From 582cb86d7409bf4481fd2fa79b6d53bc136a6a6e Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 10 Jun 2020 14:44:50 +0000
Subject: [PATCH] nanopos: add netns
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
services
- Adds charged-url option to allow using nanopos with network
namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
---
modules/nanopos.nix | 42 +++++++++++++++++++++++++++++---
modules/netns-isolation.nix | 10 ++++++++
modules/nix-bitcoin-webindex.nix | 13 +---------
modules/presets/secure-node.nix | 2 ++
4 files changed, 52 insertions(+), 15 deletions(-)
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index 91af50c..eb410d0 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -49,6 +49,26 @@ in {
"The items file (see nanopos README).";
'';
};
+ charged-url = mkOption {
+ type = types.str;
+ default = "http://localhost:9112";
+ description = ''
+ "The lightning charge server url.";
+ '';
+ };
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = ''
+ "http server listen address.";
+ '';
+ };
+ extraArgs = mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description = "Extra command line arguments passed to nanopos.";
+ };
+ enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
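Review bot: The new `host` and `charged-url` options are plain `types.str` with descriptions that do not say what they are used for, although `host` is interpolated into both the nginx `proxy_pass` and the nanopos `ExecStart` later in this patch and must therefore be an address nanopos can bind. The two defaults also differ in form, `127.0.0.1` for `host` but `localhost` inside `http://localhost:9112`; if name resolution prefers `::1` for `localhost` while lightning-charge binds only IPv4, the default connection fails, so `default = "http://127.0.0.1:9112";` would be the safer choice. I would make the descriptions explicit: `"Address nanopos listens on; nginx proxies /store/ to this address."` for `host` and `"URL of the lightning-charge HTTP API that nanopos connects to."` for `charged-url`. The enclosing options set starts before this hunk.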
@@ -59,6 +79,20 @@ in {
];
environment.systemPackages = [ pkgs.nix-bitcoin.nanopos ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."_" = {
+ root = "/var/www";
+ extraConfig = ''
+ location /store/ {
+ proxy_pass http://${toString cfg.host}:${toString cfg.port};
+ rewrite /store/(.*) /$1 break;
+ }
+ '';
+ };
+ };
+
systemd.services.nanopos = {
description = "Run nanopos";
wantedBy = [ "multi-user.target" ];
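Review bot: The nginx block added here defines `virtualHosts."_".root = "/var/www"` while nix-bitcoin-webindex.nix keeps its own identical definition (visible in the third file of this patch); NixOS tolerates two equal definitions of a `types.str` option, but as soon as one of them changes evaluation fails with a conflicting-definition error, so one module should own the vhost and the other contribute only `extraConfig`. The `toString` around `cfg.host` is a no-op on a string and can go: `proxy_pass http://${cfg.host}:${toString cfg.port};`. Because this location now proxies to a non-loopback address across a network namespace, a short comment such as `# cfg.host is the nanopos netns address when netns-isolation is enabled` would explain why the target is not 127.0.0.1. The `config` set containing this block starts before this hunk.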
@@ -66,12 +100,14 @@ in {
after = [ "lightning-charge.service" ];
serviceConfig = nix-bitcoin-services.defaultHardening // {
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
- ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
+ ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -i ${toString cfg.host} -p ${toString cfg.port} -c ${toString cfg.charged-url} --show-bolt11 ${cfg.extraArgs}";
User = "nanopos";
Restart = "on-failure";
RestartSec = "10s";
- } // nix-bitcoin-services.nodejs
- // nix-bitcoin-services.allowTor;
+ } // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP)
+ // nix-bitcoin-services.nodejs;
};
users.users.nanopos = {
description = "nanopos User";
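Review bot: The merge order of the hardening sets changed: `nix-bitcoin-services.allowTor` used to be the rightmost operand of `//`, now `nix-bitcoin-services.nodejs` is, so any key present in both `nodejs` and `allowTor`/`allowAnyIP` is now taken from `nodejs` and would silently override the network restriction that `enforceTor` selects. If the two sets are disjoint this is harmless, but the restriction should be the one that wins, so I would keep it last: `} // nix-bitcoin-services.nodejs // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP);`. The `toString` calls on `cfg.host` and `cfg.charged-url` are no-ops on `types.str` values and can be dropped from the `ExecStart` line. The `systemd.services.nanopos` definition begins before this hunk.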
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 130fd3a..bfe5040 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -115,6 +115,10 @@ in {
# communicates with clightning over lightning-rpc socket
connections = [];
};
+ nanopos = {
+ id = 19;
+ connections = [ "nginx" "lightning-charge" ];
+ };
};
systemd.services = {
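Review bot: The new `nanopos` netns entry has no comment explaining its `connections`, unlike the neighbouring entry that carries `# communicates with clightning over lightning-rpc socket`; I would add `# nginx proxies /store/ to nanopos; nanopos calls the lightning-charge HTTP API` above `connections` so the allow-list can be audited against the traffic the services actually need. I cannot see from this hunk whether `id = 19` is already used by another entry in the file; since the later hunk derives `netns.nanopos.address` from this entry, a duplicate id could give two services the same address, so that is worth checking. The enclosing attribute set starts before this hunk.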
@@ -271,6 +275,12 @@ in {
# lightning-charge: Custom netns configs
services.lightning-charge.host = mkIf config.services.lightning-charge.enable netns.lightning-charge.address;
+ # nanopos: Custom netns configs
+ services.nanopos = mkIf config.services.nanopos.enable {
+ charged-url = "http://${netns.lightning-charge.address}:9112";
+ host = netns.nanopos.address;
+ };
+
})
# Custom netns config option values if netns-isolation not enabled
(mkIf (!cfg.enable) {
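Review bot: The literal port in `charged-url = "http://${netns.lightning-charge.address}:9112";` duplicates the `http://localhost:9112` default this same patch adds to nanopos.nix, so the lightning-charge port now lives in two modules and can drift; if lightning-charge exposes its port as a NixOS option, reference that here, otherwise a comment such as `# 9112 must match lightning-charge's listen port and the default in nanopos.nix` marks the coupling. The values are set with plain `=` rather than `mkDefault`, so a user definition of `charged-url` or `host` would conflict while netns-isolation is enabled; that matches how `services.lightning-charge.host` is set on the line above, so it is consistent, but the intent that netns-isolation owns these values deserves a comment. The enclosing `mkIf cfg.enable` set starts before this hunk.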
diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix
index 39ba9b9..a259ca1 100644
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@@ -13,11 +13,7 @@ let
nix-bitcoin
-
-
-
+ ${optionalString config.services.nanopos.enable ''''}
lightning node: CLIGHTNING_ID
@@ -61,12 +57,6 @@ in {
enable = true;
virtualHosts."_" = {
root = "/var/www";
- extraConfig = ''
- location /store/ {
- proxy_pass http://127.0.0.1:${toString config.services.nanopos.port};
- rewrite /store/(.*) /$1 break;
- }
- '';
};
};
services.tor.hiddenServices.nginx = {
@@ -82,7 +72,6 @@ in {
systemd.services.create-web-index = {
description = "Get node info";
wantedBy = [ "multi-user.target" ];
- after = [ "nodeinfo.service" ];
path = with pkgs; [
config.programs.nodeinfo
config.services.clightning.cli
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index c36e4b2..ba0f0bf 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -129,6 +129,8 @@ in {
services.lightning-charge.enforceTor = true;
+ services.nanopos.enforceTor = true;
+
services.nix-bitcoin-webindex.enforceTor = true;