From e0675cb2564e5eeb41737554c27171c7bac0df1b Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 29 Oct 2020 21:20:27 +0100
Subject: [PATCH] move enforceTor logic to service modules

This enables tor support for services without using secure-node.nix
---
 modules/bitcoind.nix | 2 +-
 modules/clightning.nix | 4 ++--
 modules/lightning-loop.nix | 2 +-
 modules/liquid.nix | 2 +-
 modules/lnd.nix | 2 +-
 modules/presets/secure-node.nix | 18 +++---------------
 6 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 683b08f..1f3ed98 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -182,7 +182,7 @@ in {
     };
     proxy = mkOption {
       type = types.nullOr types.str;
-      default = null;
+      default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
       description = "Connect through SOCKS5 proxy";
     };
     listen = mkOption {
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 1b560ad..7f50901 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -38,12 +38,12 @@ in {
     };
     proxy = mkOption {
       type = types.nullOr types.str;
-      default = null;
+      default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
       description = "Set a socks proxy to use to connect to Tor nodes (or for all connections if *always-use-proxy* is set)";
     };
     always-use-proxy = mkOption {
       type = types.bool;
-      default = false;
+      default = cfg.enforceTor;
       description = ''
         Always use the *proxy*, even to connect to normal IP addresses (you can still connect to Unix domain sockets manually). This also disables all DNS lookups, to avoid leaking information.
       '';
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index bb78f85..f9f8818 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
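Review bot: The new `proxy` default is only an option default, so a user definition `services.bitcoind.proxy = null;` alongside `enforceTor = true` is now accepted silently, whereas the preset's former fixed assignment (removed in the secure-node.nix hunks below) would have produced a conflicting-definitions error. If `enforceTor` is meant to guarantee the proxy, assert it in the module's `assertions`, e.g. `{ assertion = cfg.enforceTor -> cfg.proxy != null; message = "services.bitcoind: enforceTor requires proxy to be set"; }`. The same applies to the `proxy` and `always-use-proxy` defaults in clightning.nix, `proxy` in lightning-loop.nix and liquid.nix, and `tor-socks` in lnd.nix. The enclosing options set starts and ends outside the hunk.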
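Review bot: Both new defaults read `config.services.tor.client.socksListenAddress`, which has a default value whether or not `services.tor.client.enable` is true, so `enforceTor = true` on a host without the Tor client configures a proxy address that nothing listens on; unless the module already asserts this outside the hunk, add `{ assertion = cfg.enforceTor -> config.services.tor.client.enable; message = "services.clightning: enforceTor requires services.tor.client.enable"; }` to its `assertions`. The option documentation should also state the new coupling, and `defaultText` is the conventional way to document a default that depends on other configuration, e.g. `defaultText = "Tor client SOCKS address if enforceTor is set, else null";` on `proxy` and `defaultText = "enforceTor";` on `always-use-proxy`. The same check applies to the defaults added in bitcoind.nix, lightning-loop.nix, liquid.nix and lnd.nix. The `always-use-proxy` option closes outside the hunk.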
@@ -38,7 +38,7 @@ in {
     };
     proxy = mkOption {
       type = types.nullOr types.str;
-      default = null;
+      default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
       description = "host:port of SOCKS5 proxy for connnecting to the loop server.";
     };
     extraConfig = mkOption {
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 5e6b1fb..8f3c2d9 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -160,7 +160,7 @@ in {
     };
     proxy = mkOption {
       type = types.nullOr types.str;
-      default = null;
+      default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
       description = "Connect through SOCKS5 proxy";
     };
     listen = mkOption {
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 143af5e..7e52fd8 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -91,7 +91,7 @@ in {
     };
     tor-socks = mkOption {
       type = types.nullOr types.str;
-      default = null;
+      default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
       description = "Set a socks proxy to use to connect to Tor nodes";
     };
     announce-tor = mkOption {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 1ff4103..0decc67 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -54,7 +54,6 @@ in {
     enable = true;
     listen = true;
     dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;
-    proxy = cfg.tor.client.socksListenAddress;
     enforceTor = true;
     port = 8333;
     assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
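Review bot: `tor-socks` now carries the Tor SOCKS address under `enforceTor`, but lnd only routes connections through `tor.socks` when `tor.active` is also set in its config; whether the module emits `tor.active=true` whenever `tor-socks` is non-null is outside this hunk and worth confirming, since otherwise this default changes nothing about how lnd actually dials. If it does not, the config generation should write `tor.active=true` next to `tor.socks=${cfg.tor-socks}`. The description could also mention the coupling: `description = "Set a socks proxy to use to connect to Tor nodes. Defaults to the Tor client's SOCKS address when enforceTor is set.";`. The enclosing options set continues outside the hunk.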
@@ -69,11 +68,7 @@ in { services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; }; # clightning - services.clightning = { - proxy = cfg.tor.client.socksListenAddress; - enforceTor = true; - always-use-proxy = true; - }; + services.clightning.enforceTor = true; services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService { port = cfg.clightning.onionport; toHost = cfg.clightning.bind-addr; @@ -81,17 +76,11 @@ in { }); # lnd - services.lnd = { - tor-socks = cfg.tor.client.socksListenAddress; - enforceTor = true; - }; + services.lnd.enforceTor = true; services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; }); # lightning-loop - services.lightning-loop = { - proxy = cfg.tor.client.socksListenAddress; - enforceTor = true; - }; + services.lightning-loop.enforceTor = true; # liquidd services.liquidd = { @@ -99,7 +88,6 @@ in { prune = 1000; validatepegin = true; listen = true; - proxy = cfg.tor.client.socksListenAddress; enforceTor = true; port = 7042; };