Give operator access to onion hostnames through new onion-manager module
This commit is contained in:
parent
9201af2342
commit
aba1b7dfc2
@ -42,6 +42,7 @@ in {
|
|||||||
./liquid.nix
|
./liquid.nix
|
||||||
./spark-wallet.nix
|
./spark-wallet.nix
|
||||||
./electrs.nix
|
./electrs.nix
|
||||||
|
./onion-chef.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.nix-bitcoin = {
|
options.services.nix-bitcoin = {
|
||||||
@ -121,8 +122,11 @@ in {
|
|||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "clightning" config.services.bitcoind.group ]
|
extraGroups = [ "clightning" config.services.bitcoind.group ]
|
||||||
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ]);
|
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ]);
|
||||||
|
|
||||||
};
|
};
|
||||||
|
# Give operator access to onion hostnames
|
||||||
|
services.onion-chef.enable = true;
|
||||||
|
services.onion-chef.access.operator = [ "bitcoind" "clightning" "ngninx" "liquidd" "spark-wallet" "electrs" "sshd" ];
|
||||||
|
|
||||||
environment.interactiveShellInit = ''
|
environment.interactiveShellInit = ''
|
||||||
alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
|
alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
|
||||||
alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
|
alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
|
||||||
|
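Review bot: The access list added as `services.onion-chef.access.operator` spells the nginx entry `"ngninx"`, which matches no service; onion-chef's `[ -e "$ONION_FILE" ]` check then silently skips it, and the operator script changed in this same commit, which now reads `/var/lib/onion-chef/operator/nginx`, will never find that file. Change the element to `"nginx"`; the other six entries match the paths the operator script reads. The list also names services that may be disabled (liquidd, spark-wallet, electrs), which is harmless only because the copy step skips missing hostname files, so a short comment such as `# missing hostnames are skipped by onion-chef, so listing disabled services is safe` would spare the next maintainer the check. The enclosing `users.users.operator` attribute set starts outside the hunk.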
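--- /dev/null
+++ b/modules/onion-chef.nix
@@ -0,0 +1,87 @@
+# The onion chef module allows unprivileged users to read onion hostnames.
+# By default the onion hostnames in /var/lib/tor/onion are only readable by the
+# tor user. The onion chef copies the onion hostnames into into
+# /var/lib/onion-chef and sets permissions according to the access option.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.onion-chef;
+dataDir = "/var/lib/onion-chef/";
+onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
+# wait until tor is up
+until ls -l /var/lib/tor/state; do sleep 1; done
+
+mkdir -p -m 0755 ${dataDir}
+cd ${dataDir}
+
+# Create directory for every user and set permissions
+${ builtins.foldl'
+(x: user: x +
+''
+mkdir -p -m 0700 ${user}
+chown ${user} ${user}
+# Copy onion hostnames into the user's directory
+${ builtins.foldl'
+(x: onion: x +
+''
+ONION_FILE=/var/lib/tor/onion/${onion}/hostname
+if [ -e "$ONION_FILE" ]; then
+cp $ONION_FILE ${user}/${onion}
+chown ${user} ${user}/${onion}
+fi
+'')
+""
+(builtins.getAttr user cfg.access)
+}
+'')
+""
+(builtins.attrNames cfg.access)
+}
+'';
+in {
+options.services.onion-chef = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+If enabled, the onion-chef service will be installed.
+'';
+};
+access = mkOption {
+type = types.attrs;
+default = {};
+description = ''
+This option controls who is allowed to access onion hostnames. For
+example the following allows the user operator to access the bitcoind
+and clightning onion.
+{
+"operator" = [ "bitcoind" "clightning" ];
+};
+The onion hostnames can then be read from
+/var/lib/onion-chef/<user>.
+'';
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.onion-chef = {
+description = "Run onion-chef";
+wantedBy = [ "multi-user.target" ];
+requires = [ "tor.service" ];
+partOf = [ "tor.service" ];
+after = [ "tor.service" ];
+serviceConfig = {
+ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
+User = "root";
+Type = "oneshot";
+PrivateTmp = "true";
+ProtectSystem = "full";
+NoNewPrivileges = "true";
+PrivateDevices = "true";
+};
+};
+};
+}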
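Review bot: `access` is typed `types.attrs`, so its keys and list elements are interpolated unchecked and unquoted into a script that runs as root (`mkdir -p -m 0700 ${user}`, `chown ${user} ${user}`, `cp $ONION_FILE ${user}/${onion}`); a malformed value (a non-list, or a name containing spaces) only fails at run time inside that root shell rather than at evaluation. Tightening the option to `type = types.attrsOf (types.listOf types.str);` catches this at eval time, and `cp "$ONION_FILE" ${user}/${onion}` matches the quoting already used in the `[ -e "$ONION_FILE" ]` test two lines above it. That `-e` check also means a misspelled onion name is skipped without any output, so the oneshot reports success while a hostname file is missing; an `else echo "onion-chef: no hostname for ${onion}" >&2` branch would make that visible in the journal. The script has no `set -e`, so a failing `chown` (for example on a user that does not exist) likewise leaves the unit green.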
@ -1,9 +1,9 @@
|
|||||||
set -e
|
set -e
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
BITCOIND_ONION="$(cat /var/lib/tor/onion/bitcoind/hostname)"
|
BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"
|
||||||
CLIGHTNING_NODEID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
|
CLIGHTNING_NODEID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
|
||||||
CLIGHTNING_ONION="$(cat /var/lib/tor/onion/clightning/hostname)"
|
CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"
|
||||||
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
|
CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
|
||||||
|
|
||||||
echo BITCOIND_ONION="$BITCOIND_ONION"
|
echo BITCOIND_ONION="$BITCOIND_ONION"
|
||||||
@ -11,31 +11,31 @@ echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
|
|||||||
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
|
echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
|
||||||
echo CLIGHTNING_ID="$CLIGHTNING_ID"
|
echo CLIGHTNING_ID="$CLIGHTNING_ID"
|
||||||
|
|
||||||
NGINX_ONION_FILE=/var/lib/tor/onion/nginx/hostname
|
NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx
|
||||||
if [ -e "$NGINX_ONION_FILE" ]; then
|
if [ -e "$NGINX_ONION_FILE" ]; then
|
||||||
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
|
NGINX_ONION="$(cat $NGINX_ONION_FILE)"
|
||||||
echo NGINX_ONION="$NGINX_ONION"
|
echo NGINX_ONION="$NGINX_ONION"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
LIQUIDD_ONION_FILE=/var/lib/tor/onion/liquidd/hostname
|
LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd
|
||||||
if [ -e "$LIQUIDD_ONION_FILE" ]; then
|
if [ -e "$LIQUIDD_ONION_FILE" ]; then
|
||||||
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
|
LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
|
||||||
echo LIQUIDD_ONION="$LIQUIDD_ONION"
|
echo LIQUIDD_ONION="$LIQUIDD_ONION"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SPARKWALLET_ONION_FILE=/var/lib/tor/onion/spark-wallet/hostname
|
SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet
|
||||||
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
|
if [ -e "$SPARKWALLET_ONION_FILE" ]; then
|
||||||
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
|
SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
|
||||||
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
|
echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ELECTRS_ONION_FILE=/var/lib/tor/onion/electrs/hostname
|
ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs
|
||||||
if [ -e "$ELECTRS_ONION_FILE" ]; then
|
if [ -e "$ELECTRS_ONION_FILE" ]; then
|
||||||
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
|
ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
|
||||||
echo ELECTRS_ONION="$ELECTRS_ONION"
|
echo ELECTRS_ONION="$ELECTRS_ONION"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SSHD_ONION_FILE=/var/lib/tor/onion/sshd/hostname
|
SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd
|
||||||
if [ -e "$SSHD_ONION_FILE" ]; then
|
if [ -e "$SSHD_ONION_FILE" ]; then
|
||||||
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
|
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
|
||||||
echo SSHD_ONION="$SSHD_ONION"
|
echo SSHD_ONION="$SSHD_ONION"
|
||||||
|
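Review bot: With `set -e` at the top of the script, the unguarded `BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"` and `CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"` in the first hunk abort the whole script with a bare `cat` error if onion-chef has not yet populated `/var/lib/onion-chef/operator` (its unit waits for tor in an `until` loop before copying), whereas the nginx, liquidd, spark-wallet, electrs and sshd entries in the second hunk each test with `[ -e ]` first. Either guard those two the same way or check the directory up front with a clear message, e.g. `[ -d /var/lib/onion-chef/operator ] || { echo "onion-chef has not populated /var/lib/onion-chef/operator yet" >&2; exit 1; }`. The file header for this script is not visible here, and the second hunk's `if` for sshd closes outside the hunk.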