Remove PermissionStartOnly where possible and replace with bitcoinrpc

Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never needed there) Give reason for PermissionsStartOnly in lightning-charge Replace PermissionsStartOnly in clightning, electrs and liquid
2020-05-21 18:05:31 +02:00 · 2020-05-21 18:05:31 +02:00 · adc71b892e
parent 91b6b2c370
commit adc71b892e
7 changed files with 8 additions and 12 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -286,9 +286,6 @@ in {
        ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
        Restart = "on-failure";
        UMask = mkIf cfg.dataDirReadableByGroup "0027";
-
-        # Permission for preStart
-        PermissionsStartOnly = "true";
      } // (if cfg.enforceTor
            then nix-bitcoin-services.allowTor
            else nix-bitcoin-services.allowAnyIP)
@ -328,9 +325,11 @@ in {
      description = "Bitcoin daemon user";
    };
    users.groups.${cfg.group} = {};
+    users.groups.bitcoinrpc = {};

    nix-bitcoin.secrets.bitcoin-rpcpassword = {
      user = "bitcoin";
+      group = "bitcoinrpc";
    };
  };
 }
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -75,6 +75,7 @@ in {
    users.users.clightning = {
        description = "clightning User";
        group = "clightning";
+        extraGroups = [ "bitcoinrpc" ];
    };
    users.groups.clightning = {};

@ -97,7 +98,6 @@ in {
        echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
        '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
-        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
        User = "clightning";
        Restart = "on-failure";
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -80,7 +80,6 @@ in {
        RuntimeDirectory = "electrs";
        RuntimeDirectoryMode = "700";
        WorkingDirectory = "/run/electrs";
-        PermissionsStartOnly = "true";
        ExecStart = ''
          ${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
          ${if cfg.high-memory then
@ -107,7 +106,7 @@ in {
    users.users.${cfg.user} = {
      description = "electrs User";
      group = cfg.group;
-      extraGroups = optionals cfg.high-memory [ "bitcoin" ];
+      extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
    };
    users.groups.${cfg.group} = {};
  }
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@ -51,6 +51,7 @@ in {
        fi
        '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
+          # Needed to access clightning.dataDir in preStart
          PermissionsStartOnly = "true";
          EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
          ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -212,7 +212,7 @@ in {
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        cp '${configFile}' '${cfg.dataDir}/elements.conf'
-        chmod o-rw  '${cfg.dataDir}/elements.conf'
+        chmod 640  '${cfg.dataDir}/elements.conf'
        chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
        echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
        echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
@ -222,12 +222,8 @@ in {
        User = "${cfg.user}";
        Group = "${cfg.group}";
        ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
-        StateDirectory = "liquidd";
        PIDFile = "${pidFile}";
        Restart = "on-failure";
-
-        # Permission for preStart
-        PermissionsStartOnly = "true";
      } // (if cfg.enforceTor
          then nix-bitcoin-services.allowTor
          else nix-bitcoin-services.allowAnyIP
@ -235,6 +231,7 @@ in {
    };
    users.users.${cfg.user} = {
      group = cfg.group;
+      extraGroups = [ "bitcoinrpc" ];
      description = "Liquid sidechain user";
    };
    users.groups.${cfg.group} = {};
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -163,6 +163,7 @@ in {
    users.users.lnd = {
      description = "LND User";
      group = "lnd";
+      extraGroups = [ "bitcoinrpc" ];
      home = cfg.dataDir; # lnd creates .lnd dir in HOME
    };
    users.groups.lnd = {};
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -71,7 +71,6 @@ in {
      requires = [ "clightning.service" ] ++ onion-chef-service;
      after = [ "clightning.service" ]  ++ onion-chef-service;
      serviceConfig = nix-bitcoin-services.defaultHardening // {
-        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
        User = "spark-wallet";
        Restart = "on-failure";