greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

extract operator module

This commit is contained in:
Erik Arvstedt 2020-09-28 13:09:03 +02:00
parent 2dd1a741f7
commit 9aa19c3fdd
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
11 changed files with 73 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
modules/bitcoind.nix
View File

@ -380,6 +380,7 @@ in {
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
users.groups.bitcoinrpc = {}; users.groups.bitcoinrpc = {};
nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin"; nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
nix-bitcoin.secrets.bitcoin-rpcpassword-public = { nix-bitcoin.secrets.bitcoin-rpcpassword-public = {

1
modules/clightning.nix
View File

@ -99,6 +99,7 @@ in {
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"

1
modules/hardware-wallets.nix
View File

@ -48,6 +48,7 @@ in {
usbutils usbutils
]; ];
users.groups."${cfg.group}" = {}; users.groups."${cfg.group}" = {};
nix-bitcoin.operator.groups = [ cfg.group ];
}) })
(mkIf cfg.ledger { (mkIf cfg.ledger {

4
modules/joinmarket.nix
View File

@ -125,6 +125,10 @@ in {
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator = {
groups = [ cfg.group ];
sudoUsers = [ cfg.group ];
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"

3
modules/liquid.nix
View File

@ -263,12 +263,15 @@ in {
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
); );
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
group = cfg.group; group = cfg.group;
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
description = "Liquid sidechain user"; description = "Liquid sidechain user";
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid"; nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid";
}; };
} }

6
modules/lnd.nix
View File

@ -259,6 +259,7 @@ in {
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ ) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
}; };
users.users.lnd = { users.users.lnd = {
description = "LND User"; description = "LND User";
group = "lnd"; group = "lnd";
@ -266,6 +267,11 @@ in {
home = cfg.dataDir; # lnd creates .lnd dir in HOME home = cfg.dataDir; # lnd creates .lnd dir in HOME
}; };
users.groups.lnd = {}; users.groups.lnd = {};
nix-bitcoin.operator = {
groups = [ "lnd" ];
sudoUsers = [ "lnd" ];
};
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
lnd-wallet-password.user = "lnd"; lnd-wallet-password.user = "lnd";
lnd-key.user = "lnd"; lnd-key.user = "lnd";

1
modules/modules.nix
View File

@ -4,6 +4,7 @@
imports = [ imports = [
# Core modules # Core modules
./secrets/secrets.nix ./secrets/secrets.nix
./operator.nix
# Main features # Main features
./bitcoind.nix ./bitcoind.nix

1
modules/netns-isolation.nix
View File

@ -82,6 +82,7 @@ in {
User that is allowed to execute commands in the service network namespaces. User that is allowed to execute commands in the service network namespaces.
The user's group is also authorized. The user's group is also authorized.
''; '';
default = config.nix-bitcoin.operator.name;
}; };
netns = mkOption { netns = mkOption {

2
modules/nodeinfo.nix
View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
operatorName = config.nix-bitcoin.operatorName; operatorName = config.nix-bitcoin.operator.name;
script = pkgs.writeScriptBin "nodeinfo" '' script = pkgs.writeScriptBin "nodeinfo" ''
set -eo pipefail set -eo pipefail

47
modules/operator.nix Normal file
View File

@ -0,0 +1,47 @@
# Define an operator user for convenient interactive access to nix-bitcoin
# features and services.
#
# When using nix-bitcoin as part of a larger system config, set
# `nix-bitcoin.operator.name` to your main user name.
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.nix-bitcoin.operator;
in {
options.nix-bitcoin.operator = {
enable = mkEnableOption "operator user";
name = mkOption {
type = types.str;
default = "operator";
description = "User name.";
};
groups = mkOption {
type = with types; listOf str;
default = [];
description = "Extra groups.";
};
sudoUsers = mkOption {
type = with types; listOf str;
default = [];
description = "Users as which the operator is allowed to run commands.";
};
};
config = mkIf cfg.enable {
users.users.${cfg.name} = {
isNormalUser = true;
extraGroups = [
"systemd-journal"
"proc" # Enable full /proc access and systemd-status
] ++ cfg.groups;
};
security.sudo.extraConfig = mkIf (cfg.sudoUsers != []) (let
users = builtins.concatStringsSep "," cfg.sudoUsers;
in ''
${cfg.name} ALL=(${users}) NOPASSWD: ALL
'');
};
}

39
modules/presets/secure-node.nix
View File

@ -5,7 +5,7 @@ with lib;
let let
cfg = config.services; cfg = config.services;
operatorName = config.nix-bitcoin.operatorName; operatorName = config.nix-bitcoin.operator.name;
mkHiddenService = map: { mkHiddenService = map: {
map = [ map ]; map = [ map ];
@ -29,11 +29,6 @@ in {
default = 9735; default = 9735;
description = "Port on which to listen for tor client connections."; description = "Port on which to listen for tor client connections.";
}; };
nix-bitcoin.operatorName = mkOption {
type = types.str;
default = "operator";
description = "Less-privileged user's name.";
};
}; };
config = { config = {
@ -159,35 +154,15 @@ in {
qrencode qrencode
]; ];
# Create operator user which can access the node's services services.onion-chef = {
enable = true;
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
};
nix-bitcoin.operator.enable = true;
users.users.${operatorName} = { users.users.${operatorName} = {
isNormalUser = true;
extraGroups = [
"systemd-journal"
"proc" # Enable full /proc access and systemd-status
cfg.bitcoind.group
]
++ (optionals cfg.clightning.enable [ "clightning" ])
++ (optionals cfg.lnd.enable [ "lnd" ])
++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
[ cfg.hardware-wallets.group ])
++ (optionals cfg.joinmarket.enable [ cfg.joinmarket.group ]);
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
}; };
nix-bitcoin.netns-isolation.allowedUser = operatorName;
# Give operator access to onion hostnames
services.onion-chef.enable = true;
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
security.sudo.configFile =
(optionalString cfg.lnd.enable ''
${operatorName} ALL=(lnd) NOPASSWD: ALL
'') +
(optionalString cfg.joinmarket.enable ''
${operatorName} ALL=(${cfg.joinmarket.user}) NOPASSWD: ALL
'');
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
systemd.services.get-vbox-nixops-client-key = systemd.services.get-vbox-nixops-client-key =
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) { mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {