Remove PermissionStartOnly where possible and replace with bitcoinrpc
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never needed there) Give reason for PermissionsStartOnly in lightning-charge Replace PermissionsStartOnly in clightning, electrs and liquid
This commit is contained in:
parent
91b6b2c370
commit
adc71b892e
@ -286,9 +286,6 @@ in {
|
||||
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
||||
Restart = "on-failure";
|
||||
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP)
|
||||
@ -328,9 +325,11 @@ in {
|
||||
description = "Bitcoin daemon user";
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
users.groups.bitcoinrpc = {};
|
||||
|
||||
nix-bitcoin.secrets.bitcoin-rpcpassword = {
|
||||
user = "bitcoin";
|
||||
group = "bitcoinrpc";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -75,6 +75,7 @@ in {
|
||||
users.users.clightning = {
|
||||
description = "clightning User";
|
||||
group = "clightning";
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
};
|
||||
users.groups.clightning = {};
|
||||
|
||||
@ -97,7 +98,6 @@ in {
|
||||
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
|
||||
'';
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
|
||||
User = "clightning";
|
||||
Restart = "on-failure";
|
||||
|
@ -80,7 +80,6 @@ in {
|
||||
RuntimeDirectory = "electrs";
|
||||
RuntimeDirectoryMode = "700";
|
||||
WorkingDirectory = "/run/electrs";
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = ''
|
||||
${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
|
||||
${if cfg.high-memory then
|
||||
@ -107,7 +106,7 @@ in {
|
||||
users.users.${cfg.user} = {
|
||||
description = "electrs User";
|
||||
group = cfg.group;
|
||||
extraGroups = optionals cfg.high-memory [ "bitcoin" ];
|
||||
extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
}
|
||||
|
@ -51,6 +51,7 @@ in {
|
||||
fi
|
||||
'';
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
# Needed to access clightning.dataDir in preStart
|
||||
PermissionsStartOnly = "true";
|
||||
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
|
||||
ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
|
||||
|
@ -212,7 +212,7 @@ in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
cp '${configFile}' '${cfg.dataDir}/elements.conf'
|
||||
chmod o-rw '${cfg.dataDir}/elements.conf'
|
||||
chmod 640 '${cfg.dataDir}/elements.conf'
|
||||
chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
|
||||
echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
|
||||
echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
|
||||
@ -222,12 +222,8 @@ in {
|
||||
User = "${cfg.user}";
|
||||
Group = "${cfg.group}";
|
||||
ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
|
||||
StateDirectory = "liquidd";
|
||||
PIDFile = "${pidFile}";
|
||||
Restart = "on-failure";
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
@ -235,6 +231,7 @@ in {
|
||||
};
|
||||
users.users.${cfg.user} = {
|
||||
group = cfg.group;
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
description = "Liquid sidechain user";
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
|
@ -163,6 +163,7 @@ in {
|
||||
users.users.lnd = {
|
||||
description = "LND User";
|
||||
group = "lnd";
|
||||
extraGroups = [ "bitcoinrpc" ];
|
||||
home = cfg.dataDir; # lnd creates .lnd dir in HOME
|
||||
};
|
||||
users.groups.lnd = {};
|
||||
|
@ -71,7 +71,6 @@ in {
|
||||
requires = [ "clightning.service" ] ++ onion-chef-service;
|
||||
after = [ "clightning.service" ] ++ onion-chef-service;
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
|
||||
User = "spark-wallet";
|
||||
Restart = "on-failure";
|
||||
|
Loading…
Reference in New Issue
Block a user