Give operator access to onion hostnames through new onion-manager module
This commit is contained in:
parent
9201af2342
commit
aba1b7dfc2
@ -42,6 +42,7 @@ in {
|
||||
./liquid.nix
|
||||
./spark-wallet.nix
|
||||
./electrs.nix
|
||||
./onion-chef.nix
|
||||
];
|
||||
|
||||
options.services.nix-bitcoin = {
|
||||
@ -121,8 +122,11 @@ in {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "clightning" config.services.bitcoind.group ]
|
||||
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ]);
|
||||
|
||||
};
|
||||
# Give operator access to onion hostnames
|
||||
services.onion-chef.enable = true;
|
||||
services.onion-chef.access.operator = [ "bitcoind" "clightning" "ngninx" "liquidd" "spark-wallet" "electrs" "sshd" ];
|
||||
|
||||
environment.interactiveShellInit = ''
|
||||
alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
|
||||
alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
|
||||
|
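Review bot: The access list on the `services.onion-chef.access.operator` line spells the nginx onion `"ngninx"`, so onion-chef will look for `/var/lib/tor/onion/ngninx/hostname`, find nothing, and skip it without a message because of the script's `-e` test; the operator therefore never gets `/var/lib/onion-chef/operator/nginx`, which the operator script changed in this same commit reads. The line should read `services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];`. The enclosing module attribute set starts and ends outside this hunk.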
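--- /dev/null
+++ b/modules/onion-chef.nix
@@ -0,0 +1,87 @@
+# The onion chef module allows unprivileged users to read onion hostnames.
+# By default the onion hostnames in /var/lib/tor/onion are only readable by the
+# tor user. The onion chef copies the onion hostnames into into
+# /var/lib/onion-chef and sets permissions according to the access option.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.onion-chef;
+dataDir = "/var/lib/onion-chef/";
+onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
+# wait until tor is up
+until ls -l /var/lib/tor/state; do sleep 1; done
+
+mkdir -p -m 0755 ${dataDir}
+cd ${dataDir}
+
+# Create directory for every user and set permissions
+${ builtins.foldl'
+(x: user: x +
+''
+mkdir -p -m 0700 ${user}
+chown ${user} ${user}
+# Copy onion hostnames into the user's directory
+${ builtins.foldl'
+(x: onion: x +
+''
+ONION_FILE=/var/lib/tor/onion/${onion}/hostname
+if [ -e "$ONION_FILE" ]; then
+cp $ONION_FILE ${user}/${onion}
+chown ${user} ${user}/${onion}
+fi
+'')
+""
+(builtins.getAttr user cfg.access)
+}
+'')
+""
+(builtins.attrNames cfg.access)
+}
+'';
+in {
+options.services.onion-chef = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+If enabled, the onion-chef service will be installed.
+'';
+};
+access = mkOption {
+type = types.attrs;
+default = {};
+description = ''
+This option controls who is allowed to access onion hostnames. For
+example the following allows the user operator to access the bitcoind
+and clightning onion.
+{
+"operator" = [ "bitcoind" "clightning" ];
+};
+The onion hostnames can then be read from
+/var/lib/onion-chef/<user>.
+'';
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.onion-chef = {
+description = "Run onion-chef";
+wantedBy = [ "multi-user.target" ];
+requires = [ "tor.service" ];
+partOf = [ "tor.service" ];
+after = [ "tor.service" ];
+serviceConfig = {
+ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
+User = "root";
+Type = "oneshot";
+PrivateTmp = "true";
+ProtectSystem = "full";
+NoNewPrivileges = "true";
+PrivateDevices = "true";
+};
+};
+};
+}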
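Review bot: Removing an onion or a user from `services.onion-chef.access` does not revoke anything, because the script in `onion-chef-script` only creates directories and copies files under `dataDir` and never deletes copies left by earlier runs; inserting `find ${dataDir} -mindepth 1 -delete` right after the `cd ${dataDir}` line would make each run reflect the current option value. The readiness loop `until ls -l /var/lib/tor/state` only shows that tor's state directory exists; a hostname file tor has not yet written is skipped by the `[ -e "$ONION_FILE" ]` test with no log line, so the copied set can be silently incomplete, and either an `echo` of the skipped name to stderr or waiting on the hostname file itself would make that visible. The `access` option is typed `types.attrs`, which accepts any attribute set; `types.attrsOf (types.listOf types.str)` would reject a malformed value at evaluation time and document the expected shape. The header comment also has a doubled word, `into into`.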
@ -1,9 +1,9 @@
|
||||
set -e
|
||||
set -o pipefail
|
||||
|
||||
BITCOIND_ONION="$(cat /var/lib/tor/onion/bitcoind/hostname)"
|
||||
BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"
|
||||
CLIGHTNING_NODEID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
|
||||
CLIGHTNING_ONION="$(cat /var/lib/tor/onion/clightning/hostname)"
|
||||
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"
|
||||
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
|
||||
|
||||
echo BITCOIND_ONION="$BITCOIND_ONION"
|
||||
@ -11,31 +11,31 @@ echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
|
||||
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
|
||||
echo CLIGHTNING_ID="$CLIGHTNING_ID"
|
||||
|
||||
NGINX_ONION_FILE=/var/lib/tor/onion/nginx/hostname
|
||||
NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx
|
||||
if [ -e "$NGINX_ONION_FILE" ]; then
|
||||
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
|
||||
echo NGINX_ONION="$NGINX_ONION"
|
||||
fi
|
||||
|
||||
LIQUIDD_ONION_FILE=/var/lib/tor/onion/liquidd/hostname
|
||||
LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd
|
||||
if [ -e "$LIQUIDD_ONION_FILE" ]; then
|
||||
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
|
||||
echo LIQUIDD_ONION="$LIQUIDD_ONION"
|
||||
fi
|
||||
|
||||
SPARKWALLET_ONION_FILE=/var/lib/tor/onion/spark-wallet/hostname
|
||||
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet
|
||||
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
|
||||
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
|
||||
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
|
||||
fi
|
||||
|
||||
ELECTRS_ONION_FILE=/var/lib/tor/onion/electrs/hostname
|
||||
ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs
|
||||
if [ -e "$ELECTRS_ONION_FILE" ]; then
|
||||
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
|
||||
echo ELECTRS_ONION="$ELECTRS_ONION"
|
||||
fi
|
||||
|
||||
SSHD_ONION_FILE=/var/lib/tor/onion/sshd/hostname
|
||||
SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd
|
||||
if [ -e "$SSHD_ONION_FILE" ]; then
|
||||
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
|
||||
echo SSHD_ONION="$SSHD_ONION"
|
||||
|
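Review bot: The new `/var/lib/onion-chef/operator/...` paths only exist for names listed in `services.onion-chef.access.operator` and only after the `onion-chef` oneshot has run, but nothing in the script records that dependency; a header comment such as `# Onion hostnames are copied here by the onion-chef service according to services.onion-chef.access.operator` would save the next reader a search. The `BITCOIND_ONION` and `CLIGHTNING_ONION` reads in the first hunk are unconditional under `set -e`, so if onion-chef has not populated the directory yet the script aborts before printing anything, while the later reads are guarded by `-e` tests; the inconsistency predates this commit, but the path change is the natural moment to align them.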