netns: separate implementation and service configs

This greatly improves clarity.

Especially the bitcoind-import-banlist.serviceConfig definition was out
of place.
This commit is contained in:
Erik Arvstedt 2020-08-21 22:35:59 +02:00
parent d0b8d77de2
commit e385c73256
No known key found for this signature in database
GPG Key ID: 33312B944DD97846


@ -75,8 +75,10 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable (mkMerge [
# Prerequisites
# Base infrastructure
{
networking.dhcpcd.denyInterfaces = [ "br0" "br-nb*" "nb-veth*" ]; networking.dhcpcd.denyInterfaces = [ "br0" "br-nb*" "nb-veth*" ];
services.tor.client.socksListenAddress = "${bridgeIp}:9050"; services.tor.client.socksListenAddress = "${bridgeIp}:9050";
networking.firewall.interfaces.br0.allowedTCPPorts = [ 9050 ]; networking.firewall.interfaces.br0.allowedTCPPorts = [ 9050 ];
@ -88,51 +90,6 @@ in {
permissions = "u+rx,g+rx,o-rwx"; permissions = "u+rx,g+rx,o-rwx";
}; };
nix-bitcoin.netns-isolation.services = {
bitcoind = {
id = 12;
};
clightning = {
id = 13;
connections = [ "bitcoind" ];
};
lnd = {
id = 14;
connections = [ "bitcoind" ];
};
liquidd = {
id = 15;
connections = [ "bitcoind" ];
};
electrs = {
id = 16;
connections = [ "bitcoind" ];
};
spark-wallet = {
id = 17;
# communicates with clightning over lightning-rpc socket
};
lightning-charge = {
id = 18;
# communicates with clightning over lightning-rpc socket
};
nanopos = {
id = 19;
connections = [ "nginx" "lightning-charge" ];
};
recurring-donations = {
id = 20;
# communicates with clightning over lightning-rpc socket
};
nginx = {
id = 21;
};
lightning-loop = {
id = 22;
connections = [ "lnd" ];
};
};
systemd.services = { systemd.services = {
netns-bridge = { netns-bridge = {
description = "Create bridge"; description = "Create bridge";
@ -153,8 +110,6 @@ in {
RemainAfterExit = "yes"; RemainAfterExit = "yes";
}; };
}; };
bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
} // } //
(let (let
makeNetnsServices = n: v: let makeNetnsServices = n: v: let
@ -206,8 +161,55 @@ in {
in foldl (services: n: in foldl (services: n:
services // (makeNetnsServices n netns.${n}) services // (makeNetnsServices n netns.${n})
) {} (builtins.attrNames netns)); ) {} (builtins.attrNames netns));
}
# Service-specific config
{
nix-bitcoin.netns-isolation.services = {
bitcoind = {
id = 12;
};
clightning = {
id = 13;
connections = [ "bitcoind" ];
};
lnd = {
id = 14;
connections = [ "bitcoind" ];
};
liquidd = {
id = 15;
connections = [ "bitcoind" ];
};
electrs = {
id = 16;
connections = [ "bitcoind" ];
};
spark-wallet = {
id = 17;
# communicates with clightning over lightning-rpc socket
};
lightning-charge = {
id = 18;
# communicates with clightning over lightning-rpc socket
};
nanopos = {
id = 19;
connections = [ "nginx" "lightning-charge" ];
};
recurring-donations = {
id = 20;
# communicates with clightning over lightning-rpc socket
};
nginx = {
id = 21;
};
lightning-loop = {
id = 22;
connections = [ "lnd" ];
};
};
# bitcoin: Custom netns configs
services.bitcoind = { services.bitcoind = {
bind = netns.bitcoind.address; bind = netns.bitcoind.address;
rpcbind = [ rpcbind = [
@ -221,14 +223,13 @@ in {
netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@" netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@"
''; '';
}; };
systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
# clightning: Custom netns configs
services.clightning = { services.clightning = {
bitcoin-rpcconnect = netns.bitcoind.address; bitcoin-rpcconnect = netns.bitcoind.address;
bind-addr = netns.clightning.address; bind-addr = netns.clightning.address;
}; };
# lnd: Custom netns configs
services.lnd = { services.lnd = {
listen = netns.lnd.address; listen = netns.lnd.address;
rpclisten = [ rpclisten = [
@ -248,7 +249,6 @@ in {
''; '';
}; };
# liquidd: Custom netns configs
services.liquidd = { services.liquidd = {
bind = netns.liquidd.address; bind = netns.liquidd.address;
rpcbind = [ rpcbind = [
@ -267,31 +267,25 @@ in {
''; '';
}; };
# electrs: Custom netns configs
services.electrs = { services.electrs = {
address = netns.electrs.address; address = netns.electrs.address;
daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}"; daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}";
}; };
# spark-wallet: Custom netns configs
services.spark-wallet = { services.spark-wallet = {
host = netns.spark-wallet.address; host = netns.spark-wallet.address;
extraArgs = "--no-tls"; extraArgs = "--no-tls";
}; };
# lightning-charge: Custom netns configs
services.lightning-charge.host = netns.lightning-charge.address; services.lightning-charge.host = netns.lightning-charge.address;
# nanopos: Custom netns configs
services.nanopos = { services.nanopos = {
charged-url = "http://${netns.lightning-charge.address}:9112"; charged-url = "http://${netns.lightning-charge.address}:9112";
host = netns.nanopos.address; host = netns.nanopos.address;
}; };
# nginx: Custom netns configs
services.nix-bitcoin-webindex.host = netns.nginx.address; services.nix-bitcoin-webindex.host = netns.nginx.address;
# loop: Custom netns configs
services.lightning-loop = { services.lightning-loop = {
cli = pkgs.writeScriptBin "loop" cli = pkgs.writeScriptBin "loop"
# Switch user because lnd makes datadir contents readable by user only # Switch user because lnd makes datadir contents readable by user only
@ -299,5 +293,6 @@ in {
netns-exec nb-lightning-loop sudo -u lnd ${config.services.lightning-loop.package}/bin/loop "$@" netns-exec nb-lightning-loop sudo -u lnd ${config.services.lightning-loop.package}/bin/loop "$@"
''; '';
}; };
}; }
]);
} }
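Review bot: The line `systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";` in the `@ -221,14 +223,13 @@` hunk hard-codes the namespace name, whereas every other service-specific value in the same block is derived from `netns.<service>.address`, and the `nb-bitcoind` name presumably has to stay in sync with whatever `makeNetnsServices` (whose body lies outside these hunks) creates. Since this unit is the only one placed into a namespace by path rather than through the netns-isolation machinery, the reason deserves a comment so the coupling is not lost on the next move, e.g. `# Not managed by makeNetnsServices: pin the banlist import to bitcoind's netns by path (name must match the nb-<service> convention)`. The `# loop: Custom netns configs` label in the `@ -267,31 +267,25 @@` hunk also breaks the `<service>: Custom netns configs` pattern used for every other entry; `# lightning-loop: Custom netns configs` would match the attribute it annotates. The enclosing `config = mkIf cfg.enable (mkMerge [ ... ])` expression spans all hunks, so the bracket balance of the two merged attrsets cannot be fully checked from this view.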