diff --git a/modules/clightning.nix b/modules/clightning.nix
index 332ee82..af259cb 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -39,48 +39,46 @@ in {
 };
 config = mkIf cfg.enable {
- users.users.clightning =
- {
- description = "clightning User";
- group = "clightning";
- extraGroups = [ "bitcoinrpc" "keys" ];
- home = cfg.dataDir;
- };
- users.groups.clightning = {
- name = "clightning";
- };
-
- systemd.services.clightning =
- { description = "Run clightningd";
- path = [ pkgs.bitcoin ];
- wantedBy = [ "multi-user.target" ];
- requires = [ "bitcoind.service" ];
- after = [ "bitcoind.service" ];
- preStart = ''
- mkdir -m 0770 -p ${cfg.dataDir}
- rm -f ${cfg.dataDir}/config
- chown 'clightning:clightning' '${cfg.dataDir}'
- cp ${configFile} ${cfg.dataDir}/config
- chown 'clightning:clightning' '${cfg.dataDir}/config'
- chmod +w ${cfg.dataDir}/config
- chmod o-rw ${cfg.dataDir}/config
- # The RPC socket has to be removed otherwise we might have stale sockets
- rm -f ${cfg.dataDir}/lightning-rpc
- echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
- '';
- serviceConfig =
- {
- PermissionsStartOnly = "true";
- ExecStart = "${pkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
- User = "clightning";
- Restart = "on-failure";
- RestartSec = "10s";
- PrivateTmp = "true";
- ProtectSystem = "full";
- NoNewPrivileges = "true";
- PrivateDevices = "true";
- MemoryDenyWriteExecute = "true";
- };
- };
+ users.users.clightning = {
+ description = "clightning User";
+ group = "clightning";
+ extraGroups = [ "bitcoinrpc" "keys" ];
+ home = cfg.dataDir;
 };
+ users.groups.clightning = {
+ name = "clightning";
+ };
+
+ systemd.services.clightning = {
+ description = "Run clightningd";
+ path = [ pkgs.bitcoin ];
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" ];
+ preStart = ''
+ mkdir -m 0770 -p ${cfg.dataDir}
+ rm -f ${cfg.dataDir}/config
+ chown 'clightning:clightning' '${cfg.dataDir}'
+ cp ${configFile} ${cfg.dataDir}/config
+ chown 'clightning:clightning' '${cfg.dataDir}/config'
+ chmod +w ${cfg.dataDir}/config
+ chmod o-rw ${cfg.dataDir}/config
+ # The RPC socket has to be removed otherwise we might have stale sockets
+ rm -f ${cfg.dataDir}/lightning-rpc
+ echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
+ '';
+ serviceConfig = {
+ PermissionsStartOnly = "true";
+ ExecStart = "${pkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
+ User = "clightning";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ PrivateTmp = "true";
+ ProtectSystem = "full";
+ NoNewPrivileges = "true";
+ PrivateDevices = "true";
+ MemoryDenyWriteExecute = "true";
+ };
+ };
+ };
 }
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index 91008f4..20cff19 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -23,26 +23,25 @@ in {
 };
 config = mkIf cfg.enable {
- systemd.services.lightning-charge =
- { description = "Run lightning-charge";
- wantedBy = [ "multi-user.target" ];
- requires = [ "clightning.service" ];
- after = [ "clightning.service" ];
- serviceConfig =
- {
- EnvironmentFile = "/secrets/lightning-charge-api-token";
- ExecStart = "${pkgs.lightning-charge.package}/bin/charged -l ${config.services.clightning.dataDir} -d ${config.services.clightning.dataDir}/lightning-charge.db";
- # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
- # so this must run as the clightning user
- # https://github.com/ElementsProject/lightning/issues/1366
- User = "clightning";
- Restart = "on-failure";
- RestartSec = "10s";
- PrivateTmp = "true";
- ProtectSystem = "full";
- NoNewPrivileges = "true";
- PrivateDevices = "true";
- };
- };
+ systemd.services.lightning-charge = {
+ description = "Run lightning-charge";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "clightning.service" ];
+ after = [ "clightning.service" ];
+ serviceConfig = {
+ EnvironmentFile = "/secrets/lightning-charge-api-token";
+ ExecStart = "${pkgs.lightning-charge.package}/bin/charged -l ${config.services.clightning.dataDir} -d ${config.services.clightning.dataDir}/lightning-charge.db";
+ # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
+ # so this must run as the clightning user
+ # https://github.com/ElementsProject/lightning/issues/1366
+ User = "clightning";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ PrivateTmp = "true";
+ ProtectSystem = "full";
+ NoNewPrivileges = "true";
+ PrivateDevices = "true";
+ };
 };
+ };
 }
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index 71d2526..fcadc73 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -51,34 +51,33 @@ in {
 };
 config = mkIf cfg.enable {
- users.users.nanopos =
- {
- description = "nanopos User";
- group = "nanopos";
- extraGroups = [ "keys" ];
- };
- users.groups.nanopos = {
- name = "nanopos";
- };
-
- systemd.services.nanopos =
- { description = "Run nanopos";
- wantedBy = [ "multi-user.target" ];
- requires = [ "lightning-charge.service" ];
- after = [ "lightning-charge.service" ];
- serviceConfig =
- {
- EnvironmentFile = "/secrets/lightning-charge-api-token-for-nanopos";
- ExecStart = "${pkgs.nanopos.package}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
-
- User = "nanopos";
- Restart = "on-failure";
- RestartSec = "10s";
- PrivateTmp = "true";
- ProtectSystem = "full";
- NoNewPrivileges = "true";
- PrivateDevices = "true";
- };
- };
+ users.users.nanopos =
+ {
+ description = "nanopos User";
+ group = "nanopos";
+ extraGroups = [ "keys" ];
 };
+ users.groups.nanopos = {
+ name = "nanopos";
+ };
+
+ systemd.services.nanopos = {
+ description = "Run nanopos";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "lightning-charge.service" ];
+ after = [ "lightning-charge.service" ];
+ serviceConfig = {
+ EnvironmentFile = "/secrets/lightning-charge-api-token-for-nanopos";
+ ExecStart = "${pkgs.nanopos.package}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
+
+ User = "nanopos";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ PrivateTmp = "true";
+ ProtectSystem = "full";
+ NoNewPrivileges = "true";
+ PrivateDevices = "true";
+ };
+ };
+ };
 }
diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix
index b66206a..2bfa1f8 100644
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
@@ -30,16 +30,15 @@ let
 chown -R operator ${config.users.users.operator.home}/.ssh
 '';
 in {
- imports =
- [
- ./bitcoind.nix
- ./clightning.nix
- ./lightning-charge.nix
- ./nanopos.nix
- ./nix-bitcoin-webindex.nix
- ./liquid.nix
- ./spark-wallet.nix
- ];
+ imports = [
+ ./bitcoind.nix
+ ./clightning.nix
+ ./lightning-charge.nix
+ ./nanopos.nix
+ ./nix-bitcoin-webindex.nix
+ ./liquid.nix
+ ./spark-wallet.nix
+ ];
 options.services.nix-bitcoin = {
 enable = mkOption {
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 0cde120..4c201d3 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -23,22 +23,21 @@ in {
 };
 config = mkIf cfg.enable {
- systemd.services.spark-wallet =
- { description = "Run spark-wallet";
- wantedBy = [ "multi-user.target" ];
- requires = [ "clightning.service" ];
- after = [ "clightning.service" ];
- serviceConfig =
- {
- ExecStart = "${pkgs.spark-wallet.package}/bin/spark-wallet --ln-path ${cfg.ln-path} -k -c /secrets/spark-wallet-password";
- User = "clightning";
- Restart = "on-failure";
- RestartSec = "10s";
- PrivateTmp = "true";
- ProtectSystem = "full";
- NoNewPrivileges = "true";
- PrivateDevices = "true";
- };
- };
+ systemd.services.spark-wallet = {
+ description = "Run spark-wallet";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "clightning.service" ];
+ after = [ "clightning.service" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.spark-wallet.package}/bin/spark-wallet --ln-path ${cfg.ln-path} -k -c /secrets/spark-wallet-password";
+ User = "clightning";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ PrivateTmp = "true";
+ ProtectSystem = "full";
+ NoNewPrivileges = "true";
+ PrivateDevices = "true";
+ };
 };
+ };
 }
diff --git a/nix-bitcoin.nix b/nix-bitcoin.nix
index adc563b..79e4f42 100644
--- a/nix-bitcoin.nix
+++ b/nix-bitcoin.nix
@@ -15,11 +15,10 @@ liquidd = pkgs.callPackage (import pkgs/liquidd.nix) { };
 in {
 disabledModules = [ "services/security/tor.nix" ];
- imports =
- [
- ./modules/nix-bitcoin.nix
- (unstable-pkgs-git + "/nixos/modules/services/security/tor.nix")
- ];
+ imports = [
+ ./modules/nix-bitcoin.nix
+ (unstable-pkgs-git + "/nixos/modules/services/security/tor.nix")
+ ];
 nixpkgs.config.packageOverrides = pkgs: {
 # Use bitcoin and clightning from unstable
diff --git a/pkgs/lightning-charge.nix b/pkgs/lightning-charge.nix
index 6ffc2d0..b157c81 100644
--- a/pkgs/lightning-charge.nix
+++ b/pkgs/lightning-charge.nix
@@ -1,6 +1,5 @@
 {pkgs, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-8_x"}:
- with pkgs; let d1 = stdenv.mkDerivation {
diff --git a/pkgs/nanopos.nix b/pkgs/nanopos.nix
index be60aba..899802e 100644
--- a/pkgs/nanopos.nix
+++ b/pkgs/nanopos.nix
@@ -1,6 +1,5 @@
 {pkgs, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-8_x"}:
- with pkgs; let d1 = stdenv.mkDerivation {
diff --git a/pkgs/spark-wallet.nix b/pkgs/spark-wallet.nix
index 72f11b3..e298bac 100644
--- a/pkgs/spark-wallet.nix
+++ b/pkgs/spark-wallet.nix
@@ -1,6 +1,5 @@
 {pkgs, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-8_x"}:
- with pkgs; let d1 = stdenv.mkDerivation {