services: add helper fn setAllowedIPAddresses

Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist which doesn't use Tor.
2021-03-22 13:19:45 +01:00 · 2021-03-22 13:19:45 +01:00 · 020433cec6
parent cdf27d9d0c
commit 020433cec6
11 changed files with 22 additions and 45 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -357,9 +357,7 @@ in {
        Restart = "on-failure";
        UMask = mkIf cfg.dataDirReadableByGroup "0027";
        ReadWritePaths = cfg.dataDir;
-      } // (if cfg.enforceTor
-            then nbLib.allowTor
-            else nbLib.allowAnyIP)
+      } // nbLib.allowedIPAddresses cfg.enforceTor
        // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
    };

@ -385,7 +383,7 @@ in {
        User = cfg.user;
        Group = cfg.group;
        ReadWritePaths = cfg.dataDir;
-      } // nbLib.allowTor;
+      } // nbLib.allowLocalIPAddresses;
    };

    users.users.${cfg.user}.group = cfg.group;
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@ -155,10 +155,7 @@ in {
        RestartSec = "10s";
        ReadWritePaths = cfg.nbxplorer.dataDir;
        MemoryDenyWriteExecute = "false";
-      } // (if cfg.nbxplorer.enforceTor
-        then nbLib.allowTor
-        else nbLib.allowAnyIP
-      );
+      } // nbLib.allowedIPAddresses cfg.nbxplorer.enforceTor;
    };

    systemd.services.btcpayserver = let
@ -204,10 +201,7 @@ in {
        RestartSec = "10s";
        ReadWritePaths = cfg.btcpayserver.dataDir;
        MemoryDenyWriteExecute = "false";
-      } // (if cfg.btcpayserver.enforceTor
-        then nbLib.allowTor
-        else nbLib.allowAnyIP
-      );
+      } // nbLib.allowedIPAddresses cfg.btcpayserver.enforceTor;
    }; in self;

    users.users.${cfg.nbxplorer.user} = {
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -128,10 +128,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = cfg.dataDir;
-      } // (if cfg.enforceTor
-          then nbLib.allowTor
-          else nbLib.allowAnyIP
-        );
+      } // nbLib.allowedIPAddresses cfg.enforceTor;
      # Wait until the rpc socket appears
      postStart = ''
        while [[ ! -e ${cfg.networkDir}/lightning-rpc ]]; do
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -102,10 +102,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${bitcoind.dataDir}" else ""}";
-      } // (if cfg.enforceTor
-          then nbLib.allowTor
-          else nbLib.allowAnyIP
-        );
+      } // nbLib.allowedIPAddresses cfg.enforceTor;
    };

    users.users.${cfg.user} = {
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@ -102,9 +102,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = cfg.dataDir;
-      } // (if cfg.enforceTor
-            then nbLib.allowTor
-            else nbLib.allowAnyIP);
+      } // nbLib.allowedIPAddresses cfg.enforceTor;
    };

     nix-bitcoin.secrets = {
--- a/modules/lightning-pool.nix
+++ b/modules/lightning-pool.nix
@ -100,9 +100,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = cfg.dataDir;
-      } // (if cfg.enforceTor
-            then nbLib.allowTor
-            else nbLib.allowAnyIP);
+      } // (nbLib.allowedIPAddresses cfg.enforceTor);
    };
  };
 }
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -239,10 +239,7 @@ in {
        PIDFile = pidFile;
        Restart = "on-failure";
        ReadWritePaths = cfg.dataDir;
-      } // (if cfg.enforceTor
-          then nbLib.allowTor
-          else nbLib.allowAnyIP
-        );
+      } // nbLib.allowedIPAddresses cfg.enforceTor;
    };

    users.users.${cfg.user} = {
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -262,10 +262,8 @@ in {
            '') (attrNames cfg.macaroons)}
          '')
        ];
-      } // (if cfg.enforceTor
-          then nbLib.allowTor
-          else nbLib.allowAnyIP
-        ) // nbLib.allowAnyProtocol;  # For ZMQ
+      } // nbLib.allowedIPAddresses cfg.enforceTor
+        // nbLib.allowAnyProtocol;  # For ZMQ
    };

    users.users.${cfg.user} = {
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@ -83,9 +83,7 @@ in {
        ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
        User = "recurring-donations";
        Type = "oneshot";
-      } // (if cfg.enforceTor
-            then nbLib.allowTor
-            else nbLib.allowAnyIP);
+      } // nbLib.allowedIPAddresses cfg.enforceTor;
    };
    systemd.timers.recurring-donations = {
      requires = [ "clightning.service" ];
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -79,9 +79,7 @@ in {
        User = cfg.user;
        Restart = "on-failure";
        RestartSec = "10s";
-      } // (if cfg.enforceTor
-            then nbLib.allowTor
-            else nbLib.allowAnyIP)
+      } // nbLib.allowedIPAddresses cfg.enforceTor
        // nbLib.nodejs;
    };
    nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@ -35,13 +35,17 @@ let self = {

  # nodejs applications apparently rely on memory write execute
  nodejs = { MemoryDenyWriteExecute = "false"; };
-  # Allow tor traffic. Allow takes precedence over Deny.
-  allowTor = {
+
+  # Allow takes precedence over Deny.
+  allowLocalIPAddresses = {
    IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
  };
-  # Allow any traffic
-  allowAnyIP = { IPAddressAllow = "any"; };
-  allowAnyProtocol = { RestrictAddressFamilies = "~"; };
+  allowAllIPAddresses = { IPAddressAllow = "any"; };
+  allowTor = self.allowLocalIPAddresses;
+  allowedIPAddresses = onlyLocal:
+    if onlyLocal
+    then self.allowLocalIPAddresses
+    else self.allowAllIPAddresses;

  enforceTor = mkOption {
    type = types.bool;