add nix-bitcoin.onionServices
This commit is contained in:
parent
fffe988248
commit
05b5402bb1
@ -25,6 +25,7 @@ with lib;
|
|||||||
./versioning.nix
|
./versioning.nix
|
||||||
./security.nix
|
./security.nix
|
||||||
./onion-addresses.nix
|
./onion-addresses.nix
|
||||||
|
./onion-services.nix
|
||||||
./netns-isolation.nix
|
./netns-isolation.nix
|
||||||
./backups.nix
|
./backups.nix
|
||||||
];
|
];
|
||||||
|
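--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@@ -0,0 +1,103 @@
+# This module creates onion-services for NixOS services.
+# An onion service can be enabled for every service that defines
+# options 'address', 'port' and optionally 'getPublicAddressCmd'.
+#
+# See it in use at ./presets/enable-tor.nix
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.nix-bitcoin.onionServices;
+
+services = builtins.attrNames cfg;
+
+activeServices = builtins.filter (service:
+config.services.${service}.enable && cfg.${service}.enable
+) services;
+
+publicServices = builtins.filter (service: cfg.${service}.public) activeServices;
+in {
+options.nix-bitcoin.onionServices = mkOption {
+default = {};
+type = with types; attrsOf (submodule (
+{ config, ... }: {
+options = {
+enable = mkOption {
+type = types.bool;
+default = config.public;
+description = ''
+Create an onion service for the given service.
+The service must define options 'address' and 'port'.
+'';
+};
+public = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Make the onion address accessible to the service.
+If enabled, the onion service is automatically enabled.
+Only available for services that define option `getPublicAddressCmd`.
+'';
+};
+externalPort = mkOption {
+type = types.nullOr types.port;
+default = null;
+description = "Override the external port of the onion service.";
+};
+};
+}
+));
+};
+
+config = mkMerge [
+(mkIf (cfg != {}) {
+# Define hidden services
+services.tor = {
+enable = true;
+hiddenServices = genAttrs activeServices (name:
+let
+service = config.services.${name};
+inherit (cfg.${name}) externalPort;
+in {
+map = [{
+port = if externalPort != null then externalPort else service.port;
+toPort = service.port;
+toHost = if service.address == "0.0.0.0" then "127.0.0.1" else service.address;
+}];
+version = 3;
+}
+);
+};
+
+# Enable public services to access their own onion addresses
+nix-bitcoin.onionAddresses.access = (
+genAttrs publicServices singleton
+) // {
+# Allow the operator user to access onion addresses for all active services
+${config.nix-bitcoin.operator.name} = mkIf config.nix-bitcoin.operator.enable activeServices;
+};
+systemd.services = let
+onionAddresses = [ "onion-addresses.service" ];
+in genAttrs publicServices (service: {
+requires = onionAddresses;
+after = onionAddresses;
+});
+})
+
+# Set getPublicAddressCmd for public services
+{
+services = let
+# publicServices' doesn't depend on config.services.*.enable,
+# so we can use it to define config.services without causing infinite recursion
+publicServices' = builtins.filter (service:
+let srv = cfg.${service};
+in srv.public && srv.enable
+) services;
+in genAttrs publicServices' (service: {
+getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}/${service}";
+});
+}
+];
+}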
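Review bot: The `enable` option's description promises that the target service defines `address` and `port`, but the hidden-service map built from `activeServices` reads `service.address` and `service.port` with no check that the service exists or defines them, so an entry for a service that lacks those options (or a typo'd name under `nix-bitcoin.onionServices`) fails with a generic missing-attribute evaluation error instead of naming the misconfiguration. An `assertions` entry inside the `mkIf (cfg != {})` block would make that contract explicit and, as far as I can tell from NixOS's assertion handling, would surface before the tor config is evaluated; proposed lines below. Separately, the `toHost` line only rewrites the IPv4 wildcard `0.0.0.0`; an IPv6 wildcard or a bare IPv6 literal such as `::1` is passed through unchanged, which may not be what the tor module's port mapping expects, so either map `::` to `127.0.0.1` as well or state in the header comment that only IPv4 service addresses are supported.
```nix
(mkIf (cfg != {}) {
assertions = map (service: {
assertion = !cfg.${service}.enable || (config.services ? ${service} && config.services.${service} ? address && config.services.${service} ? port);
message = "nix-bitcoin.onionServices.${service}: services.${service} must exist and define options 'address' and 'port'.";
}) services;
# … unchanged: services.tor, nix-bitcoin.onionAddresses.access, systemd.services …
```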