diff --git a/modules/clightning.nix b/modules/clightning.nix
index 23f2307..fa621c4 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -6,7 +6,7 @@ let cfg = config.services.clightning; inherit (config) nix-bitcoin-services; nbPkgs = config.nix-bitcoin.pkgs; - onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []); + onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []); network = config.services.bitcoind.makeNetworkName "bitcoin" "regtest"; configFile = pkgs.writeText "config" '' network=${network}
@@ -108,13 +108,13 @@ in { "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" ]; - services.onion-chef.access.clightning = if cfg.announce-tor then [ "clightning" ] else []; + nix-bitcoin.onionAddresses.access.clightning = if cfg.announce-tor then [ "clightning" ] else []; systemd.services.clightning = { description = "Run clightningd"; path = [ nbPkgs.bitcoind ]; wantedBy = [ "multi-user.target" ]; - requires = [ "bitcoind.service" ] ++ onion-chef-service; - after = [ "bitcoind.service" ] ++ onion-chef-service; + requires = [ "bitcoind.service" ] ++ onionAddressesService; + after = [ "bitcoind.service" ] ++ onionAddressesService; preStart = '' cp ${configFile} ${cfg.dataDir}/config chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
@@ -122,7 +122,7 @@ in { rm -f ${cfg.networkDir}/lightning-rpc chmod 640 ${cfg.dataDir}/config echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config' - ${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-chef/clightning/clightning) >> '${cfg.dataDir}/config'"} + ${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-addresses/clightning/clightning) >> '${cfg.dataDir}/config'"} ''; serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart = "${nbPkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
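Review bot: `requires`/`after` pull in `onion-addresses.service` whenever `announce-tor` is set, but this module only sets `nix-bitcoin.onionAddresses.access.clightning` and never `enable`; if the onion-addresses config is gated on `enable` (its config section is not in this diff), a node that sets `announce-tor = true` without the secure-node preset ends up with a dependency on a unit that does not exist and clightning fails to start. spark-wallet.nix covers this with `nix-bitcoin.onionAddresses.enable = cfg.onion-service`; the equivalent here is `nix-bitcoin.onionAddresses.enable = mkIf cfg.announce-tor true;` next to the `access` line, and lnd.nix needs the same. In the preStart hunk, a failing `cat` inside a command substitution used as an `echo` argument does not fail the script even under `set -e`, so a missing or empty hostname file silently produces a bare `announce-addr=` line in the config; assigning first (`addr=$(cat /var/lib/onion-addresses/clightning/clightning)`) and echoing the variable lets the failure surface. The `let` block and the `systemd.services.clightning` attrset continue outside these hunks.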
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 226b60c..05fe9f6 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -9,7 +9,7 @@ let bitcoind = config.services.bitcoind; bitcoindRpcAddress = bitcoind.rpc.address; - onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []); + onionAddressesService = (if cfg.announce-tor then [ "onion-addresses.service" ] else []); networkDir = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}"; configFile = pkgs.writeText "lnd.conf" '' datadir=${cfg.dataDir}
@@ -165,16 +165,16 @@ in { zmqpubrawtx = "tcp://${bitcoindRpcAddress}:28333"; }; - services.onion-chef.access.lnd = if cfg.announce-tor then [ "lnd" ] else []; + nix-bitcoin.onionAddresses.access.lnd = if cfg.announce-tor then [ "lnd" ] else []; systemd.services.lnd = { description = "Run LND"; wantedBy = [ "multi-user.target" ]; - requires = [ "bitcoind.service" ] ++ onion-chef-service; - after = [ "bitcoind.service" ] ++ onion-chef-service; + requires = [ "bitcoind.service" ] ++ onionAddressesService; + after = [ "bitcoind.service" ] ++ onionAddressesService; preStart = '' install -m600 ${configFile} '${cfg.dataDir}/lnd.conf' echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf' - ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"} + ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-addresses/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"} ''; serviceConfig = nix-bitcoin-services.defaultHardening // { RuntimeDirectory = "lnd"; # Only used to store custom macaroons
diff --git a/modules/modules.nix b/modules/modules.nix
index 9c2b18d..878b4c6 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -24,9 +24,9 @@ with lib; # Support features ./versioning.nix ./security.nix + ./onion-addresses.nix ./netns-isolation.nix ./backups.nix - ./onion-chef.nix ]; disabledModules = [ "services/networking/bitcoind.nix" ];
diff --git a/modules/nodeinfo.nix b/modules/nodeinfo.nix
index 86f4174..254ad06 100644
--- a/modules/nodeinfo.nix
+++ b/modules/nodeinfo.nix
@@ -7,12 +7,12 @@ let script = pkgs.writeScriptBin "nodeinfo" '' set -eo pipefail - BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)" + BITCOIND_ONION="$(cat /var/lib/onion-addresses/${operatorName}/bitcoind)" echo BITCOIND_ONION="$BITCOIND_ONION" if systemctl is-active --quiet clightning; then CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id') - CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)" + CLIGHTNING_ONION="$(cat /var/lib/onion-addresses/${operatorName}/clightning)" CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735" echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID" echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
@@ -24,37 +24,37 @@ let echo LND_NODEID="$LND_NODEID" fi - NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx + NGINX_ONION_FILE=/var/lib/onion-addresses/${operatorName}/nginx if [ -e "$NGINX_ONION_FILE" ]; then NGINX_ONION="$(cat $NGINX_ONION_FILE)" echo NGINX_ONION="$NGINX_ONION" fi - LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd + LIQUIDD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/liquidd if [ -e "$LIQUIDD_ONION_FILE" ]; then LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)" echo LIQUIDD_ONION="$LIQUIDD_ONION" fi - SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet + SPARKWALLET_ONION_FILE=/var/lib/onion-addresses/${operatorName}/spark-wallet if [ -e "$SPARKWALLET_ONION_FILE" ]; then SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)" echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION" fi - ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs + ELECTRS_ONION_FILE=/var/lib/onion-addresses/${operatorName}/electrs if [ -e "$ELECTRS_ONION_FILE" ]; then ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)" echo ELECTRS_ONION="$ELECTRS_ONION" fi - BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver + BTCPAYSERVER_ONION_FILE=/var/lib/onion-addresses/${operatorName}/btcpayserver if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)" echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION" fi - SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd + SSHD_ONION_FILE=/var/lib/onion-addresses/${operatorName}/sshd if [ -e "$SSHD_ONION_FILE" ]; then SSHD_ONION="$(cat $SSHD_ONION_FILE)" echo SSHD_ONION="$SSHD_ONION"
diff --git a/modules/onion-chef.nix b/modules/onion-addresses.nix
similarity index 73%
rename from modules/onion-chef.nix
rename to modules/onion-addresses.nix
index 2fe3839..01d6ba0 100644
--- a/modules/onion-chef.nix
+++ b/modules/onion-addresses.nix
@@ -1,17 +1,18 @@ -# The onion chef module allows unprivileged users to read onion hostnames. -# By default the onion hostnames in /var/lib/tor/onion are only readable by the -# tor user. The onion chef copies the onion hostnames into into -# /var/lib/onion-chef and sets permissions according to the access option. +# This module enables unprivileged users to read onion addresses. +# By default, onion addresses in /var/lib/tor/onion are only readable by the +# tor user. +# The included service copies onion addresses to /var/lib/onion-addresses// +# and sets permissions according to option 'access'. { config, lib, pkgs, ... }: with lib; let - cfg = config.services.onion-chef; + cfg = config.nix-bitcoin.onionAddresses; inherit (config) nix-bitcoin-services; - dataDir = "/var/lib/onion-chef/"; - onion-chef-script = pkgs.writeScript "onion-chef.sh" '' + dataDir = "/var/lib/onion-addresses/"; + onion-addresses-script = pkgs.writeScript "onion-addresses.sh" '' # wait until tor is up until ls -l /var/lib/tor/state; do sleep 1; done
@@ -42,12 +43,12 @@ let } ''; in { - options.services.onion-chef = { + options.nix-bitcoin.onionAddresses = { enable = mkOption { type = types.bool; default = false; description = '' - If enabled, the onion-chef service will be installed. + If enabled, the onion-addresses service will be installed. ''; }; access = mkOption {
@@ -61,7 +62,7 @@ in { "operator" = [ "bitcoind" "clightning" ]; }; The onion hostnames can then be read from - /var/lib/onion-chef/. + /var/lib/onion-addresses/. ''; }; };
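Review bot: The options move from `services.onion-chef` to `nix-bitcoin.onionAddresses` without a compatibility alias, so any existing configuration that sets `services.onion-chef.enable` or `.access` stops evaluating once it picks up this change; adding `(mkRenamedOptionModule [ "services" "onion-chef" "enable" ] [ "nix-bitcoin" "onionAddresses" "enable" ])` and the same for `access` to the module's `imports` keeps those configs working. Separately, `dataDir` stays a `let` binding while clightning.nix, lnd.nix, spark-wallet.nix and nodeinfo.nix each hard-code the literal `/var/lib/onion-addresses` (this commit had to touch all of them); exposing it as a read-only option, e.g. `dataDir = mkOption { type = types.path; default = "/var/lib/onion-addresses/"; readOnly = true; };`, lets consumers reference `config.nix-bitcoin.onionAddresses.dataDir` instead. The rewritten header reads `/var/lib/onion-addresses//`; if a placeholder was not simply lost in rendering, it should spell out the layout the `access` example and the consumers rely on, `/var/lib/onion-addresses/<user>/<service>`. The `let` block and the module's config section continue outside these hunks.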
@@ -71,13 +72,13 @@ in { "d '${dataDir}' 0755 root root - -" ]; - systemd.services.onion-chef = { - description = "Run onion-chef"; + systemd.services.onion-addresses = { + description = "Run onion-addresses"; wantedBy = [ "tor.service" ]; bindsTo = [ "tor.service" ]; after = [ "tor.service" ]; serviceConfig = nix-bitcoin-services.defaultHardening // { - ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}"; + ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}"; Type = "oneshot"; RemainAfterExit = true; PrivateNetwork = "true"; # This service needs no network access
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 91f6122..8d77160 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -124,7 +124,7 @@ in { qrencode ]; - services.onion-chef = { + nix-bitcoin.onionAddresses = { enable = true; access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ]; };
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 091fb23..0e2a12d 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
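Review bot: The unit's `serviceConfig` sets no `User=`, so `onion-addresses.sh` runs as root under `defaultHardening`, and nothing at the unit says why; the file header explains that `/var/lib/tor/onion` is readable only by the tor user, so a comment above `serviceConfig` such as `# Runs as root: reads tor's onion hostnames and chowns the copies to the users listed in 'access'.` would keep the privilege decision visible where it is made. `Type = "oneshot"` with `RemainAfterExit = true` means the unit counts as active after a single copy pass; the script's visible wait loop only polls for `/var/lib/tor/state`, so if a hostname file is written later (the copy loop is outside this diff), consumers that `requires` this unit would still start and read nothing — worth confirming and noting in the `access` description. The `systemd.services.onion-addresses` attrset continues beyond this hunk.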
@@ -5,14 +5,14 @@ with lib; let cfg = config.services.spark-wallet; inherit (config) nix-bitcoin-services; - onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []); + onionAddressesService = (if cfg.onion-service then [ "onion-addresses.service" ] else []); # Use wasabi rate provider because the default (bitstamp) doesn't accept # connections through Tor torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}"; startScript = '' ${optionalString cfg.onion-service '' - publicURL="--public-url http://$(cat /var/lib/onion-chef/spark-wallet/spark-wallet)" + publicURL="--public-url http://$(cat /var/lib/onion-addresses/spark-wallet/spark-wallet)" ''} exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \ --ln-path '${config.services.clightning.networkDir}' \
@@ -72,19 +72,19 @@ in { }]; version = 3; }; - services.onion-chef.enable = cfg.onion-service; - services.onion-chef.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else []; + nix-bitcoin.onionAddresses.enable = cfg.onion-service; + nix-bitcoin.onionAddresses.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else []; systemd.services.spark-wallet = { description = "Run spark-wallet"; wantedBy = [ "multi-user.target" ]; - requires = [ "clightning.service" ] ++ onion-chef-service; - after = [ "clightning.service" ] ++ onion-chef-service; + requires = [ "clightning.service" ] ++ onionAddressesService; + after = [ "clightning.service" ] ++ onionAddressesService; script = startScript; serviceConfig = nix-bitcoin-services.defaultHardening // { User = "spark-wallet"; Restart = "on-failure"; RestartSec = "10s"; - ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-chef"; + ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses"; } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP)
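Review bot: `ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses"` grants the spark-wallet unit write access to the whole tree that holds every user's onion addresses, while the start script in the first hunk only reads `/var/lib/onion-addresses/spark-wallet/spark-wallet`. Unless `defaultHardening` (defined elsewhere) makes that path inaccessible rather than merely read-only, a `cat` needs no entry here at all; if it does hide it, `BindReadOnlyPaths = mkIf cfg.onion-service "/var/lib/onion-addresses/spark-wallet";` expresses the actual need and scopes it to this service's own directory. Note that `nix-bitcoin.onionAddresses.enable = cfg.onion-service;` is set unconditionally, which also forces the option to false for every other consumer when spark-wallet's onion service is off; `mkIf cfg.onion-service true` avoids clashing with the secure-node preset's `enable = true` if the option type does not merge booleans with `mkOr`. The `systemd.services.spark-wallet` definition continues past the end of this hunk.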
diff --git a/test/tests.py b/test/tests.py
index 53165ed..18afd1e 100644
--- a/test/tests.py
+++ b/test/tests.py
@@ -218,7 +218,7 @@ def _(): @test("secure-node") def _(): - assert_running("onion-chef") + assert_running("onion-addresses") # FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due # to incomplete unit dependencies.