Remove PermissionsStartOnly where possible and replace it with the bitcoinrpc group

Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)

Give reason for PermissionsStartOnly in lightning-charge

Replace PermissionsStartOnly in clightning, electrs and liquid
nixbitcoin 2020-05-21 18:05:31 +02:00
parent 91b6b2c370
commit adc71b892e
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
7 changed files with 8 additions and 12 deletions


@ -286,9 +286,6 @@ in {
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'"; ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure"; Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027"; UMask = mkIf cfg.dataDirReadableByGroup "0027";
# Permission for preStart
PermissionsStartOnly = "true";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP) else nix-bitcoin-services.allowAnyIP)
@ -328,9 +325,11 @@ in {
description = "Bitcoin daemon user"; description = "Bitcoin daemon user";
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
users.groups.bitcoinrpc = {};
nix-bitcoin.secrets.bitcoin-rpcpassword = { nix-bitcoin.secrets.bitcoin-rpcpassword = {
user = "bitcoin"; user = "bitcoin";
group = "bitcoinrpc";
}; };
}; };
} }
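Review bot: The `group = "bitcoinrpc";` added to `nix-bitcoin.secrets.bitcoin-rpcpassword` only grants anything if the secrets module installs that file group-readable, and the file mode is not visible in this hunk; confirm it is owner- and group-read only, since a more permissive default would make the new group meaningless. A comment on the new group would let a later reader judge who may be added to it: `users.groups.bitcoinrpc = {}; # members can read the RPC password, i.e. get full RPC access to bitcoind`. Dropping `PermissionsStartOnly` means preStart now runs as the bitcoind service user; the preStart body is outside the hunk, so this assumes it no longer chowns or chmods anything that user does not already own.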


@ -75,6 +75,7 @@ in {
users.users.clightning = { users.users.clightning = {
description = "clightning User"; description = "clightning User";
group = "clightning"; group = "clightning";
extraGroups = [ "bitcoinrpc" ];
}; };
users.groups.clightning = {}; users.groups.clightning = {};
@ -97,7 +98,6 @@ in {
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config' echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
''; '';
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true";
ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}"; ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
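Review bot: `extraGroups = [ "bitcoinrpc" ];` is added without saying what the membership is for, here and in the lnd, liquid and electrs sections of this commit; a trailing comment makes the privilege grant auditable, e.g. `extraGroups = [ "bitcoinrpc" ]; # read bitcoin-rpcpassword in preStart`. With `PermissionsStartOnly` removed, the `echo "bitcoin-rpcpassword=..." >> '${cfg.dataDir}/config'` line now runs as `clightning`, so the appended password is protected only by whatever mode that config file already has. The lines that create the file are outside the hunk, so confirm it is recreated with a restrictive mode before this append, rather than accumulating one password line per restart under the default umask.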


@ -80,7 +80,6 @@ in {
RuntimeDirectory = "electrs"; RuntimeDirectory = "electrs";
RuntimeDirectoryMode = "700"; RuntimeDirectoryMode = "700";
WorkingDirectory = "/run/electrs"; WorkingDirectory = "/run/electrs";
PermissionsStartOnly = "true";
ExecStart = '' ExecStart = ''
${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \ ${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
${if cfg.high-memory then ${if cfg.high-memory then
@ -107,7 +106,7 @@ in {
users.users.${cfg.user} = { users.users.${cfg.user} = {
description = "electrs User"; description = "electrs User";
group = cfg.group; group = cfg.group;
extraGroups = optionals cfg.high-memory [ "bitcoin" ]; extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
} }


@ -51,6 +51,7 @@ in {
fi fi
''; '';
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
# Needed to access clightning.dataDir in preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env"; EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db"; ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
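Review bot: The new comment `# Needed to access clightning.dataDir in preStart` says that root is kept but not which operation needs it, which is what a later reader must know to decide whether it can go; `ExecStart` on the next line already has the lightning-charge user reach `${config.services.clightning.dataDir}/bitcoin`, so the root requirement presumably comes from a write or ownership change in preStart rather than from reading the socket. Suggest naming it: `# preStart must <OPERATION> in clightning.dataDir, which the lightning-charge user cannot do` (fill in from the preStart body, which is outside the hunk). If a single command needs it, systemd's full-privilege `+` prefix on `ExecStartPre=` limits root to that command instead of the whole pre-start, and is the replacement the systemd documentation gives for the deprecated `PermissionsStartOnly`.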


@ -212,7 +212,7 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
cp '${configFile}' '${cfg.dataDir}/elements.conf' cp '${configFile}' '${cfg.dataDir}/elements.conf'
chmod o-rw '${cfg.dataDir}/elements.conf' chmod 640 '${cfg.dataDir}/elements.conf'
chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf' echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf' echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
@ -222,12 +222,8 @@ in {
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.group}"; Group = "${cfg.group}";
ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}"; ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
StateDirectory = "liquidd";
PIDFile = "${pidFile}"; PIDFile = "${pidFile}";
Restart = "on-failure"; Restart = "on-failure";
# Permission for preStart
PermissionsStartOnly = "true";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
@ -235,6 +231,7 @@ in {
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
group = cfg.group; group = cfg.group;
extraGroups = [ "bitcoinrpc" ];
description = "Liquid sidechain user"; description = "Liquid sidechain user";
}; };
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
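Review bot: `StateDirectory = "liquidd";` is removed without a mention in the commit message; on a fresh install systemd no longer creates that directory, so unless `cfg.dataDir` is created and owned by `${cfg.user}` elsewhere (outside this hunk), the `cp` in preStart now fails as the unprivileged service user. The `chmod 640` line is fine, but it and `chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'` now run as `${cfg.user}` rather than root; an unprivileged `chown -R` fails on any file in the data dir that user does not already own, so a deployment with leftover root-owned files would stop starting. Worth a sentence in the description or a comment above the preStart such as `# runs as ${cfg.user}; dataDir and its contents must already be owned by it`. Since `elements.conf` is recreated by `cp` before the password lines are appended, the `>>` does not accumulate across restarts here.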


@ -163,6 +163,7 @@ in {
users.users.lnd = { users.users.lnd = {
description = "LND User"; description = "LND User";
group = "lnd"; group = "lnd";
extraGroups = [ "bitcoinrpc" ];
home = cfg.dataDir; # lnd creates .lnd dir in HOME home = cfg.dataDir; # lnd creates .lnd dir in HOME
}; };
users.groups.lnd = {}; users.groups.lnd = {};


@ -71,7 +71,6 @@ in {
requires = [ "clightning.service" ] ++ onion-chef-service; requires = [ "clightning.service" ] ++ onion-chef-service;
after = [ "clightning.service" ] ++ onion-chef-service; after = [ "clightning.service" ] ++ onion-chef-service;
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true";
ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}"; ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
User = "spark-wallet"; User = "spark-wallet";
Restart = "on-failure"; Restart = "on-failure";