extract operator module

This commit is contained in:
Erik Arvstedt 2020-09-28 13:09:03 +02:00
parent 2dd1a741f7
commit 9aa19c3fdd
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
11 changed files with 73 additions and 33 deletions


@ -380,6 +380,7 @@ in {
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
users.groups.bitcoinrpc = {}; users.groups.bitcoinrpc = {};
nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin"; nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
nix-bitcoin.secrets.bitcoin-rpcpassword-public = { nix-bitcoin.secrets.bitcoin-rpcpassword-public = {


@ -99,6 +99,7 @@ in {
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"


@ -48,6 +48,7 @@ in {
usbutils usbutils
]; ];
users.groups."${cfg.group}" = {}; users.groups."${cfg.group}" = {};
nix-bitcoin.operator.groups = [ cfg.group ];
}) })
(mkIf cfg.ledger { (mkIf cfg.ledger {


@ -125,6 +125,10 @@ in {
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator = {
groups = [ cfg.group ];
sudoUsers = [ cfg.group ];
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"


@ -263,12 +263,15 @@ in {
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
); );
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
group = cfg.group; group = cfg.group;
extraGroups = [ "bitcoinrpc" ]; extraGroups = [ "bitcoinrpc" ];
description = "Liquid sidechain user"; description = "Liquid sidechain user";
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid"; nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid";
}; };
} }


@ -259,6 +259,7 @@ in {
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ ) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
}; };
users.users.lnd = { users.users.lnd = {
description = "LND User"; description = "LND User";
group = "lnd"; group = "lnd";
@ -266,6 +267,11 @@ in {
home = cfg.dataDir; # lnd creates .lnd dir in HOME home = cfg.dataDir; # lnd creates .lnd dir in HOME
}; };
users.groups.lnd = {}; users.groups.lnd = {};
nix-bitcoin.operator = {
groups = [ "lnd" ];
sudoUsers = [ "lnd" ];
};
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
lnd-wallet-password.user = "lnd"; lnd-wallet-password.user = "lnd";
lnd-key.user = "lnd"; lnd-key.user = "lnd";


@ -4,6 +4,7 @@
imports = [ imports = [
# Core modules # Core modules
./secrets/secrets.nix ./secrets/secrets.nix
./operator.nix
# Main features # Main features
./bitcoind.nix ./bitcoind.nix
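Review bot: Importing `./operator.nix` here introduces `nix-bitcoin.operator.name` while the old `nix-bitcoin.operatorName` option is deleted in a later section of this commit (the hunk removing `nix-bitcoin.operatorName = mkOption { ... }`), and no alias bridges the two, so any existing user configuration that sets `nix-bitcoin.operatorName` will now fail evaluation with an undefined-option error rather than a deprecation warning. Consider adding `(mkRenamedOptionModule [ "nix-bitcoin" "operatorName" ] [ "nix-bitcoin" "operator" "name" ])` to this import list so the rename is handled gracefully. This assumes `lib` is in scope in this file; if it is not, the alias module belongs wherever `lib.mkRenamedOptionModule` is reachable.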


@ -82,6 +82,7 @@ in {
User that is allowed to execute commands in the service network namespaces. User that is allowed to execute commands in the service network namespaces.
The user's group is also authorized. The user's group is also authorized.
''; '';
default = config.nix-bitcoin.operator.name;
}; };
netns = mkOption { netns = mkOption {
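Review bot: The added `default = config.nix-bitcoin.operator.name;` makes `allowedUser` name the operator account even when `nix-bitcoin.operator.enable` is false, in which case that user is never created, so a configuration that enables netns isolation without the operator module silently authorizes a nonexistent account instead of failing to evaluate as it did when the option had no default. How `allowedUser` is consumed is outside this hunk, but consider either an assertion that `config.nix-bitcoin.operator.enable` holds whenever the default is relied upon, or documenting the coupling in the option description. Independently, add `defaultText = "config.nix-bitcoin.operator.name";` so generated docs show the expression rather than the evaluated string.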


@ -3,7 +3,7 @@
with lib; with lib;
let let
operatorName = config.nix-bitcoin.operatorName; operatorName = config.nix-bitcoin.operator.name;
script = pkgs.writeScriptBin "nodeinfo" '' script = pkgs.writeScriptBin "nodeinfo" ''
set -eo pipefail set -eo pipefail

47
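--- /dev/null
+++ b/modules/operator.nix
@@ -0,0 +1,47 @@
+# Define an operator user for convenient interactive access to nix-bitcoin
+# features and services.
+#
+# When using nix-bitcoin as part of a larger system config, set
+# `nix-bitcoin.operator.name` to your main user name.
+{ config, lib, pkgs, options, ... }:
+with lib;
+let
+cfg = config.nix-bitcoin.operator;
+in {
+options.nix-bitcoin.operator = {
+enable = mkEnableOption "operator user";
+name = mkOption {
+type = types.str;
+default = "operator";
+description = "User name.";
+};
+groups = mkOption {
+type = with types; listOf str;
+default = [];
+description = "Extra groups.";
+};
+sudoUsers = mkOption {
+type = with types; listOf str;
+default = [];
+description = "Users as which the operator is allowed to run commands.";
+};
+};
+config = mkIf cfg.enable {
+users.users.${cfg.name} = {
+isNormalUser = true;
+extraGroups = [
+"systemd-journal"
+"proc" # Enable full /proc access and systemd-status
+] ++ cfg.groups;
+};
+security.sudo.extraConfig = mkIf (cfg.sudoUsers != []) (let
+users = builtins.concatStringsSep "," cfg.sudoUsers;
+in ''
+${cfg.name} ALL=(${users}) NOPASSWD: ALL
+'');
+};
+}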
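Review bot: The `sudoUsers` option description understates what the option grants: the generated sudoers line `${cfg.name} ALL=(${users}) NOPASSWD: ALL` lets the operator run any command as each listed user without a password, which in practice hands the operator every secret those service users own. Suggest `description = "Users as which the operator may run any command via passwordless sudo.";` so a reader of the option docs sees the scope before listing a user here. Both `cfg.name` and the `sudoUsers` entries are interpolated verbatim into sudoers syntax; as far as I recall the NixOS sudo module checks the assembled file with visudo at build time, so a name containing sudoers metacharacters should fail the build rather than produce a broken policy, but a short comment noting that reliance would help. Minor style point: `pkgs` and `options` in the module argument set are unused and can be dropped.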


@ -5,7 +5,7 @@ with lib;
let let
cfg = config.services; cfg = config.services;
operatorName = config.nix-bitcoin.operatorName; operatorName = config.nix-bitcoin.operator.name;
mkHiddenService = map: { mkHiddenService = map: {
map = [ map ]; map = [ map ];
@ -29,11 +29,6 @@ in {
default = 9735; default = 9735;
description = "Port on which to listen for tor client connections."; description = "Port on which to listen for tor client connections.";
}; };
nix-bitcoin.operatorName = mkOption {
type = types.str;
default = "operator";
description = "Less-privileged user's name.";
};
}; };
config = { config = {
@ -159,35 +154,15 @@ in {
qrencode qrencode
]; ];
# Create operator user which can access the node's services services.onion-chef = {
enable = true;
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
};
nix-bitcoin.operator.enable = true;
users.users.${operatorName} = { users.users.${operatorName} = {
isNormalUser = true;
extraGroups = [
"systemd-journal"
"proc" # Enable full /proc access and systemd-status
cfg.bitcoind.group
]
++ (optionals cfg.clightning.enable [ "clightning" ])
++ (optionals cfg.lnd.enable [ "lnd" ])
++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
[ cfg.hardware-wallets.group ])
++ (optionals cfg.joinmarket.enable [ cfg.joinmarket.group ]);
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
}; };
nix-bitcoin.netns-isolation.allowedUser = operatorName;
# Give operator access to onion hostnames
services.onion-chef.enable = true;
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
security.sudo.configFile =
(optionalString cfg.lnd.enable ''
${operatorName} ALL=(lnd) NOPASSWD: ALL
'') +
(optionalString cfg.joinmarket.enable ''
${operatorName} ALL=(${cfg.joinmarket.user}) NOPASSWD: ALL
'');
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
systemd.services.get-vbox-nixops-client-key = systemd.services.get-vbox-nixops-client-key =
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) { mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {