From 9662c19ab1784d2cc37cbe93e2e75ea35ebd89ca Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sat, 30 Jan 2021 10:47:05 +0100
Subject: [PATCH] onionServices: use actual user name of services
Previously, onionAddresses definitions in onionServices were of the form onionAddresses.access. = []; This caused failures for configurations where a service user name was overridden or for bitcoind whose default user is 'bitcoin' instead of 'bitcoind'. Now set the equivalent of: onionAddresses.access. = []; Implement this via a new option `onionAddresses.services` to make things more readable and to work around an infinite recursion error in onionServices.
---
 modules/onion-addresses.nix | 19 ++++++++++++++++++-
 modules/onion-services.nix | 12 ++++++------
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/modules/onion-addresses.nix b/modules/onion-addresses.nix
index f715337..df9c9dc 100644
--- a/modules/onion-addresses.nix
+++ b/modules/onion-addresses.nix
@@ -27,13 +27,22 @@ in {
 /var/lib/onion-addresses/myuser.
 '';
 };
+ services = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = ''
+ Services that can access their onion address via file
+ /var/lib/onion-addresses/
+ The file is readable only by the service user.
+ '';
+ };
 dataDir = mkOption {
 readOnly = true;
 default = "/var/lib/onion-addresses";
 };
 };
- config = mkIf (cfg.access != {}) {
+ config = mkIf (cfg.access != {} || cfg.services != []) {
 systemd.services.onion-addresses = {
 wantedBy = [ "tor.service" ];
 bindsTo = [ "tor.service" ];
@@ -42,6 +51,7 @@ in {
 Type = "oneshot";
 RemainAfterExit = true;
 StateDirectory = "onion-addresses";
+ StateDirectoryMode = "771";
 PrivateNetwork = "true"; # This service needs no network access
 PrivateUsers = "false";
 CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
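Review bot: A name listed in `services` that is also a key of `access` resolves to the same path `/var/lib/onion-addresses/<name>`: the `access` loop (whose tail `'') (builtins.attrNames cfg.access)` is visible in the next hunk) creates a per-user directory there, while the new `services` loop installs a plain file, so the onion-addresses unit fails at runtime instead of at evaluation. The old code keyed `access` by service name, and the commit message implies most service users are named after their service, so this overlap is easy to produce when an operator grants a service user access to other services' addresses. The `config` block touched by this hunk could reject the overlap with an assertion; `intersectLists` is a lib function and lib is already used unqualified here (`mkIf`, `types`). The option description could also state that each entry must name a systemd service with an explicit `serviceConfig.User`, since the next hunk chowns the file to that user.
```nix
  config = mkIf (cfg.access != {} || cfg.services != []) {
    assertions = [
      { assertion = intersectLists cfg.services (builtins.attrNames cfg.access) == [];
        message = "nix-bitcoin.onionAddresses: names in `services` must not also be user names in `access`; both are placed directly under /var/lib/onion-addresses.";
      }
    ];
    # … unchanged: systemd.services.onion-addresses …
  };
```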
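Review bot: `StateDirectoryMode = "771";` is a security-relevant permission choice and should carry a comment saying why it was picked. systemd creates a StateDirectory with mode 0755 by default, so 0771 removes read for others (the directory can no longer be listed) while keeping the execute bit so each service user can traverse into it to reach its own file, which the next hunk installs with `-m 400`. Group members keep write access to the directory; which group that is follows from the unit's User/Group, not visible in this hunk. Suggested: `# 0771: others may traverse to their own file but not list the directory; secrecy of the per-service files rests on their 0400 mode`.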
@@ -70,6 +80,13 @@ in {
 '') (builtins.attrNames cfg.access)
 }
+
+ ${concatMapStrings (service: ''
+ onionFile=/var/lib/tor/onion/${service}/hostname
+ if [[ -e $onionFile ]]; then
+ install -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile ${service}
+ fi
+ '') cfg.services}
 '';
 };
 };
diff --git a/modules/onion-services.nix b/modules/onion-services.nix
index f73318f..52c6c2f 100644
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@@ -71,12 +71,12 @@ in {
 );
 };
- # Enable public services to access their own onion addresses
- nix-bitcoin.onionAddresses.access = (
- genAttrs publicServices singleton
- ) // {
+ nix-bitcoin.onionAddresses = {
+ # Enable public services to access their own onion addresses
+ services = publicServices;
+
- # Allow the operator user to access onion addresses for all active services
- ${config.nix-bitcoin.operator.name} = mkIf config.nix-bitcoin.operator.enable activeServices;
+ access.${config.nix-bitcoin.operator.name} = mkIf config.nix-bitcoin.operator.enable activeServices;
 };
 systemd.services = let
 onionAddresses = [ "onion-addresses.service" ];
@@ -96,7 +96,7 @@ in {
 in srv.public && srv.enable
 ) services;
 in genAttrs publicServices' (service: {
- getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}/${service}";
+ getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}";
 });
 }
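Review bot: `config.systemd.services.${service}.serviceConfig.User` on the `install` line aborts evaluation with a bare 'attribute missing' error when an entry of `cfg.services` does not name a systemd unit that sets `User`, which is the misconfiguration this new list option is most likely to see. A guarded lookup gives a usable message: `install -o ${config.systemd.services.${service}.serviceConfig.User or (throw "onionAddresses.services: '${service}' is not a systemd service with serviceConfig.User")} -m 400 $onionFile ${service}`. The destination `${service}` is a relative path, so the copy depends on the script having changed into the state directory before this point, outside the hunk, as the preceding `cfg.access` loop presumably does too; a comment stating that would help, and `"$onionFile"` should be quoted. Changing the owner with `install -o` needs CAP_CHOWN, which the unit's CapabilityBoundingSet in the earlier hunk already grants.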