electrs: make nginx TLS proxy optional

Electrs users shouldn't be forced to run a TLS proxy.
Erik Arvstedt 2020-03-04 18:08:49 +01:00
parent acde24ce43
commit 93fd2329b8
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
2 changed files with 33 additions and 20 deletions


@ -8,6 +8,10 @@ let
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}"; index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}"; jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
in { in {
imports = [
(mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
];
options.services.electrs = { options.services.electrs = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
@ -48,19 +52,22 @@ in {
default = 50002; default = 50002;
description = "Port on which to listen for tor client connections."; description = "Port on which to listen for tor client connections.";
}; };
nginxport = mkOption { TLSProxy = {
enable = mkEnableOption "Nginx TLS proxy";
port = mkOption {
type = types.ints.u16; type = types.ints.u16;
default = 50003; default = 50003;
description = "Port on which to listen for TLS client connections."; description = "Port on which to listen for TLS client connections.";
};
}; };
enforceTor = nix-bitcoin-services.enforceTor; enforceTor = nix-bitcoin-services.enforceTor;
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable (mkMerge [{
systemd.services.electrs = { systemd.services.electrs = {
description = "Run electrs"; description = "Run electrs";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" "nginx.service"]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" ];
# create shell script to start up electrs safely with password parameter # create shell script to start up electrs safely with password parameter
preStart = '' preStart = ''
@ -83,16 +90,26 @@ in {
); );
}; };
users.users.${cfg.user} = {
description = "electrs User";
group = cfg.group;
extraGroups = [ "bitcoinrpc" "bitcoin"];
home = cfg.dataDir;
};
users.groups.${cfg.group} = {};
}
(mkIf cfg.TLSProxy.enable {
services.nginx = { services.nginx = {
enable = true; enable = true;
appendConfig = '' appendConfig = ''
stream { stream {
upstream electrs { upstream electrs {
server 127.0.0.1:${toString config.services.electrs.port}; server 127.0.0.1:${toString cfg.port};
} }
server { server {
listen ${toString config.services.electrs.nginxport} ssl; listen ${toString cfg.TLSProxy.port} ssl;
proxy_pass electrs; proxy_pass electrs;
ssl_certificate ${secretsDir}/nginx-cert; ssl_certificate ${secretsDir}/nginx-cert;
@ -105,19 +122,13 @@ in {
} }
''; '';
}; };
systemd.services.nginx = { systemd.services = {
requires = [ "nix-bitcoin-secrets.target" ]; electrs.wants = [ "nginx.service" ];
after = [ "nix-bitcoin-secrets.target" ]; nginx = {
requires = [ "nix-bitcoin-secrets.target" ];
after = [ "nix-bitcoin-secrets.target" ];
};
}; };
users.users.${cfg.user} = {
description = "electrs User";
group = cfg.group;
extraGroups = [ "bitcoinrpc" "bitcoin"];
home = cfg.dataDir;
};
users.groups.${cfg.group} = {};
nix-bitcoin.secrets = rec { nix-bitcoin.secrets = rec {
nginx-key = { nginx-key = {
user = "nginx"; user = "nginx";
@ -125,5 +136,6 @@ in {
}; };
nginx-cert = nginx-key; nginx-cert = nginx-key;
}; };
}; })
]);
} }
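Review bot: The `mkRenamedOptionModule` added in the first hunk only maps `services.electrs.nginxport` onto `TLSProxy.port`, while `TLSProxy.enable` defaults to false via `mkEnableOption`, so a deployment that previously set just `nginxport` (which before this commit implied an always-on nginx proxy, since `nginx.service` was in `requires`) silently loses its TLS proxy on upgrade without any evaluation warning. If such a deployment also maps a tor hidden service to that port, as the test in this commit does, the onion service would presumably forward to a port nothing listens on. The option description should at least say so, e.g. `description = "Port on which to listen for TLS client connections. Only used when TLSProxy.enable is true.";`, and the rename hunk deserves a comment such as `# Renaming nginxport does not enable the proxy; existing users must set TLSProxy.enable.` The electrs option set and the `config` block both extend beyond the visible hunks.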


@ -145,10 +145,11 @@ in {
services.electrs.port = 50001; services.electrs.port = 50001;
services.electrs.enforceTor = true; services.electrs.enforceTor = true;
services.electrs.onionport = 50002; services.electrs.onionport = 50002;
services.electrs.nginxport = 50003; services.electrs.TLSProxy.enable = true;
services.electrs.TLSProxy.port = 50003;
services.tor.hiddenServices.electrs = { services.tor.hiddenServices.electrs = {
map = [{ map = [{
port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport; port = config.services.electrs.onionport; toPort = config.services.electrs.TLSProxy.port;
}]; }];
version = 3; version = 3;
}; };
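Review bot: The test sets `services.electrs.TLSProxy.enable = true`, so the path this commit introduces as the new default (proxy disabled: no nginx stream block, no `nginx-key`/`nginx-cert` secrets, electrs only on `cfg.port`) gets no coverage here. A second scenario with the proxy left at its default, or at minimum a comment `# TLSProxy is opt-in; the disabled default is not exercised by this test` next to the enable line, would make the intent explicit. The tor hidden-service mapping to `TLSProxy.port` is only meaningful with the proxy enabled, which is worth stating in the same comment.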