All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of equally named attributes.
This commit is contained in:
parent
0ac1e496b2
commit
7c70dd43ac
@ -282,7 +282,7 @@ in {
|
||||
sleep 0.05
|
||||
done
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
User = "${cfg.user}";
|
||||
Group = "${cfg.group}";
|
||||
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
||||
@ -291,8 +291,7 @@ in {
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP)
|
||||
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol;
|
||||
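Review bot: The precedence change stops at defaultHardening: `allowTor`, `allowAnyIP` and `allowAnyProtocol` (L49–L61 here, and likewise `nodejs` in the lightning-charge, nanopos and spark-wallet hunks) are still merged after the service-specific attrset, so any key a service sets that those attrsets also define is silently replaced by theirs, and a service block cannot override them the way it now overrides defaultHardening. If that asymmetry is intended, a comment above the first `//` would spare the next reader the same question, e.g. `# Merge order: defaultHardening < service-specific < allowTor/allowAnyIP/allowAnyProtocol (later wins)`. The flip also means every attribute defined by both defaultHardening and a service block now resolves to the service's value; defaultHardening is not visible here, so I can't confirm no service block collides with it, but its attribute names are worth checking against each `serviceConfig` touched by this commit, the web-index hunk with `User = "root"` in particular. The same ordering applies in the clightning, electrs, liquid and lnd hunks.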
@ -320,11 +319,10 @@ in {
|
||||
fi
|
||||
done
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
User = "${cfg.user}";
|
||||
Group = "${cfg.group}";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.allowTor;
|
||||
} // nix-bitcoin-services.allowTor;
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
|
@ -93,14 +93,13 @@ in {
|
||||
chmod 600 ${cfg.dataDir}/config
|
||||
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
|
||||
User = "clightning";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
|
@ -74,7 +74,7 @@ in {
|
||||
echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
|
||||
> electrs.toml
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
RuntimeDirectory = "electrs";
|
||||
RuntimeDirectoryMode = "700";
|
||||
WorkingDirectory = "/run/electrs";
|
||||
@ -96,8 +96,7 @@ in {
|
||||
Group = cfg.group;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
|
@ -50,15 +50,14 @@ in {
|
||||
chmod 600 ${cfg.dataDir}/lightning-charge.db
|
||||
fi
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PermissionsStartOnly = "true";
|
||||
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
|
||||
ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
|
||||
User = user;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.nodejs
|
||||
} // nix-bitcoin-services.nodejs
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
nix-bitcoin.secrets.lightning-charge-env.user = user;
|
||||
|
@ -215,7 +215,7 @@ in {
|
||||
echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
|
||||
echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
Type = "simple";
|
||||
User = "${cfg.user}";
|
||||
Group = "${cfg.group}";
|
||||
@ -226,8 +226,7 @@ in {
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
|
@ -91,14 +91,13 @@ in {
|
||||
chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf
|
||||
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
|
||||
'';
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
|
||||
User = "lnd";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
|
||||
|
@ -58,14 +58,13 @@ in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "lightning-charge.service" ];
|
||||
after = [ "lightning-charge.service" ];
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
|
||||
ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
|
||||
User = "nanopos";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.nodejs
|
||||
} // nix-bitcoin-services.nodejs
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
users.users.nanopos = {
|
||||
|
@ -81,15 +81,14 @@ in {
|
||||
jq
|
||||
sudo
|
||||
];
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}";
|
||||
User = "root";
|
||||
Type = "simple";
|
||||
RemainAfterExit="yes";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
|
@ -73,11 +73,11 @@ in {
|
||||
wantedBy = [ "tor.service" ];
|
||||
bindsTo = [ "tor.service" ];
|
||||
after = [ "tor.service" ];
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -90,12 +90,11 @@ in {
|
||||
requires = [ "clightning.service" ];
|
||||
after = [ "clightning.service" ];
|
||||
path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
|
||||
User = "recurring-donations";
|
||||
Type = "oneshot";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.allowTor;
|
||||
} // nix-bitcoin-services.allowTor;
|
||||
};
|
||||
systemd.timers.recurring-donations = {
|
||||
requires = [ "clightning.service" ];
|
||||
|
@ -71,14 +71,13 @@ in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "clightning.service" ] ++ onion-chef-service;
|
||||
after = [ "clightning.service" ] ++ onion-chef-service;
|
||||
serviceConfig = {
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
|
||||
User = "spark-wallet";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.nodejs
|
||||
} // nix-bitcoin-services.nodejs
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";
|
||||
|