electrs: make nginx TLS proxy optional

Electrs users shouldn't be forced to run a TLS proxy.
2020-03-04 18:08:49 +01:00 · 2020-03-04 18:08:49 +01:00 · 93fd2329b8
commit 93fd2329b8
parent acde24ce43
2 changed files with 33 additions and 20 deletions
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -8,6 +8,10 @@ let
  index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
  jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
 in {
+  imports = [
+    (mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
+  ];
+
  options.services.electrs = {
    enable = mkOption {
      type = types.bool;
@ -48,19 +52,22 @@ in {
      default = 50002;
      description = "Port on which to listen for tor client connections.";
    };
-    nginxport = mkOption {
+    TLSProxy = {
+      enable = mkEnableOption "Nginx TLS proxy";
+      port = mkOption {
        type = types.ints.u16;
        default = 50003;
        description = "Port on which to listen for TLS client connections.";
+      };
    };
    enforceTor = nix-bitcoin-services.enforceTor;
  };

-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [{
    systemd.services.electrs = {
      description = "Run electrs";
      wantedBy = [ "multi-user.target" ];
-      requires = [ "bitcoind.service" "nginx.service"];
+      requires = [ "bitcoind.service" ];
      after = [ "bitcoind.service" ];
      # create shell script to start up electrs safely with password parameter
      preStart = ''
@ -83,16 +90,26 @@ in {
        );
    };

+    users.users.${cfg.user} = {
+      description = "electrs User";
+      group = cfg.group;
+      extraGroups = [ "bitcoinrpc" "bitcoin"];
+      home = cfg.dataDir;
+    };
+    users.groups.${cfg.group} = {};
+  }
+
+  (mkIf cfg.TLSProxy.enable {
    services.nginx = {
      enable = true;
      appendConfig = ''
        stream {
          upstream electrs {
-            server 127.0.0.1:${toString config.services.electrs.port};
+            server 127.0.0.1:${toString cfg.port};
          }

          server {
-            listen ${toString config.services.electrs.nginxport} ssl;
+            listen ${toString cfg.TLSProxy.port} ssl;
            proxy_pass electrs;

            ssl_certificate ${secretsDir}/nginx-cert;
@ -105,19 +122,13 @@ in {
        }
      '';
    };
-    systemd.services.nginx = {
-      requires = [ "nix-bitcoin-secrets.target" ];
-      after = [ "nix-bitcoin-secrets.target" ];
+    systemd.services = {
+      electrs.wants = [ "nginx.service" ];
+      nginx = {
+        requires = [ "nix-bitcoin-secrets.target" ];
+        after = [ "nix-bitcoin-secrets.target" ];
+      };
    };
-
-    users.users.${cfg.user} = {
-      description = "electrs User";
-      group = cfg.group;
-      extraGroups = [ "bitcoinrpc" "bitcoin"];
-      home = cfg.dataDir;
-    };
-    users.groups.${cfg.group} = {};
-
    nix-bitcoin.secrets = rec {
      nginx-key = {
        user = "nginx";
@ -125,5 +136,6 @@ in {
      };
      nginx-cert = nginx-key;
    };
-  };
+  })
+  ]);
 }
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
@ -145,10 +145,11 @@ in {
    services.electrs.port = 50001;
    services.electrs.enforceTor = true;
    services.electrs.onionport = 50002;
-    services.electrs.nginxport = 50003;
+    services.electrs.TLSProxy.enable = true;
+    services.electrs.TLSProxy.port = 50003;
    services.tor.hiddenServices.electrs = {
      map = [{
-        port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport;
+        port = config.services.electrs.onionport; toPort = config.services.electrs.TLSProxy.port;
      }];
      version = 3;
    };