onionAddresses: use service 'script' option

This also makes the script stop on errors.
Erik Arvstedt 2021-01-14 13:24:14 +01:00
parent 6d13b26d0a
commit b266f23251


@ -4,7 +4,7 @@
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/ # The included service copies onion addresses to /var/lib/onion-addresses/<user>/
# and sets permissions according to option 'access'. # and sets permissions according to option 'access'.
{ config, lib, pkgs, ... }: { config, lib, ... }:
with lib; with lib;
@ -12,36 +12,6 @@ let
cfg = config.nix-bitcoin.onionAddresses; cfg = config.nix-bitcoin.onionAddresses;
inherit (config) nix-bitcoin-services; inherit (config) nix-bitcoin-services;
dataDir = "/var/lib/onion-addresses/"; dataDir = "/var/lib/onion-addresses/";
onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
# wait until tor is up
until ls -l /var/lib/tor/state; do sleep 1; done
cd ${dataDir}
# Create directory for every user and set permissions
${ builtins.foldl'
(x: user: x +
''
mkdir -p -m 0700 ${user}
chown ${user} ${user}
# Copy onion hostnames into the user's directory
${ builtins.foldl'
(x: onion: x +
''
ONION_FILE=/var/lib/tor/onion/${onion}/hostname
if [ -e "$ONION_FILE" ]; then
cp $ONION_FILE ${user}/${onion}
chown ${user} ${user}/${onion}
fi
'')
""
(builtins.getAttr user cfg.access)
}
'')
""
(builtins.attrNames cfg.access)
}
'';
in { in {
options.nix-bitcoin.onionAddresses = { options.nix-bitcoin.onionAddresses = {
access = mkOption { access = mkOption {
@ -66,7 +36,6 @@ in {
bindsTo = [ "tor.service" ]; bindsTo = [ "tor.service" ];
after = [ "tor.service" ]; after = [ "tor.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
StateDirectory = "onion-addresses"; StateDirectory = "onion-addresses";
@ -74,6 +43,36 @@ in {
PrivateUsers = "false"; PrivateUsers = "false";
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"; CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
}; };
script = ''
# wait until tor is up
until ls -l /var/lib/tor/state; do sleep 1; done
cd ${dataDir}
# Create directory for every user and set permissions
${ builtins.foldl'
(x: user: x +
''
mkdir -p -m 0700 ${user}
chown ${user} ${user}
# Copy onion hostnames into the user's directory
${ builtins.foldl'
(x: onion: x +
''
ONION_FILE=/var/lib/tor/onion/${onion}/hostname
if [ -e "$ONION_FILE" ]; then
cp $ONION_FILE ${user}/${onion}
chown ${user} ${user}/${onion}
fi
'')
""
(builtins.getAttr user cfg.access)
}
'')
""
(builtins.attrNames cfg.access)
}
'';
}; };
}; };
} }
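Review bot: The readiness probe in the new `script` body, `until ls -l /var/lib/tor/state; do sleep 1; done`, writes a directory listing to the journal on every iteration and once more on success; `until [ -e /var/lib/tor/state ]; do sleep 1; done` checks the same condition silently and matches the `[ -e "$ONION_FILE" ]` test used a few lines below. Since the script now runs with errexit (per the commit description), the unquoted `$ONION_FILE` in `cp $ONION_FILE ${user}/${onion}` is worth quoting as `cp "$ONION_FILE" ${user}/${onion}` so the copy and the preceding test treat the path identically. Note also that `mkdir -p -m 0700 ${user}` applies the mode only when the directory is newly created; if a per-user directory already exists with looser permissions it is left as is, so a following `chmod 0700 ${user}` would make the access restriction hold on every run rather than only the first. The enclosing `systemd.services` definition begins outside this hunk.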