diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index e59ce69..f3cbf5d 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@@ -168,30 +168,31 @@ in {
 after = [ "bitcoind.service" ];
 path = [ pkgs.sudo ];
 serviceConfig = nbLib.defaultHardening // {
- ExecStartPre = nbLib.privileged ''
+ ExecStartPre = nbLib.privileged "joinmarket-create-config" ''
 install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg
 sed -i \
 "s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \
 '${cfg.dataDir}/joinmarket.cfg'
 '';
 # Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
- ExecStartPost = mkIf (bitcoind.network == "mainnet") (nbLib.privileged ''
- walletname=wallet.jmdat
- wallet=${cfg.dataDir}/wallets/$walletname
- if [[ ! -f $wallet ]]; then
- echo "Create wallet"
- pw=$(cat "${secretsDir}"/jm-wallet-password)
- cd ${cfg.dataDir}
- if ! sudo -u ${cfg.user} ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \
- | grep 'recovery_seed' \
- | cut -d ':' -f2 \
- | (umask u=r,go=; cat > "${secretsDir}/jm-wallet-seed"); then
- echo "wallet creation failed"
- rm -f "$wallet" "${secretsDir}/jm-wallet-seed"
- exit 1
+ ExecStartPost = mkIf (bitcoind.network == "mainnet")
+ (nbLib.privileged "joinmarket-create-wallet" ''
+ walletname=wallet.jmdat
+ wallet=${cfg.dataDir}/wallets/$walletname
+ if [[ ! -f $wallet ]]; then
+ echo "Create wallet"
+ pw=$(cat "${secretsDir}"/jm-wallet-password)
+ cd ${cfg.dataDir}
+ if ! sudo -u ${cfg.user} ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \
+ | grep 'recovery_seed' \
+ | cut -d ':' -f2 \
+ | (umask u=r,go=; cat > "${secretsDir}/jm-wallet-seed"); then
+ echo "wallet creation failed"
+ rm -f "$wallet" "${secretsDir}/jm-wallet-seed"
+ exit 1
+ fi
 fi
- fi
- '');
+ '');
 ExecStart = "${nbPkgs.joinmarket}/bin/joinmarketd";
 WorkingDirectory = cfg.dataDir; # The service creates 'commitmentlist' in the working dir
 User = cfg.user;
diff --git a/modules/lnd.nix b/modules/lnd.nix
index bff7d4a..930d7d4 100644
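Review bot: In the new joinmarket-create-wallet script the wallet password read from `jm-wallet-password` is handed to `jm-genwallet` as a command-line argument, which exposes it in `/proc/<pid>/cmdline` to every local user while that process runs, and it is expanded unquoted (`$walletname $pw`), so a password containing whitespace or glob characters is split or globbed before the program sees it; the commit only re-indents these lines. At minimum quote both expansions: `if ! sudo -u ${cfg.user} ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} "$walletname" "$pw" \`. If jm-genwallet can take the password on stdin or from an environment variable, that route would also close the cmdline exposure, but this hunk does not show what the tool accepts. The enclosing `serviceConfig` attribute set continues past the end of the hunk.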
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -190,7 +190,7 @@ in {
 restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1";
 in [
 # Run fully privileged for secrets dir write access
- "+${nbLib.script ''
+ (nbLib.privileged "lnd-create-mnemonic" ''
 attempts=250
 while ! { exec 3>/dev/tcp/${cfg.restAddress}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do
 ((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; }
@@ -206,8 +206,8 @@ in {
 -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
 fi
 chown lnd: "$mnemonic"
- ''}"
- "${nbLib.script ''
+ '')
+ (nbLib.script "lnd-create-wallet" ''
 if [[ ! -f ${networkDir}/wallet.db ]]; then
 echo Create lnd wallet
@@ -240,7 +240,7 @@ in {
 '')
 # Run fully privileged for chown
- "+${nbLib.script ''
+ (nbLib.privileged "lnd-create-macaroons" ''
 umask ug=r,o=
 ${lib.concatMapStrings (macaroon: ''
 echo "Create custom macaroon ${macaroon}"
@@ -254,7 +254,7 @@ in {
 ${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
 chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
 '') (attrNames cfg.macaroons)}
- ''}"
+ '')
 ];
 } // (if cfg.enforceTor then nbLib.allowTor
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index c48c30a..b6919cf 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -52,13 +52,13 @@ let self = {
 '';
 };
- script = src: pkgs.writers.writeBash "script" ''
+ script = name: src: pkgs.writers.writeBash name ''
 set -eo pipefail
 ${src}
 '';
 # Used for ExecStart*
- privileged = src: "+${self.script src}";
+ privileged = name: src: "+${self.script name src}";
 cliExec = mkOption {
 # Used by netns-isolation to execute the cli in the service's private netns
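Review bot: The mnemonic returned by `/genseed` is written to `$mnemonic` with a bare shell redirect and only chowned to `lnd:` afterwards, so its permissions are whatever the root-privileged script's umask yields at that moment; the start of lnd-create-mnemonic lies outside this hunk, and unless a restrictive umask is set there the seed file is created readable by other users, in contrast to lnd-create-macaroons further down, which opens with `umask ug=r,o=`. Wrapping the write in a subshell with its own umask, e.g. `(umask u=rw,go=; ${pkgs.curl}/bin/curl ... > "$mnemonic")` (the curl invocation itself starts before the hunk), makes the mode independent of whatever the caller inherited. Note also that `chown lnd:` changes the group to lnd's login group, so any group-readable mode extends to that group's members.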
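Review bot: `chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"` uses the `user:` form, which also sets the file's group to that user's login group, and because the script opens with `umask ug=r,o=` (visible in the previous hunk) the macaroon ends up group-readable — every member of the target user's primary group can read the credential. If each macaroon is meant to be private to its user, tightening the first line of the script to `umask u=r,go=` gives mode 0400; if group sharing is intended, a comment on the chown line should say which group is expected to read it. The lnd-create-macaroons script begins before this hunk.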
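Review bot: `privileged` now takes a `name` and is the helper callers reach for by name, but its only documentation is `# Used for ExecStart*`, which does not say what the `+` prefix actually grants. I'd replace it with `# Used for ExecStart*: the "+" prefix makes systemd run the script with full root privileges, bypassing the unit's User=/Group=, CapabilityBoundingSet= and filesystem sandboxing (PrivateTmp=, PrivateDevices=, …) for that one command; the unit's other Exec lines stay hardened`. It would also help to note on `script` that `name` is passed straight to `writeBash`, where it presumably becomes the derivation name, so callers should keep it a short valid store name as the existing kebab-case call sites do. The enclosing `let self = {` starts outside the hunk.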