nix-bitcoin/modules/onion-addresses.nix

# This module enables unprivileged users to read onion addresses.
# By default, onion addresses in /var/lib/tor/onion are only readable by the
# tor user.
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
# and sets permissions according to option 'access'.

{ config, lib, ... }:

with lib;

let
  cfg = config.nix-bitcoin.onionAddresses;
  inherit (config) nix-bitcoin-services;
in {
  options.nix-bitcoin.onionAddresses = {
    access = mkOption {
      type = with types; attrsOf (listOf str);
      default = {};
      description = ''
        This option controls who is allowed to access onion addresses.
        For example, the following allows user 'myuser' to access bitcoind
        and clightning onion addresses:
        {
          "myuser" = [ "bitcoind" "clightning" ];
        };
        The onion hostnames can then be read from
        /var/lib/onion-addresses/myuser.
      '';
    };
    dataDir = mkOption {
      readOnly = true;
      default = "/var/lib/onion-addresses";
    };
  };

  config = mkIf (cfg.access != {}) {
    systemd.services.onion-addresses = {
      wantedBy = [ "tor.service" ];
      bindsTo = [ "tor.service" ];
      after = [ "tor.service" ];
      serviceConfig = nix-bitcoin-services.defaultHardening // {
        Type = "oneshot";
        RemainAfterExit = true;
        StateDirectory = "onion-addresses";
        PrivateNetwork = "true"; # This service needs no network access
        PrivateUsers = "false";
        CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
      };
      script = ''
        # Wait until tor is up
        until [[ -e /var/lib/tor/state ]]; do sleep 0.1; done

        cd ${cfg.dataDir}
        rm -rf *

        ${concatMapStrings
          (user: ''
            mkdir -p -m 0700 ${user}
            chown ${user} ${user}
            ${concatMapStrings
              (service: ''
                onionFile=/var/lib/tor/onion/${service}/hostname
                if [[ -e $onionFile ]]; then
                  cp $onionFile ${user}/${service}
                  chown ${user} ${user}/${service}
                fi
              '')
              cfg.access.${user}
            }
          '')
          (builtins.attrNames cfg.access)
        }
      '';
    };
  };
}
rename onion-chef -> nix-bitcoin.onionAddresses This clarifies its function. 2021-01-14 04:24:10 -08:00			`# This module enables unprivileged users to read onion addresses.`
			`# By default, onion addresses in /var/lib/tor/onion are only readable by the`
			`# tor user.`
			`# The included service copies onion addresses to /var/lib/onion-addresses/<user>/`
			`# and sets permissions according to option 'access'.`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00
onionAddresses: use service 'script' option This also makes the script stop on errors. 2021-01-14 04:24:14 -08:00			`{ config, lib, ... }:`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00
			`with lib;`

			`let`
rename onion-chef -> nix-bitcoin.onionAddresses This clarifies its function. 2021-01-14 04:24:10 -08:00			`cfg = config.nix-bitcoin.onionAddresses;`
add 'nix-bitcoin-services' option 1. Makes the content easily accessible for module users 2. Avoids needlessly recalculating the attrset in every client module 2019-11-27 05:04:23 -08:00			`inherit (config) nix-bitcoin-services;`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`in {`
rename onion-chef -> nix-bitcoin.onionAddresses This clarifies its function. 2021-01-14 04:24:10 -08:00			`options.nix-bitcoin.onionAddresses = {`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`access = mkOption {`
onionAddresses: add more precise type for option 'access' 2021-01-14 04:24:13 -08:00			`type = with types; attrsOf (listOf str);`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`default = {};`
			`description = ''`
onionAddresses: add more precise type for option 'access' 2021-01-14 04:24:13 -08:00			`This option controls who is allowed to access onion addresses.`
			`For example, the following allows user 'myuser' to access bitcoind`
			`and clightning onion addresses:`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`{`
onionAddresses: add more precise type for option 'access' 2021-01-14 04:24:13 -08:00			`"myuser" = [ "bitcoind" "clightning" ];`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`};`
			`The onion hostnames can then be read from`
onionAddresses: add more precise type for option 'access' 2021-01-14 04:24:13 -08:00			`/var/lib/onion-addresses/myuser.`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`'';`
			`};`
onionAddresses: add readonly option 'dataDir' Used by 'onionServices' in a later commit for services that announce their onion address. 2021-01-14 04:24:16 -08:00			`dataDir = mkOption {`
			`readOnly = true;`
			`default = "/var/lib/onion-addresses";`
			`};`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`};`

onionAddresses: remove redundant option 'enable' The service can be disabled via `onion-addresses.access = mkForce {};` Also remove redundant description. 2021-01-14 04:24:12 -08:00			`config = mkIf (cfg.access != {}) {`
rename onion-chef -> nix-bitcoin.onionAddresses This clarifies its function. 2021-01-14 04:24:10 -08:00			`systemd.services.onion-addresses = {`
onion-chef: set RemainAfterExit, fix tor dependency This better fits the semantics of this unit and allows for easier automated testing whether the service is active. wantedBy = bindsTo = after = tor.service is the simplest way to ensure that this unit is always running/restarted in lockstep with tor. Previously, onion-chef would have stayed inactive in the case that tor was stopped and then later restarted. 2019-11-27 05:04:37 -08:00			`wantedBy = [ "tor.service" ];`
			`bindsTo = [ "tor.service" ];`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`after = [ "tor.service" ];`
All modules: Give service config precedence over defaultHardening With '//' the latter takes precedence over the former in case of equally named attributes. 2020-05-05 06:18:41 -07:00			`serviceConfig = nix-bitcoin-services.defaultHardening // {`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`Type = "oneshot";`
onion-chef: set RemainAfterExit, fix tor dependency This better fits the semantics of this unit and allows for easier automated testing whether the service is active. wantedBy = bindsTo = after = tor.service is the simplest way to ensure that this unit is always running/restarted in lockstep with tor. Previously, onion-chef would have stayed inactive in the case that tor was stopped and then later restarted. 2019-11-27 05:04:37 -08:00			`RemainAfterExit = true;`
onionAddresses: use StateDirectory instead of tmpfiles Simplifies the dataDir setup. 2021-01-14 04:24:11 -08:00			`StateDirectory = "onion-addresses";`
webindex & onion-chef: Run non-network-facing services in PrivateNetwork 2020-05-05 06:25:00 -07:00			`PrivateNetwork = "true"; # This service needs no network access`
service hardening: Add PrivateUsers Exceptions in webindex & onion-chef 2020-05-06 01:28:00 -07:00			`PrivateUsers = "false";`
service hardening: Add CapabilityBoundingSets Whitelist with exceptions in webindex and onion-chef 2020-05-05 06:27:07 -07:00			`CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";`
All modules: Give service config precedence over defaultHardening With '//' the latter takes precedence over the former in case of equally named attributes. 2020-05-05 06:18:41 -07:00			`};`
onionAddresses: use service 'script' option This also makes the script stop on errors. 2021-01-14 04:24:14 -08:00			`script = ''`
onionAddresses: improve script - use -e to check for existence of /var/lib/tor/state, use shorter polling interval - clear existing dataDir contents to avoid accumulating obsolete data - use concatMapStrings instead of foldl' 2021-01-14 04:24:15 -08:00			`# Wait until tor is up`
			`until [[ -e /var/lib/tor/state ]]; do sleep 0.1; done`
onionAddresses: use service 'script' option This also makes the script stop on errors. 2021-01-14 04:24:14 -08:00
onionAddresses: add readonly option 'dataDir' Used by 'onionServices' in a later commit for services that announce their onion address. 2021-01-14 04:24:16 -08:00			`cd ${cfg.dataDir}`
onionAddresses: improve script - use -e to check for existence of /var/lib/tor/state, use shorter polling interval - clear existing dataDir contents to avoid accumulating obsolete data - use concatMapStrings instead of foldl' 2021-01-14 04:24:15 -08:00			`rm -rf *`
onionAddresses: use service 'script' option This also makes the script stop on errors. 2021-01-14 04:24:14 -08:00
onionAddresses: improve script - use -e to check for existence of /var/lib/tor/state, use shorter polling interval - clear existing dataDir contents to avoid accumulating obsolete data - use concatMapStrings instead of foldl' 2021-01-14 04:24:15 -08:00			`${concatMapStrings`
			`(user: ''`
onionAddresses: use service 'script' option This also makes the script stop on errors. 2021-01-14 04:24:14 -08:00			`mkdir -p -m 0700 ${user}`
			`chown ${user} ${user}`
onionAddresses: improve script - use -e to check for existence of /var/lib/tor/state, use shorter polling interval - clear existing dataDir contents to avoid accumulating obsolete data - use concatMapStrings instead of foldl' 2021-01-14 04:24:15 -08:00			`${concatMapStrings`
			`(service: ''`
			`onionFile=/var/lib/tor/onion/${service}/hostname`
			`if [[ -e $onionFile ]]; then`
			`cp $onionFile ${user}/${service}`
			`chown ${user} ${user}/${service}`
			`fi`
			`'')`
			`cfg.access.${user}`
			`}`
			`'')`
onionAddresses: use service 'script' option This also makes the script stop on errors. 2021-01-14 04:24:14 -08:00			`(builtins.attrNames cfg.access)`
			`}`
			`'';`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 07:46:13 -07:00			`};`
			`};`
			`}`