
@ -4,6 +4,7 @@
|
||||
imports = [
|
||||
# Core modules
|
||||
./secrets/secrets.nix
|
||||
./operator.nix
|
||||
|
||||
# Main features
|
||||
./bitcoind.nix
|
||||
|
@ -82,6 +82,7 @@ in {
|
||||
User that is allowed to execute commands in the service network namespaces.
|
||||
The user's group is also authorized.
|
||||
'';
|
||||
default = config.nix-bitcoin.operator.name;
|
||||
};
|
||||
|
||||
netns = mkOption {
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
operatorName = config.nix-bitcoin.operatorName;
|
||||
operatorName = config.nix-bitcoin.operator.name;
|
||||
script = pkgs.writeScriptBin "nodeinfo" ''
|
||||
set -eo pipefail
|
||||
|
||||
|
47
modules/operator.nix
Normal file
47
modules/operator.nix
Normal file
@ -0,0 +1,47 @@
|
||||
# Define an operator user for convenient interactive access to nix-bitcoin
|
||||
# features and services.
|
||||
#
|
||||
# When using nix-bitcoin as part of a larger system config, set
|
||||
# `nix-bitcoin.operator.name` to your main user name.
|
||||
|
||||
{ config, lib, pkgs, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.nix-bitcoin.operator;
|
||||
in {
|
||||
options.nix-bitcoin.operator = {
|
||||
enable = mkEnableOption "operator user";
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
default = "operator";
|
||||
description = "User name.";
|
||||
};
|
||||
groups = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Extra groups.";
|
||||
};
|
||||
sudoUsers = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Users as which the operator is allowed to run commands.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.users.${cfg.name} = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"systemd-journal"
|
||||
"proc" # Enable full /proc access and systemd-status
|
||||
] ++ cfg.groups;
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = mkIf (cfg.sudoUsers != []) (let
|
||||
users = builtins.concatStringsSep "," cfg.sudoUsers;
|
||||
in ''
|
||||
${cfg.name} ALL=(${users}) NOPASSWD: ALL
|
||||
'');
|
||||
};
|
||||
}
|
@ -5,7 +5,7 @@ with lib;
|
||||
let
|
||||
cfg = config.services;
|
||||
|
||||
operatorName = config.nix-bitcoin.operatorName;
|
||||
operatorName = config.nix-bitcoin.operator.name;
|
||||
|
||||
mkHiddenService = map: {
|
||||
map = [ map ];
|
||||
@ -29,11 +29,6 @@ in {
|
||||
default = 9735;
|
||||
description = "Port on which to listen for tor client connections.";
|
||||
};
|
||||
nix-bitcoin.operatorName = mkOption {
|
||||
type = types.str;
|
||||
default = "operator";
|
||||
description = "Less-privileged user's name.";
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
@ -159,35 +154,15 @@ in {
|
||||
qrencode
|
||||
];
|
||||
|
||||
# Create operator user which can access the node's services
|
||||
services.onion-chef = {
|
||||
enable = true;
|
||||
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
|
||||
};
|
||||
|
||||
nix-bitcoin.operator.enable = true;
|
||||
users.users.${operatorName} = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"systemd-journal"
|
||||
"proc" # Enable full /proc access and systemd-status
|
||||
cfg.bitcoind.group
|
||||
]
|
||||
++ (optionals cfg.clightning.enable [ "clightning" ])
|
||||
++ (optionals cfg.lnd.enable [ "lnd" ])
|
||||
++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
|
||||
++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
|
||||
[ cfg.hardware-wallets.group ])
|
||||
++ (optionals cfg.joinmarket.enable [ cfg.joinmarket.group ]);
|
||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
};
|
||||
nix-bitcoin.netns-isolation.allowedUser = operatorName;
|
||||
# Give operator access to onion hostnames
|
||||
services.onion-chef.enable = true;
|
||||
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
|
||||
|
||||
security.sudo.configFile =
|
||||
(optionalString cfg.lnd.enable ''
|
||||
${operatorName} ALL=(lnd) NOPASSWD: ALL
|
||||
'') +
|
||||
(optionalString cfg.joinmarket.enable ''
|
||||
${operatorName} ALL=(${cfg.joinmarket.user}) NOPASSWD: ALL
|
||||
'');
|
||||
|
||||
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
|
||||
systemd.services.get-vbox-nixops-client-key =
|
||||
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
|
||||
|
Loading…
Reference in New Issue
Block a user