Merge #324: Fix lnd onion

ecc601a6d6 onion-addresses: mirror nix-bitcoin.onionAddresses.access behavior (nixbitcoin)
e873326bfe modules: use user & group options (nixbitcoin)
ccef870b74 spark-wallet: add user & group options (nixbitcoin)
85a1722545 lnd: add user & group options (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK ecc601a6d6

Tree-SHA512: 39da5f8e01b98a676af8a073c11df64df487b5c3ab01327a227d16f215826f5bf15ca9ac21b59934edc5e2bbb87e397c53fcbf7130bd10b00f1df359ab3328ba
Jonas Nick 2021-02-17 19:08:02 +00:00
commit bcad047757
GPG Key ID: 4861DBF262123605
11 changed files with 56 additions and 36 deletions


@ -385,13 +385,13 @@ in {
users.groups.bitcoinrpc = {}; users.groups.bitcoinrpc = {};
nix-bitcoin.operator.groups = [ cfg.group ]; nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin"; nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user;
nix-bitcoin.secrets.bitcoin-rpcpassword-public = { nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
user = "bitcoin"; user = cfg.user;
group = "bitcoinrpc"; group = "bitcoinrpc";
}; };
nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = "bitcoin"; nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = cfg.user;
nix-bitcoin.secrets.bitcoin-HMAC-public.user = "bitcoin"; nix-bitcoin.secrets.bitcoin-HMAC-public.user = cfg.user;
}; };
} }


@ -218,7 +218,7 @@ in {
users.groups.${cfg.nbxplorer.group} = {}; users.groups.${cfg.nbxplorer.group} = {};
users.users.${cfg.btcpayserver.user} = { users.users.${cfg.btcpayserver.user} = {
group = cfg.btcpayserver.group; group = cfg.btcpayserver.group;
extraGroups = [ "nbxplorer" ] extraGroups = [ cfg.nbxplorer.group ]
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user; ++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
home = cfg.btcpayserver.dataDir; home = cfg.btcpayserver.dataDir;
}; };
@ -226,10 +226,10 @@ in {
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
bitcoin-rpcpassword-btcpayserver = { bitcoin-rpcpassword-btcpayserver = {
user = "bitcoin"; user = cfg.bitcoind.user;
group = "nbxplorer"; group = cfg.nbxplorer.group;
}; };
bitcoin-HMAC-btcpayserver.user = "bitcoin"; bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
}; };
}; };
} }


@ -110,7 +110,7 @@ in {
users.users.${cfg.user} = { users.users.${cfg.user} = {
group = cfg.group; group = cfg.group;
extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ]; extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.user ];
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
}; };
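Review bot: The new `extraGroups` value on the `users.users.${cfg.user}` line passes `bitcoind.user` where a group name is expected; the bitcoind module exposes a separate group option (its own hunk uses `cfg.group` for `nix-bitcoin.operator.groups`), so the two names only coincide while the group default is left unchanged. When an operator sets a distinct bitcoind group, this membership is granted to a group that does not exist and the high-memory access to the bitcoind data directory silently stops working. Use the group option instead: `extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.group ];`. The `bitcoind` binding and the enclosing attribute set start outside the hunk, so I am assuming it refers to `config.services.bitcoind`.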


@ -89,7 +89,7 @@ in {
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 lnd lnd - -" "d '${cfg.dataDir}' 0770 ${config.services.lnd.user} ${config.services.lnd.group} - -"
]; ];
systemd.services.lightning-loop = { systemd.services.lightning-loop = {
@ -98,7 +98,7 @@ in {
after = [ "lnd.service" ]; after = [ "lnd.service" ];
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}"; ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
User = "lnd"; User = config.services.lnd.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
@ -108,8 +108,8 @@ in {
}; };
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
loop-key.user = "lnd"; loop-key.user = config.services.lnd.user;
loop-cert.user = "lnd"; loop-cert.user = config.services.lnd.user;
}; };
}; };
} }


@ -252,6 +252,6 @@ in {
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ]; nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid"; nix-bitcoin.secrets.liquid-rpcpassword.user = cfg.user;
}; };
} }


@ -11,7 +11,7 @@ let
lnd = config.services.lnd; lnd = config.services.lnd;
bin = pkgs.writeScriptBin "lndconnect-rest-onion" '' bin = pkgs.writeScriptBin "lndconnect-rest-onion" ''
#!/usr/bin/env -S ${runAsUser} lnd ${pkgs.bash}/bin/bash #!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash
exec ${cfg.package}/bin/lndconnect \ exec ${cfg.package}/bin/lndconnect \
--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \ --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \


@ -124,7 +124,7 @@ in {
default = pkgs.writeScriptBin "lncli" default = pkgs.writeScriptBin "lncli"
# Switch user because lnd makes datadir contents readable by user only # Switch user because lnd makes datadir contents readable by user only
'' ''
${runAsUser} lnd ${cfg.package}/bin/lncli \ ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
--rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \ --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
--tlscertpath '${secretsDir}/lnd-cert' \ --tlscertpath '${secretsDir}/lnd-cert' \
--macaroonpath '${networkDir}/admin.macaroon' "$@" --macaroonpath '${networkDir}/admin.macaroon' "$@"
@ -139,6 +139,16 @@ in {
If left empty, no address is announced. If left empty, no address is announced.
''; '';
}; };
user = mkOption {
type = types.str;
default = "lnd";
description = "The user as which to run LND.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = "The group as which to run LND.";
};
inherit (nbLib) enforceTor; inherit (nbLib) enforceTor;
}; };
@ -163,7 +173,7 @@ in {
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 lnd lnd - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
]; ];
systemd.services.lnd = { systemd.services.lnd = {
@ -183,7 +193,7 @@ in {
RuntimeDirectory = "lnd"; # Only used to store custom macaroons RuntimeDirectory = "lnd"; # Only used to store custom macaroons
RuntimeDirectoryMode = "711"; RuntimeDirectoryMode = "711";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf"; ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
User = "lnd"; User = cfg.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
@ -206,7 +216,7 @@ in {
--cacert ${secretsDir}/lnd-cert \ --cacert ${secretsDir}/lnd-cert \
-X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
fi fi
chown lnd: "$mnemonic" chown ${cfg.user}: "$mnemonic"
'') '')
(nbLib.script "lnd-create-wallet" '' (nbLib.script "lnd-create-wallet" ''
if [[ ! -f ${networkDir}/wallet.db ]]; then if [[ ! -f ${networkDir}/wallet.db ]]; then
@ -263,21 +273,21 @@ in {
) // nbLib.allowAnyProtocol; # For ZMQ ) // nbLib.allowAnyProtocol; # For ZMQ
}; };
users.users.lnd = { users.users.${cfg.user} = {
group = "lnd"; group = cfg.group;
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
home = cfg.dataDir; # lnd creates .lnd dir in HOME home = cfg.dataDir; # lnd creates .lnd dir in HOME
}; };
users.groups.lnd = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator = { nix-bitcoin.operator = {
groups = [ "lnd" ]; groups = [ cfg.group ];
allowRunAsUsers = [ "lnd" ]; allowRunAsUsers = [ cfg.user ];
}; };
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
lnd-wallet-password.user = "lnd"; lnd-wallet-password.user = cfg.user;
lnd-key.user = "lnd"; lnd-key.user = cfg.user;
lnd-cert.user = "lnd"; lnd-cert.user = cfg.user;
lnd-cert.permissions = "0444"; # world readable lnd-cert.permissions = "0444"; # world readable
}; };
}; };
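Review bot: The new `user` option in the `@ -139,6 +139,16 @@` hunk should document that it does not migrate an existing data directory. The tmpfiles rule `d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -` only re-owns the directory itself, while files created under the previous user (the mnemonic `chown ${cfg.user}:` and `wallet.db` in later hunks) keep their old ownership, so changing the option on a deployed node would presumably leave lnd unable to read its wallet and secrets. I would extend the description to `description = "The user as which to run LND. Changing this on an existing installation does not change the ownership of files already present in dataDir.";` and mirror the wording on the `group` option. The same consideration applies to the new `user`/`group` options in the spark-wallet hunk at `@ -48,17 +48,27 @@`, to the extent that module has persistent state not shown here.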


@ -84,7 +84,7 @@ in {
${concatMapStrings (service: '' ${concatMapStrings (service: ''
onionFile=/var/lib/tor/onion/${service}/hostname onionFile=/var/lib/tor/onion/${service}/hostname
if [[ -e $onionFile ]]; then if [[ -e $onionFile ]]; then
install -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile ${service} install -D -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile services/${service}
fi fi
'') cfg.services} '') cfg.services}
''; '';


@ -94,7 +94,7 @@ in {
in srv.public && srv.enable in srv.public && srv.enable
) services; ) services;
in genAttrs publicServices' (service: { in genAttrs publicServices' (service: {
getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}"; getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/services/${service}";
}); });
} }


@ -100,7 +100,7 @@ in {
users.users.recurring-donations = { users.users.recurring-donations = {
group = "recurring-donations"; group = "recurring-donations";
extraGroups = [ "clightning" ]; extraGroups = [ config.services.clightning.group ];
}; };
users.groups.recurring-donations = {}; users.groups.recurring-donations = {};
}; };


@ -48,17 +48,27 @@ in {
encodes an URL for accessing the web interface. encodes an URL for accessing the web interface.
''; '';
}; };
user = mkOption {
type = types.str;
default = "spark-wallet";
description = "The user as which to run spark-wallet.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = "The group as which to run spark-wallet.";
};
inherit (nbLib) enforceTor; inherit (nbLib) enforceTor;
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.clightning.enable = true; services.clightning.enable = true;
users.users.spark-wallet = { users.users.${cfg.user} = {
group = "spark-wallet"; group = cfg.group;
extraGroups = [ "clightning" ]; extraGroups = [ config.services.clightning.group ];
}; };
users.groups.spark-wallet = {}; users.groups.${cfg.group} = {};
systemd.services.spark-wallet = { systemd.services.spark-wallet = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -66,7 +76,7 @@ in {
after = [ "clightning.service" ]; after = [ "clightning.service" ];
script = startScript; script = startScript;
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
User = "spark-wallet"; User = cfg.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // (if cfg.enforceTor } // (if cfg.enforceTor
@ -74,6 +84,6 @@ in {
else nbLib.allowAnyIP) else nbLib.allowAnyIP)
// nbLib.nodejs; // nbLib.nodejs;
}; };
nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet"; nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
}; };
} }