move enforceTor logic to service modules

This enables tor support for services without using secure-node.nix
This commit is contained in:
Erik Arvstedt 2020-10-29 21:20:27 +01:00
parent 0cc8caa737
commit e0675cb256
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
6 changed files with 9 additions and 21 deletions

View File

@ -182,7 +182,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
description = "Connect through SOCKS5 proxy"; description = "Connect through SOCKS5 proxy";
}; };
listen = mkOption { listen = mkOption {

View File

@ -38,12 +38,12 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
description = "Set a socks proxy to use to connect to Tor nodes (or for all connections if *always-use-proxy* is set)"; description = "Set a socks proxy to use to connect to Tor nodes (or for all connections if *always-use-proxy* is set)";
}; };
always-use-proxy = mkOption { always-use-proxy = mkOption {
type = types.bool; type = types.bool;
default = false; default = cfg.enforceTor;
description = '' description = ''
Always use the *proxy*, even to connect to normal IP addresses (you can still connect to Unix domain sockets manually). This also disables all DNS lookups, to avoid leaking information. Always use the *proxy*, even to connect to normal IP addresses (you can still connect to Unix domain sockets manually). This also disables all DNS lookups, to avoid leaking information.
''; '';

View File

@ -38,7 +38,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
description = "host:port of SOCKS5 proxy for connnecting to the loop server."; description = "host:port of SOCKS5 proxy for connnecting to the loop server.";
}; };
extraConfig = mkOption { extraConfig = mkOption {

View File

@ -160,7 +160,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
description = "Connect through SOCKS5 proxy"; description = "Connect through SOCKS5 proxy";
}; };
listen = mkOption { listen = mkOption {

View File

@ -91,7 +91,7 @@ in {
}; };
tor-socks = mkOption { tor-socks = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
description = "Set a socks proxy to use to connect to Tor nodes"; description = "Set a socks proxy to use to connect to Tor nodes";
}; };
announce-tor = mkOption { announce-tor = mkOption {

View File

@ -54,7 +54,6 @@ in {
enable = true; enable = true;
listen = true; listen = true;
dataDirReadableByGroup = mkIf cfg.electrs.high-memory true; dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;
proxy = cfg.tor.client.socksListenAddress;
enforceTor = true; enforceTor = true;
port = 8333; port = 8333;
assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6"; assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
@ -69,11 +68,7 @@ in {
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; }; services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
# clightning # clightning
services.clightning = { services.clightning.enforceTor = true;
proxy = cfg.tor.client.socksListenAddress;
enforceTor = true;
always-use-proxy = true;
};
services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService { services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService {
port = cfg.clightning.onionport; port = cfg.clightning.onionport;
toHost = cfg.clightning.bind-addr; toHost = cfg.clightning.bind-addr;
@ -81,17 +76,11 @@ in {
}); });
# lnd # lnd
services.lnd = { services.lnd.enforceTor = true;
tor-socks = cfg.tor.client.socksListenAddress;
enforceTor = true;
};
services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; }); services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; });
# lightning-loop # lightning-loop
services.lightning-loop = { services.lightning-loop.enforceTor = true;
proxy = cfg.tor.client.socksListenAddress;
enforceTor = true;
};
# liquidd # liquidd
services.liquidd = { services.liquidd = {
@ -99,7 +88,6 @@ in {
prune = 1000; prune = 1000;
validatepegin = true; validatepegin = true;
listen = true; listen = true;
proxy = cfg.tor.client.socksListenAddress;
enforceTor = true; enforceTor = true;
port = 7042; port = 7042;
}; };