From 020433cec6c333830439a533c2ed09ea7f01df93 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 22 Mar 2021 13:19:45 +0100
Subject: [PATCH] services: add helper fn setAllowedIPAddresses

Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist which doesn't use Tor.

---
 modules/bitcoind.nix | 6 ++----
 modules/btcpayserver.nix | 10 ++--------
 modules/clightning.nix | 5 +----
 modules/electrs.nix | 5 +----
 modules/lightning-loop.nix | 4 +---
 modules/lightning-pool.nix | 4 +---
 modules/liquid.nix | 5 +----
 modules/lnd.nix | 6 ++----
 modules/recurring-donations.nix | 4 +---
 modules/spark-wallet.nix | 4 +---
 pkgs/lib.nix | 14 +++++++++-----
 11 files changed, 22 insertions(+), 45 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index ed43c31..6633f40 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -357,9 +357,7 @@ in {
 Restart = "on-failure";
 UMask = mkIf cfg.dataDirReadableByGroup "0027";
 ReadWritePaths = cfg.dataDir;
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP)
+ } // nbLib.allowedIPAddresses cfg.enforceTor
 // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
 };
@@ -385,7 +383,7 @@ in {
 User = cfg.user;
 Group = cfg.group;
 ReadWritePaths = cfg.dataDir;
- } // nbLib.allowTor;
+ } // nbLib.allowLocalIPAddresses;
 };
 users.users.${cfg.user}.group = cfg.group;
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index d529883..7504144 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -155,10 +155,7 @@ in {
 RestartSec = "10s";
 ReadWritePaths = cfg.nbxplorer.dataDir;
 MemoryDenyWriteExecute = "false";
- } // (if cfg.nbxplorer.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP
- );
+ } // nbLib.allowedIPAddresses cfg.nbxplorer.enforceTor;
 };
 systemd.services.btcpayserver = let
@@ -204,10 +201,7 @@ in {
 RestartSec = "10s";
 ReadWritePaths = cfg.btcpayserver.dataDir;
 MemoryDenyWriteExecute = "false";
- } // (if cfg.btcpayserver.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP
- );
+ } // nbLib.allowedIPAddresses cfg.btcpayserver.enforceTor;
 };
 in self;
 users.users.${cfg.nbxplorer.user} = {
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 6015b5a..1fbff34 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -128,10 +128,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP
- );
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 # Wait until the rpc socket appears
 postStart = ''
 while [[ ! -e ${cfg.networkDir}/lightning-rpc ]]; do
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 6e51b59..53a20ad 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -102,10 +102,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${bitcoind.dataDir}" else ""}";
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP
- );
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 };
 users.users.${cfg.user} = {
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 4ba3022..9d40b9c 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -102,9 +102,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP);
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 };
 nix-bitcoin.secrets = {
diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix
index b9d10ca..89dcfec 100644
--- a/modules/lightning-pool.nix
+++ b/modules/lightning-pool.nix
@@ -100,9 +100,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP);
+ } // (nbLib.allowedIPAddresses cfg.enforceTor);
 };
 };
 }
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 2c6e2f9..c05278a 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -239,10 +239,7 @@ in {
 PIDFile = pidFile;
 Restart = "on-failure";
 ReadWritePaths = cfg.dataDir;
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP
- );
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 };
 users.users.${cfg.user} = {
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 18bd166..be59675 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -262,10 +262,8 @@ in {
 '') (attrNames cfg.macaroons)}
 '')
 ];
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP
- ) // nbLib.allowAnyProtocol; # For ZMQ
+ } // nbLib.allowedIPAddresses cfg.enforceTor
+ // nbLib.allowAnyProtocol; # For ZMQ
 };
 users.users.${cfg.user} = {
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index 9386cc2..68d48ab 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -83,9 +83,7 @@ in {
 ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
 User = "recurring-donations";
 Type = "oneshot";
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP);
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 };
 systemd.timers.recurring-donations = {
 requires = [ "clightning.service" ];
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 8ffdc21..f9947ec 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -79,9 +79,7 @@ in {
 User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
- } // (if cfg.enforceTor
- then nbLib.allowTor
- else nbLib.allowAnyIP)
+ } // nbLib.allowedIPAddresses cfg.enforceTor
 // nbLib.nodejs;
 };
 nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
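Review bot: `} // (nbLib.allowedIPAddresses cfg.enforceTor);` in the lightning-pool.nix hunk is the only call site in this commit that wraps the application in parentheses; the other modules write `} // nbLib.allowedIPAddresses cfg.enforceTor;`. Function application binds tighter than `//` in Nix, so the parentheses change nothing, and I'd drop them so all ten call sites read the same way. The `serviceConfig` set this line closes starts above the hunk.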
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index b6919cf..bf29b68 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -35,13 +35,17 @@ let self = {
 # nodejs applications apparently rely on memory write execute
 nodejs = { MemoryDenyWriteExecute = "false"; };
- # Allow tor traffic. Allow takes precedence over Deny.
- allowTor = {
+
+ # Allow takes precedence over Deny.
+ allowLocalIPAddresses = {
 IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
 };
- # Allow any traffic
- allowAnyIP = { IPAddressAllow = "any"; };
- allowAnyProtocol = { RestrictAddressFamilies = "~"; };
+ allowAllIPAddresses = { IPAddressAllow = "any"; };
+ allowTor = self.allowLocalIPAddresses;
+ allowedIPAddresses = onlyLocal:
+ if onlyLocal
+ then self.allowLocalIPAddresses
+ else self.allowAllIPAddresses;
 enforceTor = mkOption {
 type = types.bool;
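Review bot: The hunk removes `allowAnyProtocol = { RestrictAddressFamilies = "~"; };` and adds no replacement that I can see, yet the new sides of the bitcoind.nix and lnd.nix hunks still merge in `nbLib.allowAnyProtocol`; unless that attribute is re-defined outside this hunk, evaluating those modules fails with an undefined attribute, so keep the line (or re-add it next to `allowedIPAddresses`). The rename is also only half compatibility-shimmed: `allowTor = self.allowLocalIPAddresses;` keeps the old name alive, but `allowAnyIP` is dropped outright, so any out-of-tree module still using `nbLib.allowAnyIP` breaks; either add `allowAnyIP = self.allowAllIPAddresses;` beside it or drop both aliases. The deleted `# Allow tor traffic` comment was the only explanation of why the local set exists, and `169.254.0.0/16` (link-local, not loopback) is now unexplained; I'd add `# Loopback plus link-local; this is what enforceTor selects, presumably because the Tor proxy is reached over loopback — confirm`. The commit subject names the helper `setAllowedIPAddresses` while the code defines `allowedIPAddresses`. The `self` attribute set continues past the end of the hunk.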