onionAddresses: use service 'script' option
This also makes the script stop on errors.
This commit is contained in:
parent
6d13b26d0a
commit
b266f23251
@ -4,7 +4,7 @@
|
||||
# The included service copies onion addresses to /var/lib/onion-addresses/<user>/
|
||||
# and sets permissions according to option 'access'.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
@ -12,7 +12,38 @@ let
|
||||
cfg = config.nix-bitcoin.onionAddresses;
|
||||
inherit (config) nix-bitcoin-services;
|
||||
dataDir = "/var/lib/onion-addresses/";
|
||||
onion-addresses-script = pkgs.writeScript "onion-addresses.sh" ''
|
||||
in {
|
||||
options.nix-bitcoin.onionAddresses = {
|
||||
access = mkOption {
|
||||
type = with types; attrsOf (listOf str);
|
||||
default = {};
|
||||
description = ''
|
||||
This option controls who is allowed to access onion addresses.
|
||||
For example, the following allows user 'myuser' to access bitcoind
|
||||
and clightning onion addresses:
|
||||
{
|
||||
"myuser" = [ "bitcoind" "clightning" ];
|
||||
};
|
||||
The onion hostnames can then be read from
|
||||
/var/lib/onion-addresses/myuser.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf (cfg.access != {}) {
|
||||
systemd.services.onion-addresses = {
|
||||
wantedBy = [ "tor.service" ];
|
||||
bindsTo = [ "tor.service" ];
|
||||
after = [ "tor.service" ];
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
StateDirectory = "onion-addresses";
|
||||
PrivateNetwork = "true"; # This service needs no network access
|
||||
PrivateUsers = "false";
|
||||
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
||||
};
|
||||
script = ''
|
||||
# wait until tor is up
|
||||
until ls -l /var/lib/tor/state; do sleep 1; done
|
||||
|
||||
@ -42,38 +73,6 @@ let
|
||||
(builtins.attrNames cfg.access)
|
||||
}
|
||||
'';
|
||||
in {
|
||||
options.nix-bitcoin.onionAddresses = {
|
||||
access = mkOption {
|
||||
type = with types; attrsOf (listOf str);
|
||||
default = {};
|
||||
description = ''
|
||||
This option controls who is allowed to access onion addresses.
|
||||
For example, the following allows user 'myuser' to access bitcoind
|
||||
and clightning onion addresses:
|
||||
{
|
||||
"myuser" = [ "bitcoind" "clightning" ];
|
||||
};
|
||||
The onion hostnames can then be read from
|
||||
/var/lib/onion-addresses/myuser.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf (cfg.access != {}) {
|
||||
systemd.services.onion-addresses = {
|
||||
wantedBy = [ "tor.service" ];
|
||||
bindsTo = [ "tor.service" ];
|
||||
after = [ "tor.service" ];
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
ExecStart = "${pkgs.bash}/bin/bash ${onion-addresses-script}";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
StateDirectory = "onion-addresses";
|
||||
PrivateNetwork = "true"; # This service needs no network access
|
||||
PrivateUsers = "false";
|
||||
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
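Review bot: The readiness wait at the top of `script` in the `@ -12,7 +12,38 @@` hunk (`until ls -l /var/lib/tor/state; do sleep 1; done`) is unbounded, and because `Type = "oneshot"` disables systemd's default start timeout, a tor instance that never writes its state file leaves this unit in "activating" indefinitely instead of failing; consider adding `TimeoutStartSec = "2min";` to serviceConfig next to `StateDirectory`, or bounding the loop with a retry counter. The `set -e` that the `script` option introduces does not apply to an `until` condition, so the loop itself is unaffected by the change, but any command in the body after it now aborts the unit on a non-zero exit, which is worth a one-line comment in the script. `ls -l` also writes the listing to the journal on every iteration; `until test -e /var/lib/tor/state; do sleep 1; done` is quieter and states the check directly. The body of `script` continues past this hunk, so I cannot see whether anything there still referenced `pkgs`, which the `@ -4,7 +4,7 @@` hunk removes from the module arguments.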