onionAddresses: use service 'script' option
This also makes the script stop on errors.
parent
6d13b26d0a
commit
b266f23251
@ -4,7 +4,7 @@
|
|||||||
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
|
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
|
||||||
# and sets permissions according to option 'access'.
|
# and sets permissions according to option 'access'.
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
@ -12,7 +12,38 @@ let
|
|||||||
cfg = config.nix-bitcoin.onionAddresses;
|
cfg = config.nix-bitcoin.onionAddresses;
|
||||||
inherit (config) nix-bitcoin-services;
|
inherit (config) nix-bitcoin-services;
|
||||||
dataDir = "/var/lib/onion-addresses/";
|
dataDir = "/var/lib/onion-addresses/";
|
||||||
onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
|
in {
|
||||||
|
options.nix-bitcoin.onionAddresses = {
|
||||||
|
access = mkOption {
|
||||||
|
type = with types; attrsOf (listOf str);
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
This option controls who is allowed to access onion addresses.
|
||||||
|
For example, the following allows user 'myuser' to access bitcoind
|
||||||
|
and clightning onion addresses:
|
||||||
|
{
|
||||||
|
"myuser" = [ "bitcoind" "clightning" ];
|
||||||
|
};
|
||||||
|
The onion hostnames can then be read from
|
||||||
|
/var/lib/onion-addresses/myuser.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf (cfg.access != {}) {
|
||||||
|
systemd.services.onion-addresses = {
|
||||||
|
wantedBy = [ "tor.service" ];
|
||||||
|
bindsTo = [ "tor.service" ];
|
||||||
|
after = [ "tor.service" ];
|
||||||
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
StateDirectory = "onion-addresses";
|
||||||
|
PrivateNetwork = "true"; # This service needs no network access
|
||||||
|
PrivateUsers = "false";
|
||||||
|
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
# wait until tor is up
|
# wait until tor is up
|
||||||
until ls -l /var/lib/tor/state; do sleep 1; done
|
until ls -l /var/lib/tor/state; do sleep 1; done
|
||||||
|
|
||||||
@ -42,38 +73,6 @@ let
|
|||||||
(builtins.attrNames cfg.access)
|
(builtins.attrNames cfg.access)
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
in {
|
|
||||||
options.nix-bitcoin.onionAddresses = {
|
|
||||||
access = mkOption {
|
|
||||||
type = with types; attrsOf (listOf str);
|
|
||||||
default = {};
|
|
||||||
description = ''
|
|
||||||
This option controls who is allowed to access onion addresses.
|
|
||||||
For example, the following allows user 'myuser' to access bitcoind
|
|
||||||
and clightning onion addresses:
|
|
||||||
{
|
|
||||||
"myuser" = [ "bitcoind" "clightning" ];
|
|
||||||
};
|
|
||||||
The onion hostnames can then be read from
|
|
||||||
/var/lib/onion-addresses/myuser.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf (cfg.access != {}) {
|
|
||||||
systemd.services.onion-addresses = {
|
|
||||||
wantedBy = [ "tor.service" ];
|
|
||||||
bindsTo = [ "tor.service" ];
|
|
||||||
after = [ "tor.service" ];
|
|
||||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
|
||||||
ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
StateDirectory = "onion-addresses";
|
|
||||||
PrivateNetwork = "true"; # This service needs no network access
|
|
||||||
PrivateUsers = "false";
|
|
||||||
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
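Review bot: The commit message says the script now stops on errors, but the `bash -e` that the systemd `script` option provides does not fail a pipeline whose last command succeeds, so an error in an earlier pipeline stage still passes silently; the script body after the tor wait loop continues outside this hunk, and if it uses pipelines (e.g. to read hostname files or compute ownership), add `set -o pipefail` as the first line after `script = ''` so the oneshot really fails on those errors. The wait loop in the same hunk runs `ls -l` once a second and writes its listing to the journal on every iteration; if existence of the state directory is the intended readiness signal, `until [ -e /var/lib/tor/state ]; do sleep 1; done` waits on the same condition without the noise. Since `pkgs` is dropped from the module arguments, anything in the out-of-hunk script body that still interpolates `${pkgs.…}` will no longer evaluate, which is worth confirming before merge.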