rename onion-chef -> nix-bitcoin.onionAddresses

This clarifies its function.

modules/clightning.nix

@@ -6,7 +6,7 @@ let
   cfg = config.services.clightning;
   inherit (config) nix-bitcoin-services;
   nbPkgs = config.nix-bitcoin.pkgs;
-  onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
+  onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
   network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest";
   configFile = pkgs.writeText "config" ''
     network=${network}
@@ -108,13 +108,13 @@ in {
       "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
     ];
 
-    services.onion-chef.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
+    nix-bitcoin.onionAddresses.access.clightning = if cfg.announce-tor then [ "clightning" ] else [];
     systemd.services.clightning = {
       description = "Run clightningd";
       path  = [ nbPkgs.bitcoind ];
       wantedBy = [ "multi-user.target" ];
-      requires = [ "bitcoind.service" ] ++ onion-chef-service;
-      after = [ "bitcoind.service" ] ++ onion-chef-service;
+      requires = [ "bitcoind.service" ] ++ onionAddressesService;
+      after = [ "bitcoind.service" ] ++ onionAddressesService;
       preStart = ''
         cp ${configFile} ${cfg.dataDir}/config
         chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
@@ -122,7 +122,7 @@ in {
         rm -f ${cfg.networkDir}/lightning-rpc
         chmod 640 ${cfg.dataDir}/config
         echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config'
-        ${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-chef/clightning/clightning) >> '${cfg.dataDir}/config'"}
+        ${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-addresses/clightning/clightning) >> '${cfg.dataDir}/config'"}
         '';
       serviceConfig = nix-bitcoin-services.defaultHardening // {
         ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";

modules/lnd.nix

@@ -9,7 +9,7 @@ let
 
   bitcoind = config.services.bitcoind;
   bitcoindRpcAddress = bitcoind.rpc.address;
-  onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
+  onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []);
   networkDir = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}";
   configFile = pkgs.writeText "lnd.conf" ''
     datadir=${cfg.dataDir}
@@ -165,16 +165,16 @@ in {
       zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333";
     };
 
-    services.onion-chef.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
+    nix-bitcoin.onionAddresses.access.lnd = if cfg.announce-tor then [ "lnd" ] else [];
     systemd.services.lnd = {
       description = "Run LND";
       wantedBy = [ "multi-user.target" ];
-      requires = [ "bitcoind.service" ] ++ onion-chef-service;
-      after = [ "bitcoind.service" ] ++ onion-chef-service;
+      requires = [ "bitcoind.service" ] ++ onionAddressesService;
+      after = [ "bitcoind.service" ] ++ onionAddressesService;
       preStart = ''
         install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
         echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf'
-        ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
+        ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-addresses/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
       '';
       serviceConfig = nix-bitcoin-services.defaultHardening // {
         RuntimeDirectory = "lnd"; # Only used to store custom macaroons

modules/modules.nix

@@ -24,9 +24,9 @@ with lib;
     # Support features
     ./versioning.nix
     ./security.nix
+    ./onion-addresses.nix
     ./netns-isolation.nix
     ./backups.nix
-    ./onion-chef.nix
   ];
 
   disabledModules = [ "services/networking/bitcoind.nix" ];

modules/nodeinfo.nix

@@ -7,12 +7,12 @@ let
   script = pkgs.writeScriptBin "nodeinfo" ''
     set -eo pipefail
 
-    BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"
+    BITCOIND_ONION="$(cat /var/lib/onion-addresses/${operatorName}/bitcoind)"
     echo BITCOIND_ONION="$BITCOIND_ONION"
 
     if systemctl is-active --quiet clightning; then
       CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
-      CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)"
+      CLIGHTNING_ONION="$(cat /var/lib/onion-addresses/${operatorName}/clightning)"
       CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
       echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
       echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
@@ -24,37 +24,37 @@ let
       echo LND_NODEID="$LND_NODEID"
     fi
 
-    NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx
+    NGINX_ONION_FILE=/var/lib/onion-addresses/${operatorName}/nginx
     if [ -e "$NGINX_ONION_FILE" ]; then
       NGINX_ONION="$(cat $NGINX_ONION_FILE)"
       echo NGINX_ONION="$NGINX_ONION"
     fi
 
-    LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd
+    LIQUIDD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/liquidd
     if [ -e "$LIQUIDD_ONION_FILE" ]; then
       LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
       echo LIQUIDD_ONION="$LIQUIDD_ONION"
     fi
 
-    SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet
+    SPARKWALLET_ONION_FILE=/var/lib/onion-addresses/${operatorName}/spark-wallet
     if [ -e "$SPARKWALLET_ONION_FILE" ]; then
       SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
       echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
     fi
 
-    ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs
+    ELECTRS_ONION_FILE=/var/lib/onion-addresses/${operatorName}/electrs
     if [ -e "$ELECTRS_ONION_FILE" ]; then
       ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
       echo ELECTRS_ONION="$ELECTRS_ONION"
     fi
 
-    BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver
+    BTCPAYSERVER_ONION_FILE=/var/lib/onion-addresses/${operatorName}/btcpayserver
     if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then
       BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)"
       echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION"
     fi
 
-    SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
+    SSHD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/sshd
     if [ -e "$SSHD_ONION_FILE" ]; then
     SSHD_ONION="$(cat $SSHD_ONION_FILE)"
     echo SSHD_ONION="$SSHD_ONION"

modules/onion-addresses.nix

@@ -1,17 +1,18 @@
-# The onion chef module allows unprivileged users to read onion hostnames.
-# By default the onion hostnames in /var/lib/tor/onion are only readable by the
-# tor user. The onion chef copies the onion hostnames into into
-# /var/lib/onion-chef and sets permissions according to the access option.
+# This module enables unprivileged users to read onion addresses.
+# By default, onion addresses in /var/lib/tor/onion are only readable by the
+# tor user.
+# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
+# and sets permissions according to option 'access'.
 
 { config, lib, pkgs, ... }:
 
 with lib;
 
 let
-  cfg = config.services.onion-chef;
+  cfg = config.nix-bitcoin.onionAddresses;
   inherit (config) nix-bitcoin-services;
-  dataDir = "/var/lib/onion-chef/";
-  onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
+  dataDir = "/var/lib/onion-addresses/";
+  onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
     # wait until tor is up
     until ls -l /var/lib/tor/state; do sleep 1; done
 
@@ -42,12 +43,12 @@ let
     }
   '';
 in {
-  options.services.onion-chef = {
+  options.nix-bitcoin.onionAddresses = {
     enable = mkOption {
       type = types.bool;
       default = false;
       description = ''
-        If enabled, the onion-chef service will be installed.
+        If enabled, the onion-addresses service will be installed.
       '';
     };
     access = mkOption {
@@ -61,7 +62,7 @@ in {
           "operator" = [ "bitcoind" "clightning" ];
         };
         The onion hostnames can then be read from
-        /var/lib/onion-chef/<user>.
+        /var/lib/onion-addresses/<user>.
       '';
     };
   };
@@ -71,13 +72,13 @@ in {
       "d '${dataDir}' 0755 root root - -"
     ];
 
-    systemd.services.onion-chef = {
-      description = "Run onion-chef";
+    systemd.services.onion-addresses = {
+      description = "Run onion-addresses";
       wantedBy = [ "tor.service" ];
       bindsTo = [ "tor.service" ];
       after = [ "tor.service" ];
       serviceConfig = nix-bitcoin-services.defaultHardening // {
-        ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
+        ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
         Type = "oneshot";
         RemainAfterExit = true;
         PrivateNetwork = "true"; # This service needs no network access

modules/presets/secure-node.nix

@@ -124,7 +124,7 @@ in {
       qrencode
     ];
 
-    services.onion-chef = {
+    nix-bitcoin.onionAddresses = {
       enable = true;
       access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
     };

modules/spark-wallet.nix

@@ -5,14 +5,14 @@ with lib;
 let
   cfg = config.services.spark-wallet;
   inherit (config) nix-bitcoin-services;
-  onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
+  onionAddressesService = (if cfg.onion-service then [ "onion-addresses.service" ] else []);
 
   # Use wasabi rate provider because the default (bitstamp) doesn't accept
   # connections through Tor
   torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}";
   startScript = ''
     ${optionalString cfg.onion-service ''
-      publicURL="--public-url http://$(cat /var/lib/onion-chef/spark-wallet/spark-wallet)"
+      publicURL="--public-url http://$(cat /var/lib/onion-addresses/spark-wallet/spark-wallet)"
     ''}
     exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
       --ln-path '${config.services.clightning.networkDir}'  \
@@ -72,19 +72,19 @@ in {
       }];
       version = 3;
     };
-    services.onion-chef.enable = cfg.onion-service;
-    services.onion-chef.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
+    nix-bitcoin.onionAddresses.enable = cfg.onion-service;
+    nix-bitcoin.onionAddresses.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
     systemd.services.spark-wallet = {
       description = "Run spark-wallet";
       wantedBy = [ "multi-user.target" ];
-      requires = [ "clightning.service" ] ++ onion-chef-service;
-      after = [ "clightning.service" ]  ++ onion-chef-service;
+      requires = [ "clightning.service" ] ++ onionAddressesService;
+      after = [ "clightning.service" ]  ++ onionAddressesService;
       script = startScript;
       serviceConfig = nix-bitcoin-services.defaultHardening // {
         User = "spark-wallet";
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-chef";
+        ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";
       } // (if cfg.enforceTor
             then nix-bitcoin-services.allowTor
             else nix-bitcoin-services.allowAnyIP)

test/tests.py

@@ -218,7 +218,7 @@ def _():
 
 @test("secure-node")
 def _():
-    assert_running("onion-chef")
+    assert_running("onion-addresses")
 
     # FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
     # to incomplete unit dependencies.