lightning-charge: add netns

- Adds lightning-charge to netns-isolation.services - Adds cfg.enforceTor to bring lightning-charge in line with other services - Adds extraArgs option to allow using lightning-charge with network namespaces - Adds host option (defaults to localhost) as target of hidden service
2020-06-10 14:43:03 +00:00 · 2020-06-10 14:43:03 +00:00 · 7369f0a7ec
parent c4ab73d51f
commit 7369f0a7ec
3 changed files with 26 additions and 3 deletions
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@ -21,6 +21,17 @@ in {
      default = "/var/lib/lightning-charge";
      description = "The data directory for lightning-charge.";
    };
+    host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = "http server listen address";
+    };
+    extraArgs = mkOption {
+      type = types.separatedString " ";
+      default = "";
+      description = "Extra command line arguments passed to lightning-charge.";
+    };
+    enforceTor =  nix-bitcoin-services.enforceTor;
  };

  config = mkIf cfg.enable {
@ -60,13 +71,15 @@ in {
          # Needed to access clightning.dataDir in preStart
          PermissionsStartOnly = "true";
          EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
-          ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
+          ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db -i ${cfg.host} ${cfg.extraArgs}";
          User = user;
          Restart = "on-failure";
          RestartSec = "10s";
          ReadWritePaths = "${cfg.dataDir}";
-      } // nix-bitcoin-services.nodejs
-        // nix-bitcoin-services.allowTor;
+      } // (if cfg.enforceTor
+            then nix-bitcoin-services.allowTor
+            else nix-bitcoin-services.allowAnyIP)
+        // nix-bitcoin-services.nodejs;
    };
    nix-bitcoin.secrets.lightning-charge-env.user = user;
  };
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@ -110,6 +110,11 @@ in {
          # communicates with clightning over lightning-rpc socket
          connections = [];
        };
+        lightning-charge = {
+          id = 18;
+          # communicates with clightning over lightning-rpc socket
+          connections = [];
+        };
      };

      systemd.services = {
@ -263,6 +268,9 @@ in {
        extraArgs = "--no-tls";
      };

+      # lightning-charge: Custom netns configs
+      services.lightning-charge.host = mkIf config.services.lightning-charge.enable netns.lightning-charge.address;
+
    })
    # Custom netns config option values if netns-isolation not enabled
    (mkIf (!cfg.enable) {
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -127,6 +127,8 @@ in {
      enforceTor = true;
    };

+    services.lightning-charge.enforceTor = true;
+
    services.nix-bitcoin-webindex.enforceTor = true;