Merge #324: Fix lnd onion

ecc601a6d6 onion-addresses: mirror nix-bitcoin.onionAddresses.access behavior (nixbitcoin) e873326bfe modules: use user & group options (nixbitcoin) ccef870b74 spark-wallet: add user & group options (nixbitcoin) 85a1722545 lnd: add user & group options (nixbitcoin) Pull request description: ACKs for top commit: erikarvstedt: ACK ecc601a6d6 Tree-SHA512: 39da5f8e01b98a676af8a073c11df64df487b5c3ab01327a227d16f215826f5bf15ca9ac21b59934edc5e2bbb87e397c53fcbf7130bd10b00f1df359ab3328ba
2021-02-17 19:08:02 +00:00 · 2021-02-17 19:08:02 +00:00 · bcad047757
parent eddc48ee62 ecc601a6d6
commit bcad047757
11 changed files with 56 additions and 36 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -385,13 +385,13 @@ in {
    users.groups.bitcoinrpc = {};
    nix-bitcoin.operator.groups = [ cfg.group ];

-    nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
+    nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user;
    nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
-      user = "bitcoin";
+      user = cfg.user;
      group = "bitcoinrpc";
    };

-    nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = "bitcoin";
-    nix-bitcoin.secrets.bitcoin-HMAC-public.user = "bitcoin";
+    nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = cfg.user;
+    nix-bitcoin.secrets.bitcoin-HMAC-public.user = cfg.user;
  };
 }
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@ -218,7 +218,7 @@ in {
    users.groups.${cfg.nbxplorer.group} = {};
    users.users.${cfg.btcpayserver.user} = {
      group = cfg.btcpayserver.group;
-      extraGroups = [ "nbxplorer" ]
+      extraGroups = [ cfg.nbxplorer.group ]
                    ++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
      home = cfg.btcpayserver.dataDir;
    };
@ -226,10 +226,10 @@ in {

    nix-bitcoin.secrets = {
      bitcoin-rpcpassword-btcpayserver = {
-        user = "bitcoin";
-        group = "nbxplorer";
+        user = cfg.bitcoind.user;
+        group = cfg.nbxplorer.group;
      };
-      bitcoin-HMAC-btcpayserver.user = "bitcoin";
+      bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
    };
  };
 }
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -110,7 +110,7 @@ in {

    users.users.${cfg.user} = {
      group = cfg.group;
-      extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
+      extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.user ];
    };
    users.groups.${cfg.group} = {};
  };
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@ -89,7 +89,7 @@ in {
    environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];

    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 lnd lnd - -"
+      "d '${cfg.dataDir}' 0770 ${config.services.lnd.user} ${config.services.lnd.group} - -"
    ];

    systemd.services.lightning-loop = {
@ -98,7 +98,7 @@ in {
      after = [ "lnd.service" ];
      serviceConfig = nbLib.defaultHardening // {
        ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
-        User = "lnd";
+        User = config.services.lnd.user;
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = cfg.dataDir;
@ -108,8 +108,8 @@ in {
    };

     nix-bitcoin.secrets = {
-       loop-key.user = "lnd";
-       loop-cert.user = "lnd";
+       loop-key.user = config.services.lnd.user;
+       loop-cert.user = config.services.lnd.user;
     };
  };
 }
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -252,6 +252,6 @@ in {
    users.groups.${cfg.group} = {};
    nix-bitcoin.operator.groups = [ cfg.group ];

-    nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid";
+    nix-bitcoin.secrets.liquid-rpcpassword.user = cfg.user;
  };
 }
--- a/modules/lnd-rest-onion-service.nix
+++ b/modules/lnd-rest-onion-service.nix
@ -11,7 +11,7 @@ let
  lnd = config.services.lnd;

  bin = pkgs.writeScriptBin "lndconnect-rest-onion" ''
-    #!/usr/bin/env -S ${runAsUser} lnd ${pkgs.bash}/bin/bash
+    #!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash

    exec ${cfg.package}/bin/lndconnect \
     --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -124,7 +124,7 @@ in {
      default = pkgs.writeScriptBin "lncli"
      # Switch user because lnd makes datadir contents readable by user only
      ''
-        ${runAsUser} lnd ${cfg.package}/bin/lncli \
+        ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
          --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
          --tlscertpath '${secretsDir}/lnd-cert' \
          --macaroonpath '${networkDir}/admin.macaroon' "$@"
@ -139,6 +139,16 @@ in {
        If left empty, no address is announced.
      '';
    };
+    user = mkOption {
+      type = types.str;
+      default = "lnd";
+      description = "The user as which to run LND.";
+    };
+    group = mkOption {
+      type = types.str;
+      default = cfg.user;
+      description = "The group as which to run LND.";
+    };
    inherit (nbLib) enforceTor;
  };

@ -163,7 +173,7 @@ in {
    environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];

    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 lnd lnd - -"
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
    ];

    systemd.services.lnd = {
@ -183,7 +193,7 @@ in {
        RuntimeDirectory = "lnd"; # Only used to store custom macaroons
        RuntimeDirectoryMode = "711";
        ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
-        User = "lnd";
+        User = cfg.user;
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = cfg.dataDir;
@ -206,7 +216,7 @@ in {
                --cacert ${secretsDir}/lnd-cert \
                -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
            fi
-            chown lnd: "$mnemonic"
+            chown ${cfg.user}: "$mnemonic"
          '')
          (nbLib.script "lnd-create-wallet" ''
            if [[ ! -f ${networkDir}/wallet.db ]]; then
@ -263,21 +273,21 @@ in {
        ) // nbLib.allowAnyProtocol;  # For ZMQ
    };

-    users.users.lnd = {
-      group = "lnd";
+    users.users.${cfg.user} = {
+      group = cfg.group;
      extraGroups = [ "bitcoinrpc" ];
      home = cfg.dataDir; # lnd creates .lnd dir in HOME
    };
-    users.groups.lnd = {};
+    users.groups.${cfg.group} = {};
    nix-bitcoin.operator = {
-      groups = [ "lnd" ];
-      allowRunAsUsers = [ "lnd" ];
+      groups = [ cfg.group ];
+      allowRunAsUsers = [ cfg.user ];
    };

    nix-bitcoin.secrets = {
-      lnd-wallet-password.user = "lnd";
-      lnd-key.user = "lnd";
-      lnd-cert.user = "lnd";
+      lnd-wallet-password.user = cfg.user;
+      lnd-key.user = cfg.user;
+      lnd-cert.user = cfg.user;
      lnd-cert.permissions = "0444"; # world readable
    };
  };
--- a/modules/onion-addresses.nix
+++ b/modules/onion-addresses.nix
@ -84,7 +84,7 @@ in {
        ${concatMapStrings (service: ''
          onionFile=/var/lib/tor/onion/${service}/hostname
          if [[ -e $onionFile ]]; then
-            install -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile ${service}
+            install -D -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile services/${service}
          fi
        '') cfg.services}
      '';
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@ -94,7 +94,7 @@ in {
          in srv.public && srv.enable
        ) services;
      in genAttrs publicServices' (service: {
-        getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}";
+        getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/services/${service}";
      });
    }

--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@ -100,7 +100,7 @@ in {

    users.users.recurring-donations = {
      group = "recurring-donations";
-      extraGroups = [ "clightning" ];
+      extraGroups = [ config.services.clightning.group ];
    };
    users.groups.recurring-donations = {};
  };
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -48,17 +48,27 @@ in {
        encodes an URL for accessing the web interface.
      '';
    };
+    user = mkOption {
+      type = types.str;
+      default = "spark-wallet";
+      description = "The user as which to run spark-wallet.";
+    };
+    group = mkOption {
+      type = types.str;
+      default = cfg.user;
+      description = "The group as which to run spark-wallet.";
+    };
    inherit (nbLib) enforceTor;
  };

  config = mkIf cfg.enable {
    services.clightning.enable = true;

-    users.users.spark-wallet = {
-      group = "spark-wallet";
-      extraGroups = [ "clightning" ];
+    users.users.${cfg.user} = {
+      group = cfg.group;
+      extraGroups = [ config.services.clightning.group ];
    };
-    users.groups.spark-wallet = {};
+    users.groups.${cfg.group} = {};

    systemd.services.spark-wallet = {
      wantedBy = [ "multi-user.target" ];
@ -66,7 +76,7 @@ in {
      after = [ "clightning.service" ];
      script = startScript;
      serviceConfig = nbLib.defaultHardening // {
-        User = "spark-wallet";
+        User = cfg.user;
        Restart = "on-failure";
        RestartSec = "10s";
      } // (if cfg.enforceTor
@ -74,6 +84,6 @@ in {
            else nbLib.allowAnyIP)
        // nbLib.nodejs;
    };
-    nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";
+    nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
  };
 }