Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.
In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.
so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
It doesn't make sense for bitcoind users to completely redefine their
config file. Also, it's poorly named and the description is faulty.
This is a breaking change, but this option has probably no actual users.
This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, operator's authorized_keys
file is always appended to, growing the file indefinitely.
- Service is always added and not restricted to nixops-vbox deployments.