Give operator access to onion hostnames through new onion-manager module

This commit is contained in:
Jonas Nick 2019-03-29 14:46:13 +00:00
parent 9201af2342
commit aba1b7dfc2
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
3 changed files with 99 additions and 8 deletions

View File

@ -42,6 +42,7 @@ in {
./liquid.nix
./spark-wallet.nix
./electrs.nix
./onion-chef.nix
];
options.services.nix-bitcoin = {
@ -121,8 +122,11 @@ in {
isNormalUser = true;
extraGroups = [ "clightning" config.services.bitcoind.group ]
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ]);
};
# Give operator access to onion hostnames
services.onion-chef.enable = true;
services.onion-chef.access.operator = [ "bitcoind" "clightning" "ngninx" "liquidd" "spark-wallet" "electrs" "sshd" ];
environment.interactiveShellInit = ''
alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'

87
modules/onion-chef.nix Normal file
View File

@ -0,0 +1,87 @@
# The onion chef module allows unprivileged users to read onion hostnames.
# By default the onion hostnames in /var/lib/tor/onion are only readable by the
# tor user. The onion chef copies the onion hostnames into into
# /var/lib/onion-chef and sets permissions according to the access option.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.onion-chef;
dataDir = "/var/lib/onion-chef/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
# wait until tor is up
until ls -l /var/lib/tor/state; do sleep 1; done
mkdir -p -m 0755 ${dataDir}
cd ${dataDir}
# Create directory for every user and set permissions
${ builtins.foldl'
(x: user: x +
''
mkdir -p -m 0700 ${user}
chown ${user} ${user}
# Copy onion hostnames into the user's directory
${ builtins.foldl'
(x: onion: x +
''
ONION_FILE=/var/lib/tor/onion/${onion}/hostname
if [ -e "$ONION_FILE" ]; then
cp $ONION_FILE ${user}/${onion}
chown ${user} ${user}/${onion}
fi
'')
""
(builtins.getAttr user cfg.access)
}
'')
""
(builtins.attrNames cfg.access)
}
'';
in {
options.services.onion-chef = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the onion-chef service will be installed.
'';
};
access = mkOption {
type = types.attrs;
default = {};
description = ''
This option controls who is allowed to access onion hostnames. For
example the following allows the user operator to access the bitcoind
and clightning onion.
{
"operator" = [ "bitcoind" "clightning" ];
};
The onion hostnames can then be read from
/var/lib/onion-chef/<user>.
'';
};
};
config = mkIf cfg.enable {
systemd.services.onion-chef = {
description = "Run onion-chef";
wantedBy = [ "multi-user.target" ];
requires = [ "tor.service" ];
partOf = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig = {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
User = "root";
Type = "oneshot";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
};
};
}

View File

@ -1,9 +1,9 @@
set -e
set -o pipefail
BITCOIND_ONION="$(cat /var/lib/tor/onion/bitcoind/hostname)"
BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"
CLIGHTNING_NODEID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
CLIGHTNING_ONION="$(cat /var/lib/tor/onion/clightning/hostname)"
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
echo BITCOIND_ONION="$BITCOIND_ONION"
@ -11,31 +11,31 @@ echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
echo CLIGHTNING_ID="$CLIGHTNING_ID"
NGINX_ONION_FILE=/var/lib/tor/onion/nginx/hostname
NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx
if [ -e "$NGINX_ONION_FILE" ]; then
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
echo NGINX_ONION="$NGINX_ONION"
fi
LIQUIDD_ONION_FILE=/var/lib/tor/onion/liquidd/hostname
LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd
if [ -e "$LIQUIDD_ONION_FILE" ]; then
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
echo LIQUIDD_ONION="$LIQUIDD_ONION"
fi
SPARKWALLET_ONION_FILE=/var/lib/tor/onion/spark-wallet/hostname
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
fi
ELECTRS_ONION_FILE=/var/lib/tor/onion/electrs/hostname
ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs
if [ -e "$ELECTRS_ONION_FILE" ]; then
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
echo ELECTRS_ONION="$ELECTRS_ONION"
fi
SSHD_ONION_FILE=/var/lib/tor/onion/sshd/hostname
SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd
if [ -e "$SSHD_ONION_FILE" ]; then
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
echo SSHD_ONION="$SSHD_ONION"