diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 8e30664..234846e 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -187,6 +187,7 @@ in {
 chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
 fi
 cp '${configFile}' '${cfg.dataDir}/bitcoin.conf'
+ chmod o-rw '${cfg.dataDir}/bitcoin.conf'
 echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
 '';
 serviceConfig = {
diff --git a/modules/clightning.nix b/modules/clightning.nix
index a8cbb4c..f971e07 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -4,7 +4,6 @@ with lib;
 let
 cfg = config.services.clightning;
- home = "/var/lib/clightning";
 configFile = pkgs.writeText "config" ''
 autolisten=false
 network=bitcoin
@@ -32,16 +31,25 @@ in {
 Bitcoin RPC user
 '';
 };
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/clightning";
+ description = "The data directory for bitcoind.";
+ };
 };
 config = mkIf cfg.enable {
 users.users.clightning = {
 description = "clightning User";
- createHome = true;
+ group = "clightning";
 extraGroups = [ "bitcoinrpc" "keys" ];
- inherit home;
+ home = cfg.dataDir;
 };
+ users.groups.clightning = {
+ name = "clightning";
+ };
+
 systemd.services.clightning = {
 description = "Run clightningd";
 path = [ pkgs.bash pkgs.clightning pkgs.bitcoin ];
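Review bot: Nothing in the visible part of this preStart chowns the copied file after `cp '${configFile}' '${cfg.dataDir}/bitcoin.conf'` (the only chown shown is the conditional one on the directory), so on a fresh dataDir bitcoin.conf is owned by whatever user preStart runs as, and the new `chmod o-rw` then leaves it at 0640; if preStart runs as root and the daemon as `cfg.user`, the daemon can no longer read its own config. The clightning hunk in this same commit does chown the copied config, so the analogous `chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}/bitcoin.conf'` between the cp and the chmod would make the two modules consistent. The ordering of the new line is right in itself: rpcpassword is appended only after the world-readable bits are dropped. The preStart block starts before this hunk, so an earlier chown of the file would make this moot.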
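Review bot: The new dataDir option's description says "The data directory for bitcoind." but it is declared under services.clightning and defaults to /var/lib/clightning; it should read `description = "The data directory for clightning.";`. As a point of style, `users.groups.clightning = { name = "clightning"; };` repeats the attribute key, which is already the group name; the nixbitcoin.nix hunk in this commit declares the bitcoinrpc group as `users.groups.bitcoinrpc = {};`, and `users.groups.clightning = {};` would match that.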
@@ -49,15 +57,19 @@ in {
 requires = [ "bitcoind.service" ];
 after = [ "bitcoind.service" ];
 preStart = ''
- mkdir -p ${home}/.lightning
- rm -f ${home}/.lightning/config
- cp ${configFile} ${home}/.lightning/config
- chmod +w ${home}/.lightning/config
- echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${home}/.lightning/config'
+ mkdir -m 0770 -p ${cfg.dataDir}
+ rm -f ${cfg.dataDir}/config
+ chown 'clightning:clightning' '${cfg.dataDir}'
+ cp ${configFile} ${cfg.dataDir}/config
+ chown 'clightning:clightning' '${cfg.dataDir}/config'
+ chmod +w ${cfg.dataDir}/config
+ chmod o-rw ${cfg.dataDir}/config
+ echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
 '';
 serviceConfig = {
- ExecStart = "${pkgs.clightning}/bin/lightningd";
+ PermissionsStartOnly = "true";
+ ExecStart = "${pkgs.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
diff --git a/modules/nixbitcoin.nix b/modules/nixbitcoin.nix
index a5ef907..9707368 100644
--- a/modules/nixbitcoin.nix
+++ b/modules/nixbitcoin.nix
@@ -23,6 +23,7 @@ in {
 };
 config = mkIf cfg.enable {
+ # Add bitcoinrpc group
 users.groups.bitcoinrpc = {};
 # Tor
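Review bot: `mkdir -m 0770 -p ${cfg.dataDir}` applies the mode only when it creates the directory, so a dataDir that already exists (this commit drops `createHome = true`, which created it before) keeps whatever mode it had while the chown and the operator's new group membership assume 0770; an explicit `chmod 0770 '${cfg.dataDir}'` after the chown makes the result independent of history. The pair `chmod +w` / `chmod o-rw` is umask-dependent (`+w` without a who-list adds write for every class the umask allows), so the config can end up group-writable; a single `chmod 0640 '${cfg.dataDir}/config'` replacing both lines states the intended mode directly and still runs before the rpcpassword is appended. Quoting is also inconsistent within the block: `${cfg.dataDir}` is quoted in the chown and echo lines but not in mkdir, rm, cp and chmod, and `--lightning-dir=${cfg.dataDir}` in ExecStart is unquoted as well.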
@@ -69,15 +70,28 @@ in {
 };
 # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.guest = {
+ users.users.operator = {
 isNormalUser = true;
+ extraGroups = [ "clightning" config.services.bitcoind.group ];
+
 };
+ environment.interactiveShellInit = ''
+ alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
+ alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
+ '';
+ # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
+ # https://github.com/ElementsProject/lightning/issues/1366
+ security.sudo.configFile = ''
+ operator ALL=(clightning) NOPASSWD: ALL
+ '';
+
+ # Give root ssh access to the operator account
 systemd.services.copy-root-authorized-keys = {
 description = "Copy root authorized keys";
 wantedBy = [ "multi-user.target" ];
 path = [ ];
 serviceConfig = {
- ExecStart = "${pkgs.bash}/bin/bash -c \"mkdir -p ${config.users.users.guest.home}/.ssh && cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.guest.home}/.ssh/authorized_keys && chown -R guest ${config.users.users.guest.home}/.ssh\"";
+ ExecStart = "${pkgs.bash}/bin/bash -c \"mkdir -p ${config.users.users.operator.home}/.ssh && cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys && chown -R operator ${config.users.users.operator.home}/.ssh\"";
 user = "root";
 type = "oneshot";
 };
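Review bot: `security.sudo.configFile` is, as far as I recall the NixOS option, the entire contents of the sudoers file, so assigning it the single operator line replaces the default root and wheel rules rather than adding to them; `security.sudo.extraConfig` is the option that appends. Independently of that, `operator ALL=(clightning) NOPASSWD: ALL` lets operator run any command as clightning, while the alias above only needs lightning-cli; scoping the rule to `operator ALL=(clightning) NOPASSWD: ${pkgs.clightning}/bin/lightning-cli` keeps the workaround for the socket-permission issue without granting more than the alias uses. The comment `# Give root ssh access to the operator account` is easy to misread; it copies root's client key into operator's authorized_keys, so `# Let the holder of root's nixops client key ssh in as operator` describes what the unit does.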