diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index bfe5040..6371a6c 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -119,6 +119,11 @@ in {
 id = 19;
 connections = [ "nginx" "lightning-charge" ];
 };
+ recurring-donations = {
+ id = 20;
+ # communicates with clightning over lightning-rpc socket
+ connections = [];
+ };
 };
 
 systemd.services = {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index ba0f0bf..d8ece9e 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -131,6 +131,8 @@ in {
 services.nanopos.enforceTor = true;
 
+ services.recurring-donations.enforceTor = true;
+
 services.nix-bitcoin-webindex.enforceTor = true;
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index 901c8f7..a4f9444 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -11,7 +11,7 @@ let
 NAME=$1
 AMOUNT=$2
 echo Attempting to pay $AMOUNT sat to $NAME
- INVOICE=$(torsocks curl -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null
+ INVOICE=$(curl --socks5-hostname ${config.services.tor.client.socksListenAddress} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null
 if [ -z "$INVOICE" ] || [ "$INVOICE" = "null" ]; then
 echo "ERROR: did not get invoice from tallycoin"
 return
@@ -75,6 +75,7 @@ in {
 Random delay to add to scheduled time for donation. Default is one day.
 '';
 };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 
 config = mkIf cfg.enable {
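Review bot: The comment on the new `recurring-donations` entry explains the empty `connections` list only for clightning; the service's outbound HTTPS request to tallycoin also leaves via the Tor SOCKS proxy (the recurring-donations.nix hunk in this same commit passes `config.services.tor.client.socksListenAddress` to curl), which is the second reason no namespace peer is needed. Suggested wording: `# communicates with clightning over the lightning-rpc socket; outbound HTTPS goes through the Tor SOCKS proxy, so no netns peers are needed`. Whether the new namespace can reach that SOCKS listen address is not visible in this hunk and is worth confirming against how the other entries reach Tor. The enclosing attribute set starts and ends outside the hunk.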
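Review bot: The rewritten `INVOICE=$(curl --socks5-hostname …)` line in recurring-donations.nix has neither a timeout nor an HTTP status check, so a stalled Tor circuit blocks the oneshot unit indefinitely and a non-2xx error body is piped into jq as if it were a response. The `-z`/`null` check on the next line catches a missing key but not a hang. Adding `--fail --max-time 60` (60 is an example value) to the curl call covers both cases while keeping `--socks5-hostname`, which resolves `api.tallyco.in` inside the proxy rather than through the local resolver. The script's function and the enclosing `let` binding start and end outside the hunk.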
@@ -95,12 +96,14 @@ in {
 description = "Run recurring-donations";
 requires = [ "clightning.service" ];
 after = [ "clightning.service" ];
- path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
+ path = with pkgs; [ nix-bitcoin.clightning curl sudo jq ];
 serviceConfig = nix-bitcoin-services.defaultHardening // {
 ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
 User = "recurring-donations";
 Type = "oneshot";
- } // nix-bitcoin-services.allowTor;
+ } // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP);
 };
 systemd.timers.recurring-donations = {
 requires = [ "clightning.service" ];
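Review bot: The new `if cfg.enforceTor then allowTor else allowAnyIP` conditional only widens the unit's sandbox when the option is off, while the script in the earlier hunk still sends every request through the Tor SOCKS proxy unconditionally, so `enforceTor = false` grants access to any IP without ever using it. If that is intended, a comment such as `# enforceTor only restricts the sandbox; the script always proxies via Tor` on the `} // (if cfg.enforceTor` line would save the next reader the same question; if not, the curl line needs the matching conditional. Separately, since the script now depends on the Tor SOCKS listener rather than on torsocks, `after = [ "clightning.service" "tor.service" ];` would avoid a spurious failure when the timer fires before Tor is up, unless that ordering is already provided elsewhere.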