greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lnd: add user & group options

This commit is contained in:
nixbitcoin 2021-02-16 16:50:39 +00:00
parent eddc48ee62
commit 85a1722545
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
1 changed files with 22 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
modules/lnd.nix
View File

@ -124,7 +124,7 @@ in {
default = pkgs.writeScriptBin "lncli" default = pkgs.writeScriptBin "lncli"
# Switch user because lnd makes datadir contents readable by user only # Switch user because lnd makes datadir contents readable by user only
'' ''
${runAsUser} lnd ${cfg.package}/bin/lncli \ ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
--rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \ --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
--tlscertpath '${secretsDir}/lnd-cert' \ --tlscertpath '${secretsDir}/lnd-cert' \
--macaroonpath '${networkDir}/admin.macaroon' "$@" --macaroonpath '${networkDir}/admin.macaroon' "$@"
@ -139,6 +139,16 @@ in {
If left empty, no address is announced. If left empty, no address is announced.
''; '';
}; };
user = mkOption {
type = types.str;
default = "lnd";
description = "The user as which to run LND.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = "The group as which to run LND.";
};
inherit (nbLib) enforceTor; inherit (nbLib) enforceTor;
}; };
@ -163,7 +173,7 @@ in {
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 lnd lnd - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
]; ];
systemd.services.lnd = { systemd.services.lnd = {
@ -183,7 +193,7 @@ in {
RuntimeDirectory = "lnd"; # Only used to store custom macaroons RuntimeDirectory = "lnd"; # Only used to store custom macaroons
RuntimeDirectoryMode = "711"; RuntimeDirectoryMode = "711";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf"; ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
User = "lnd"; User = cfg.user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
@ -206,7 +216,7 @@ in {
--cacert ${secretsDir}/lnd-cert \ --cacert ${secretsDir}/lnd-cert \
-X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
fi fi
chown lnd: "$mnemonic" chown ${cfg.user}: "$mnemonic"
'') '')
(nbLib.script "lnd-create-wallet" '' (nbLib.script "lnd-create-wallet" ''
if [[ ! -f ${networkDir}/wallet.db ]]; then if [[ ! -f ${networkDir}/wallet.db ]]; then
@ -263,21 +273,21 @@ in {
) // nbLib.allowAnyProtocol; # For ZMQ ) // nbLib.allowAnyProtocol; # For ZMQ
}; };
users.users.lnd = { users.users.${cfg.user} = {
group = "lnd"; group = cfg.group;
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
home = cfg.dataDir; # lnd creates .lnd dir in HOME home = cfg.dataDir; # lnd creates .lnd dir in HOME
}; };
users.groups.lnd = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator = { nix-bitcoin.operator = {
groups = [ "lnd" ]; groups = [ cfg.group ];
allowRunAsUsers = [ "lnd" ]; allowRunAsUsers = [ cfg.user ];
}; };
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
lnd-wallet-password.user = "lnd"; lnd-wallet-password.user = cfg.user;
lnd-key.user = "lnd"; lnd-key.user = cfg.user;
lnd-cert.user = "lnd"; lnd-cert.user = cfg.user;
lnd-cert.permissions = "0444"; # world readable lnd-cert.permissions = "0444"; # world readable
}; };
}; };