onionAddresses: use service 'script' option

This also makes the script stop on errors.
This commit is contained in:
Erik Arvstedt 2021-01-14 13:24:14 +01:00
parent 6d13b26d0a
commit b266f23251
No known key found for this signature in database
GPG Key ID: 33312B944DD97846

View File

@ -4,7 +4,7 @@
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/ # The included service copies onion addresses to /var/lib/onion-addresses/<user>/
# and sets permissions according to option 'access'. # and sets permissions according to option 'access'.
{ config, lib, pkgs, ... }: { config, lib, ... }:
with lib; with lib;
@ -12,7 +12,38 @@ let
cfg = config.nix-bitcoin.onionAddresses; cfg = config.nix-bitcoin.onionAddresses;
inherit (config) nix-bitcoin-services; inherit (config) nix-bitcoin-services;
dataDir = "/var/lib/onion-addresses/"; dataDir = "/var/lib/onion-addresses/";
onion-addresses-script = pkgs.writeScript "onion-addresses.sh" '' in {
options.nix-bitcoin.onionAddresses = {
access = mkOption {
type = with types; attrsOf (listOf str);
default = {};
description = ''
This option controls who is allowed to access onion addresses.
For example, the following allows user 'myuser' to access bitcoind
and clightning onion addresses:
{
"myuser" = [ "bitcoind" "clightning" ];
};
The onion hostnames can then be read from
/var/lib/onion-addresses/myuser.
'';
};
};
config = mkIf (cfg.access != {}) {
systemd.services.onion-addresses = {
wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
Type = "oneshot";
RemainAfterExit = true;
StateDirectory = "onion-addresses";
PrivateNetwork = "true"; # This service needs no network access
PrivateUsers = "false";
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
};
script = ''
# wait until tor is up # wait until tor is up
until ls -l /var/lib/tor/state; do sleep 1; done until ls -l /var/lib/tor/state; do sleep 1; done
@ -42,38 +73,6 @@ let
(builtins.attrNames cfg.access) (builtins.attrNames cfg.access)
} }
''; '';
in {
options.nix-bitcoin.onionAddresses = {
access = mkOption {
type = with types; attrsOf (listOf str);
default = {};
description = ''
This option controls who is allowed to access onion addresses.
For example, the following allows user 'myuser' to access bitcoind
and clightning onion addresses:
{
"myuser" = [ "bitcoind" "clightning" ];
};
The onion hostnames can then be read from
/var/lib/onion-addresses/myuser.
'';
};
};
config = mkIf (cfg.access != {}) {
systemd.services.onion-addresses = {
wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
Type = "oneshot";
RemainAfterExit = true;
StateDirectory = "onion-addresses";
PrivateNetwork = "true"; # This service needs no network access
PrivateUsers = "false";
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
};
}; };
}; };
} }