electrs: make nginx TLS proxy optional
Electrs users shouldn't be forced to run a TLS proxy.
This commit is contained in:
Erik Arvstedt
parent
acde24ce43
commit
93fd2329b8
|
|
@ -8,6 +8,10 @@ let
|
||||||
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
|
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
|
||||||
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
|
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
|
||||||
in {
|
in {
|
||||||
|
imports = [
|
||||||
|
(mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
|
||||||
|
];
|
||||||
|
|
||||||
options.services.electrs = {
|
options.services.electrs = {
|
||||||
enable = mkOption {
|
enable = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
|
|
@ -48,19 +52,22 @@ in {
|
||||||
default = 50002;
|
default = 50002;
|
||||||
description = "Port on which to listen for tor client connections.";
|
description = "Port on which to listen for tor client connections.";
|
||||||
};
|
};
|
||||||
nginxport = mkOption {
|
TLSProxy = {
|
||||||
|
enable = mkEnableOption "Nginx TLS proxy";
|
||||||
|
port = mkOption {
|
||||||
type = types.ints.u16;
|
type = types.ints.u16;
|
||||||
default = 50003;
|
default = 50003;
|
||||||
description = "Port on which to listen for TLS client connections.";
|
description = "Port on which to listen for TLS client connections.";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
enforceTor = nix-bitcoin-services.enforceTor;
|
enforceTor = nix-bitcoin-services.enforceTor;
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable (mkMerge [{
|
||||||
systemd.services.electrs = {
|
systemd.services.electrs = {
|
||||||
description = "Run electrs";
|
description = "Run electrs";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
requires = [ "bitcoind.service" "nginx.service"];
|
requires = [ "bitcoind.service" ];
|
||||||
after = [ "bitcoind.service" ];
|
after = [ "bitcoind.service" ];
|
||||||
# create shell script to start up electrs safely with password parameter
|
# create shell script to start up electrs safely with password parameter
|
||||||
preStart = ''
|
preStart = ''
|
||||||
|
|
@ -83,16 +90,26 @@ in {
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.${cfg.user} = {
|
||||||
|
description = "electrs User";
|
||||||
|
group = cfg.group;
|
||||||
|
extraGroups = [ "bitcoinrpc" "bitcoin"];
|
||||||
|
home = cfg.dataDir;
|
||||||
|
};
|
||||||
|
users.groups.${cfg.group} = {};
|
||||||
|
}
|
||||||
|
|
||||||
|
(mkIf cfg.TLSProxy.enable {
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
appendConfig = ''
|
appendConfig = ''
|
||||||
stream {
|
stream {
|
||||||
upstream electrs {
|
upstream electrs {
|
||||||
server 127.0.0.1:${toString config.services.electrs.port};
|
server 127.0.0.1:${toString cfg.port};
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen ${toString config.services.electrs.nginxport} ssl;
|
listen ${toString cfg.TLSProxy.port} ssl;
|
||||||
proxy_pass electrs;
|
proxy_pass electrs;
|
||||||
|
|
||||||
ssl_certificate ${secretsDir}/nginx-cert;
|
ssl_certificate ${secretsDir}/nginx-cert;
|
||||||
|
|
@ -105,19 +122,13 @@ in {
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
systemd.services.nginx = {
|
systemd.services = {
|
||||||
requires = [ "nix-bitcoin-secrets.target" ];
|
electrs.wants = [ "nginx.service" ];
|
||||||
after = [ "nix-bitcoin-secrets.target" ];
|
nginx = {
|
||||||
|
requires = [ "nix-bitcoin-secrets.target" ];
|
||||||
|
after = [ "nix-bitcoin-secrets.target" ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${cfg.user} = {
|
|
||||||
description = "electrs User";
|
|
||||||
group = cfg.group;
|
|
||||||
extraGroups = [ "bitcoinrpc" "bitcoin"];
|
|
||||||
home = cfg.dataDir;
|
|
||||||
};
|
|
||||||
users.groups.${cfg.group} = {};
|
|
||||||
|
|
||||||
nix-bitcoin.secrets = rec {
|
nix-bitcoin.secrets = rec {
|
||||||
nginx-key = {
|
nginx-key = {
|
||||||
user = "nginx";
|
user = "nginx";
|
||||||
|
|
@ -125,5 +136,6 @@ in {
|
||||||
};
|
};
|
||||||
nginx-cert = nginx-key;
|
nginx-cert = nginx-key;
|
||||||
};
|
};
|
||||||
};
|
})
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -145,10 +145,11 @@ in {
|
||||||
services.electrs.port = 50001;
|
services.electrs.port = 50001;
|
||||||
services.electrs.enforceTor = true;
|
services.electrs.enforceTor = true;
|
||||||
services.electrs.onionport = 50002;
|
services.electrs.onionport = 50002;
|
||||||
services.electrs.nginxport = 50003;
|
services.electrs.TLSProxy.enable = true;
|
||||||
|
services.electrs.TLSProxy.port = 50003;
|
||||||
services.tor.hiddenServices.electrs = {
|
services.tor.hiddenServices.electrs = {
|
||||||
map = [{
|
map = [{
|
||||||
port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport;
|
port = config.services.electrs.onionport; toPort = config.services.electrs.TLSProxy.port;
|
||||||
}];
|
}];
|
||||||
version = 3;
|
version = 3;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue