services: add helper fn setAllowedIPAddresses

Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist
which doesn't use Tor.
Erik Arvstedt 2021-03-22 13:19:45 +01:00
parent cdf27d9d0c
commit 020433cec6
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
11 changed files with 22 additions and 45 deletions


@ -357,9 +357,7 @@ in {
Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP)
} // nbLib.allowedIPAddresses cfg.enforceTor
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
};
@ -385,7 +383,7 @@ in {
User = cfg.user;
Group = cfg.group;
ReadWritePaths = cfg.dataDir;
} // nbLib.allowTor;
} // nbLib.allowLocalIPAddresses;
};
users.users.${cfg.user}.group = cfg.group;
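Review bot: The switch to `nbLib.allowLocalIPAddresses` for bitcoind-import-banlist in the second hunk carries its rationale only in the commit message; since `allowTor` is now just an alias of the same attribute set, nothing in the unit itself marks this service as deliberately non-Tor, and a later reader may "fix" it back to the enforceTor-dependent form. A one-line comment above the merge keeps the intent visible: `# Does not use Tor; keep the sandbox restricted to local addresses`. The service definition continues outside the hunk.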


@ -155,10 +155,7 @@ in {
RestartSec = "10s";
ReadWritePaths = cfg.nbxplorer.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.nbxplorer.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.nbxplorer.enforceTor;
};
systemd.services.btcpayserver = let
@ -204,10 +201,7 @@ in {
RestartSec = "10s";
ReadWritePaths = cfg.btcpayserver.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.btcpayserver.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.btcpayserver.enforceTor;
}; in self;
users.users.${cfg.nbxplorer.user} = {
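Review bot: `nbLib.allowedIPAddresses cfg.nbxplorer.enforceTor` in the first hunk (and the btcpayserver call in the second) passes a Tor-enforcement flag into a helper whose parameter is named `onlyLocal` in lib, so at the call site a reader has to know that enforceTor collapses to "loopback and link-local only". A short comment at the first call would make the policy legible where it is applied, e.g. `# enforceTor => the unit may only reach 127.0.0.1, ::1 and 169.254.0.0/16`. The allow-list contents are taken from the lib hunk of this same commit, so keep the two in sync if that list changes. Both service definitions continue outside their hunks.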


@ -128,10 +128,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.enforceTor;
# Wait until the rpc socket appears
postStart = ''
while [[ ! -e ${cfg.networkDir}/lightning-rpc ]]; do


@ -102,10 +102,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${bitcoind.dataDir}" else ""}";
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
users.users.${cfg.user} = {


@ -102,9 +102,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
nix-bitcoin.secrets = {


@ -100,9 +100,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP);
} // (nbLib.allowedIPAddresses cfg.enforceTor);
};
};
}
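Review bot: The parentheses in `} // (nbLib.allowedIPAddresses cfg.enforceTor);` are redundant, since function application binds tighter than `//` in Nix, and every other call site in this commit writes `} // nbLib.allowedIPAddresses cfg.enforceTor;`. Dropping them keeps all call sites grep-identical; the merged attribute set is the same either way, so this is purely a style point.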


@ -239,10 +239,7 @@ in {
PIDFile = pidFile;
Restart = "on-failure";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
users.users.${cfg.user} = {


@ -262,10 +262,8 @@ in {
'') (attrNames cfg.macaroons)}
'')
];
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
) // nbLib.allowAnyProtocol; # For ZMQ
} // nbLib.allowedIPAddresses cfg.enforceTor
// nbLib.allowAnyProtocol; # For ZMQ
};
users.users.${cfg.user} = {
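Review bot: `nbLib.allowAnyProtocol` is still merged unconditionally after `allowedIPAddresses cfg.enforceTor`, and the trailing `# For ZMQ` does not say that it relaxes the unit's address-family restriction even when enforceTor is set, whereas bitcoind in this same commit gates the same set on its ZMQ options being non-null. If lnd always needs ZMQ that is fine, but the comment could state the trade-off, e.g. `# For ZMQ: relaxes RestrictAddressFamilies; the IPAddressAllow list above still applies`. I am inferring the scope of allowAnyProtocol from its lib definition (`RestrictAddressFamilies = "~"`), so confirm against the systemd semantics relied on. The service definition continues outside the hunk.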


@ -83,9 +83,7 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
User = "recurring-donations";
Type = "oneshot";
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
systemd.timers.recurring-donations = {
requires = [ "clightning.service" ];


@ -79,9 +79,7 @@ in {
User = cfg.user;
Restart = "on-failure";
RestartSec = "10s";
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP)
} // nbLib.allowedIPAddresses cfg.enforceTor
// nbLib.nodejs;
};
nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;


@ -35,13 +35,17 @@ let self = {
# nodejs applications apparently rely on memory write execute
nodejs = { MemoryDenyWriteExecute = "false"; };
# Allow tor traffic. Allow takes precedence over Deny.
allowTor = {
# Allow takes precedence over Deny.
allowLocalIPAddresses = {
IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
};
# Allow any traffic
allowAnyIP = { IPAddressAllow = "any"; };
allowAnyProtocol = { RestrictAddressFamilies = "~"; };
allowAllIPAddresses = { IPAddressAllow = "any"; };
allowTor = self.allowLocalIPAddresses;
allowedIPAddresses = onlyLocal:
if onlyLocal
then self.allowLocalIPAddresses
else self.allowAllIPAddresses;
enforceTor = mkOption {
type = types.bool;