All modules: Give service config precedence over defaultHardening

With '//', the right-hand operand takes precedence over the left-hand one
when both contain attributes of the same name.
nixbitcoin 2020-05-05 15:18:41 +02:00
parent 0ac1e496b2
commit 7c70dd43ac
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
11 changed files with 24 additions and 35 deletions


@ -282,7 +282,7 @@ in {
sleep 0.05
done
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "${cfg.user}";
Group = "${cfg.group}";
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
@ -291,8 +291,7 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP)
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol;
@ -320,11 +319,10 @@ in {
fi
done
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "${cfg.user}";
Group = "${cfg.group}";
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
} // nix-bitcoin-services.allowTor;
};
users.users.${cfg.user} = {
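Review bot: The merge order on the changed `serviceConfig = nix-bitcoin-services.defaultHardening // {` line is now the only thing recording which side wins, and nothing in the hunk states it, so a later addition to the inner set can silently replace a hardening default without the author noticing. A one-line comment above that line would make the contract explicit: `# Attributes set here override defaultHardening; the allowTor/allowAnyIP/allowAnyProtocol sets merged below override both.` The same comment is warranted at the equivalent line in the clightning, electrs, lightning-charge, liquid, lnd, nanopos, webindex, onion-chef, recurring-donations and spark-wallet sections of this commit. Both hunks here sit inside the bitcoind service definition, which starts and ends outside the hunks.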


@ -93,14 +93,13 @@ in {
chmod 600 ${cfg.dataDir}/config
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true";
ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);


@ -74,7 +74,7 @@ in {
echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
> electrs.toml
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
RuntimeDirectory = "electrs";
RuntimeDirectoryMode = "700";
WorkingDirectory = "/run/electrs";
@ -96,8 +96,7 @@ in {
Group = cfg.group;
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);


@ -50,15 +50,14 @@ in {
chmod 600 ${cfg.dataDir}/lightning-charge.db
fi
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true";
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
User = user;
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
} // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
nix-bitcoin.secrets.lightning-charge-env.user = user;


@ -215,7 +215,7 @@ in {
echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
Type = "simple";
User = "${cfg.user}";
Group = "${cfg.group}";
@ -226,8 +226,7 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);


@ -91,14 +91,13 @@ in {
chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
'';
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
User = "lnd";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ


@ -58,14 +58,13 @@ in {
wantedBy = [ "multi-user.target" ];
requires = [ "lightning-charge.service" ];
after = [ "lightning-charge.service" ];
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
User = "nanopos";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
} // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
users.users.nanopos = {


@ -81,15 +81,14 @@ in {
jq
sudo
];
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}";
User = "root";
Type = "simple";
RemainAfterExit="yes";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
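Review bot: `User = "root";` two lines below the changed `serviceConfig` line means the defaultHardening set is the only confinement this unit has, and with service attributes now taking precedence, anything later added to this set will relax that confinement rather than being overridden. The hunk gives no reason the web index generator needs root, so a comment on that line stating why root is required (and what in the hardening set is relied on to contain it) would help the next reviewer judge whether a dedicated user is feasible. The service definition begins outside the hunk.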


@ -73,11 +73,11 @@ in {
wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
Type = "oneshot";
RemainAfterExit = true;
} // nix-bitcoin-services.defaultHardening;
};
};
};
}
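Review bot: This unit sets no `User` in the set that now follows `nix-bitcoin-services.defaultHardening // {`, so unless defaultHardening itself supplies one (not visible here) the oneshot runs as root, and after this commit nothing merged later can change that. If root is intentional for onion-chef, a comment above the `ExecStart` line saying so (`# runs as root: …`) would document the assumption; if not, an explicit `User` belongs in this set. The enclosing service definition starts before the hunk.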


@ -90,12 +90,11 @@ in {
requires = [ "clightning.service" ];
after = [ "clightning.service" ];
path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
User = "recurring-donations";
Type = "oneshot";
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
} // nix-bitcoin-services.allowTor;
};
systemd.timers.recurring-donations = {
requires = [ "clightning.service" ];


@ -71,14 +71,13 @@ in {
wantedBy = [ "multi-user.target" ];
requires = [ "clightning.service" ] ++ onion-chef-service;
after = [ "clightning.service" ] ++ onion-chef-service;
serviceConfig = {
serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true";
ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
User = "spark-wallet";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
} // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";