services: add helper fn setAllowedIPAddresses
Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist, which doesn't use Tor.
This commit is contained in:
parent
cdf27d9d0c
commit
020433cec6
@ -357,9 +357,7 @@ in {
|
||||
Restart = "on-failure";
|
||||
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
||||
ReadWritePaths = cfg.dataDir;
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP)
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor
|
||||
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
|
||||
};
|
||||
|
||||
@ -385,7 +383,7 @@ in {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
ReadWritePaths = cfg.dataDir;
|
||||
} // nbLib.allowTor;
|
||||
} // nbLib.allowLocalIPAddresses;
|
||||
};
|
||||
|
||||
users.users.${cfg.user}.group = cfg.group;
|
||||
|
@ -155,10 +155,7 @@ in {
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = cfg.nbxplorer.dataDir;
|
||||
MemoryDenyWriteExecute = "false";
|
||||
} // (if cfg.nbxplorer.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP
|
||||
);
|
||||
} // nbLib.allowedIPAddresses cfg.nbxplorer.enforceTor;
|
||||
};
|
||||
|
||||
systemd.services.btcpayserver = let
|
||||
@ -204,10 +201,7 @@ in {
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = cfg.btcpayserver.dataDir;
|
||||
MemoryDenyWriteExecute = "false";
|
||||
} // (if cfg.btcpayserver.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP
|
||||
);
|
||||
} // nbLib.allowedIPAddresses cfg.btcpayserver.enforceTor;
|
||||
}; in self;
|
||||
|
||||
users.users.${cfg.nbxplorer.user} = {
|
||||
|
@ -128,10 +128,7 @@ in {
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = cfg.dataDir;
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP
|
||||
);
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor;
|
||||
# Wait until the rpc socket appears
|
||||
postStart = ''
|
||||
while [[ ! -e ${cfg.networkDir}/lightning-rpc ]]; do
|
||||
|
@ -102,10 +102,7 @@ in {
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${bitcoind.dataDir}" else ""}";
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP
|
||||
);
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor;
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
|
@ -102,9 +102,7 @@ in {
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = cfg.dataDir;
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP);
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor;
|
||||
};
|
||||
|
||||
nix-bitcoin.secrets = {
|
||||
|
@ -100,9 +100,7 @@ in {
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
ReadWritePaths = cfg.dataDir;
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP);
|
||||
} // (nbLib.allowedIPAddresses cfg.enforceTor);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -239,10 +239,7 @@ in {
|
||||
PIDFile = pidFile;
|
||||
Restart = "on-failure";
|
||||
ReadWritePaths = cfg.dataDir;
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP
|
||||
);
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor;
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
|
@ -262,10 +262,8 @@ in {
|
||||
'') (attrNames cfg.macaroons)}
|
||||
'')
|
||||
];
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP
|
||||
) // nbLib.allowAnyProtocol; # For ZMQ
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor
|
||||
// nbLib.allowAnyProtocol; # For ZMQ
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
|
@ -83,9 +83,7 @@ in {
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
|
||||
User = "recurring-donations";
|
||||
Type = "oneshot";
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP);
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor;
|
||||
};
|
||||
systemd.timers.recurring-donations = {
|
||||
requires = [ "clightning.service" ];
|
||||
|
@ -79,9 +79,7 @@ in {
|
||||
User = cfg.user;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // (if cfg.enforceTor
|
||||
then nbLib.allowTor
|
||||
else nbLib.allowAnyIP)
|
||||
} // nbLib.allowedIPAddresses cfg.enforceTor
|
||||
// nbLib.nodejs;
|
||||
};
|
||||
nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
|
||||
|
14
pkgs/lib.nix
14
pkgs/lib.nix
@ -35,13 +35,17 @@ let self = {
|
||||
|
||||
# nodejs applications apparently rely on memory write execute
|
||||
nodejs = { MemoryDenyWriteExecute = "false"; };
|
||||
# Allow tor traffic. Allow takes precedence over Deny.
|
||||
allowTor = {
|
||||
|
||||
# Allow takes precedence over Deny.
|
||||
allowLocalIPAddresses = {
|
||||
IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
|
||||
};
|
||||
# Allow any traffic
|
||||
allowAnyIP = { IPAddressAllow = "any"; };
|
||||
allowAnyProtocol = { RestrictAddressFamilies = "~"; };
|
||||
allowAllIPAddresses = { IPAddressAllow = "any"; };
|
||||
allowTor = self.allowLocalIPAddresses;
|
||||
allowedIPAddresses = onlyLocal:
|
||||
if onlyLocal
|
||||
then self.allowLocalIPAddresses
|
||||
else self.allowAllIPAddresses;
|
||||
|
||||
enforceTor = mkOption {
|
||||
type = types.bool;
|
||||
|
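Review bot: `allowedIPAddresses` and the two attrsets it selects between (`allowLocalIPAddresses`, `allowAllIPAddresses`) carry no comment stating that `IPAddressAllow` only restricts a unit when that unit also sets `IPAddressDeny`, so a service that merges this helper without the shared hardening attrset silently gets no filtering; the surviving `# Allow takes precedence over Deny.` comment hints at this but does not say it. A header of the form `# Restrict the unit to loopback/link-local addresses when onlyLocal is true, otherwise allow any address.` followed by `# Only effective if the unit also sets IPAddressDeny (presumably via the shared hardening attrs); Allow takes precedence over Deny.` would make the contract explicit. The parameter name `onlyLocal` also hides that every caller on this page passes `cfg.enforceTor`, and `allowAnyIP` is now a duplicate of `allowAllIPAddresses` with the only `# Allow any traffic` comment attached to the old name, so marking `allowAnyIP` and `allowTor` as compatibility aliases would steer new services toward the helper. Note that the commit title names the helper `setAllowedIPAddresses` while the code defines `allowedIPAddresses`. The `let self = {` binding enclosing this hunk starts above it.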