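# This module enables unprivileged users to read onion addresses.
# By default, onion addresses in /var/lib/tor/onion are only readable by the
# tor user.
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
# and sets permissions according to option 'access'.
# Services listed in option 'services' get a copy at
# /var/lib/onion-addresses/services/<service>, readable only by the service user.

{ config, lib, ... }:

with lib;
let
  options.nix-bitcoin.onionAddresses = {
    access = mkOption {
      type = with types; attrsOf (listOf str);
      default = {};
      description = ''
        This option controls who is allowed to access onion addresses.
        For example, the following allows user 'myuser' to access bitcoind
        and clightning onion addresses:
        {
          "myuser" = [ "bitcoind" "clightning" ];
        };
        The onion hostnames can then be read from
        /var/lib/onion-addresses/myuser.
      '';
    };
    services = mkOption {
      type = with types; listOf str;
      default = [];
      description = ''
        Services that can access their onion address via file
        /var/lib/onion-addresses/services/<service>
        The file is readable only by the service user.
      '';
    };
    dataDir = mkOption {
      type = types.path;
      readOnly = true;
      default = "/var/lib/onion-addresses";
      description = ''
        Directory that onion addresses are copied to.
        This is the StateDirectory of the onion-addresses service.
      '';
    };
  };

  cfg = config.nix-bitcoin.onionAddresses;
  nbLib = config.nix-bitcoin.lib;

  # Shell snippet that copies the onion hostname of `service` to `dest`
  # (relative to cfg.dataDir), owned by `owner` and readable only by it.
  # A hostname file that tor has not created is skipped silently.
  copyOnionAddress = service: owner: dest: ''
    onionFile=/var/lib/tor/onion/${service}/hostname
    if [[ -e "$onionFile" ]]; then
      install -D -o ${owner} -m 400 "$onionFile" ${dest}
    fi
  '';
in {
  inherit options;

  config = mkIf (cfg.access != {} || cfg.services != []) {
    systemd.services.onion-addresses = {
      wantedBy = [ "tor.service" ];
      bindsTo = [ "tor.service" ];
      after = [ "tor.service" ];
      serviceConfig = nbLib.defaultHardening // {
        Type = "oneshot";
        RemainAfterExit = true;
        StateDirectory = "onion-addresses";
        StateDirectoryMode = "771";
        PrivateNetwork = "true"; # This service needs no network access
        PrivateUsers = "false";
        # Needed to read the tor-owned hostname files and to hand the copies
        # over to other users.
        CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
      };
      script = ''
        # Wait until tor is up
        until [[ -e /var/lib/tor/state ]]; do sleep 0.1; done
        # NOTE(review): hostname files that do not exist at this point are
        # skipped, and the unit still succeeds (RemainAfterExit). This relies
        # on tor having created its onion directories before `state` -- confirm.

        # Start from a clean state directory (root-owned, mode 771, so only
        # root can create entries at the top level).
        cd ${cfg.dataDir}
        rm -rf -- *

        ${concatMapStrings (user: ''
          # Fill the per-user directory while it is still owned by root and
          # hand it over to the user only afterwards. Copying into a directory
          # the user already owns would let the user pre-create a symlink at
          # the destination that root's copy would follow.
          mkdir -p -m 0700 ${user}
          ${concatMapStrings (service:
            copyOnionAddress service user "${user}/${service}"
          ) cfg.access.${user}}
          chown ${user} ${user}
        '') (builtins.attrNames cfg.access)}

        # services/ is created root-owned by `install -D`; the service user
        # owns only its own hostname file.
        ${concatMapStrings (service:
          copyOnionAddress service config.systemd.services.${service}.serviceConfig.User "services/${service}"
        ) cfg.services}
      '';
    };
  };
}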