From bd2a46cb73de511b763d87593aadf6d0d9eefe11 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 14 Jan 2021 13:24:19 +0100
Subject: [PATCH] spark-wallet: use onionServices

Also remove the unneeded definition of ReadWritePaths because the service doesn't need write access to onion files.
---
 modules/onion-services.nix | 9 +++++++++
 modules/presets/enable-tor.nix | 1 +
 modules/presets/secure-node.nix | 4 ----
 modules/spark-wallet.nix | 35 +++++++++++++--------------------
 4 files changed, 24 insertions(+), 25 deletions(-)

diff --git a/modules/onion-services.nix b/modules/onion-services.nix
index 755a4e7..db0dac1 100644
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@@ -103,6 +103,15 @@ in {
 # Set sensible defaults for some services
 {
 nix-bitcoin.onionServices = {
+ spark-wallet = {
+ externalPort = 80;
+ # Enable 'public' by default, but don't auto-enable the onion service.
+ # When the onion service is enabled, 'public' lets spark-wallet generate
+ # a QR code for accessing the web interface.
+ public = true;
+ # Low priority so we can override this with mkDefault in ./presets/enable-tor.nix
+ enable = mkOverride 1400 false;
+ };
 btcpayserver = {
 externalPort = 80;
 };
diff --git a/modules/presets/enable-tor.nix b/modules/presets/enable-tor.nix
index 41c50d2..2d5ffd3 100644
--- a/modules/presets/enable-tor.nix
+++ b/modules/presets/enable-tor.nix
@@ -31,5 +31,6 @@ in {
 liquidd.enable = defaultTrue;
 electrs.enable = defaultTrue;
 btcpayserver.enable = defaultTrue;
+ spark-wallet.enable = defaultTrue;
 };
 }
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 643a25a..5c6ee23 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -53,10 +53,6 @@ in {
 listen = true;
 };
 
- services.spark-wallet = {
- onion-service = true;
- };
-
 # Backups
 services.backups = {
 program = "duplicity";
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 52bcee1..a130dd2 100644
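Review bot: `public = true;` for spark-wallet is a plain definition, unlike the `enable = mkOverride 1400 false;` right below it, so a user who keeps the onion service but sets `nix-bitcoin.onionServices.spark-wallet.public = false` gets a conflicting-definition error rather than an override (assuming `public` is an ordinary bool option and the enclosing attrset, which starts outside the hunk, is not already wrapped in mkDefault). Since this block is labelled as sensible defaults, `public = mkDefault true;` would match that intent and still let the enable-tor preset's mkDefault on `enable` work as the comment describes. The same consideration applies to `externalPort = 80;`, though that mirrors the existing btcpayserver entry.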
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -5,14 +5,13 @@ with lib;
 let
 cfg = config.services.spark-wallet;
 inherit (config) nix-bitcoin-services;
- onionAddressesService = (if cfg.onion-service then [ "onion-addresses.service" ] else []);
 # Use wasabi rate provider because the default (bitstamp) doesn't accept
 # connections through Tor
 torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}";
 startScript = ''
- ${optionalString cfg.onion-service ''
- publicURL="--public-url http://$(cat /var/lib/onion-addresses/spark-wallet/spark-wallet)"
+ ${optionalString (cfg.getPublicAddressCmd != "") ''
+ publicURL="--public-url http://$(${cfg.getPublicAddressCmd})"
 ''}
 exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
 --ln-path '${config.services.clightning.networkDir}' \
@@ -41,19 +40,21 @@ in {
 default = 9737;
 description = "http(s) server port.";
 };
- onion-service = mkOption {
- type = types.bool;
- default = false;
- description = ''
- "If enabled, configures spark-wallet to be reachable through an onion service.";
- '';
- };
 extraArgs = mkOption {
 type = types.separatedString " ";
 default = "";
 description = "Extra command line arguments passed to spark-wallet.";
 };
- enforceTor = nix-bitcoin-services.enforceTor;
+ getPublicAddressCmd = mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Bash expression which outputs the public service address.
+ If set, spark-wallet prints a QR code to the systemd journal which
+ encodes an URL for accessing the web interface.
+ '';
+ };
+ inherit (nix-bitcoin-services) enforceTor;
 };
 config = mkIf cfg.enable {
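Review bot: The new `publicURL="--public-url http://$(${cfg.getPublicAddressCmd})"` never checks that the substitution produced anything, so an expression that exits 0 with empty output makes spark-wallet advertise `http://` with no host instead of failing at startup (a non-zero exit presumably already aborts the unit if the generated script runs under `set -e`, which is not visible here). Capturing and validating the output first would be clearer: `addr=$(${cfg.getPublicAddressCmd})`, `[[ -n "$addr" ]] || { echo "getPublicAddressCmd printed no address" >&2; exit 1; }`, then `publicURL="--public-url http://$addr"`. Note that the expression now runs inside the hardened unit as the `spark-wallet` user (serviceConfig is in the last hunk), so anything it reads must be readable there. startScript continues past the end of the hunk.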
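Review bot: The `description` of `getPublicAddressCmd` omits the contract that `startScript` (previous hunk) imposes on the expression: its output is spliced directly into an `http://` URL, so it must print a bare host (optionally `host:port`) with no scheme or surrounding whitespace, and it executes as the `spark-wallet` user under the unit's `defaultHardening`, so it can only read what that user can read. I would add a sentence such as `The expression runs as user spark-wallet inside the hardened service and must print a bare host name (no scheme), which is embedded in an http:// URL.` Also `encodes an URL` should read `encodes a URL`. The options attrset continues outside the hunk.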
@@ -66,24 +67,16 @@ in {
 };
 users.groups.spark-wallet = {};
- services.tor.hiddenServices.spark-wallet = mkIf cfg.onion-service {
- map = [{
- port = 80; toPort = cfg.port; toHost = cfg.address;
- }];
- version = 3;
- };
- nix-bitcoin.onionAddresses.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
 systemd.services.spark-wallet = {
 description = "Run spark-wallet";
 wantedBy = [ "multi-user.target" ];
- requires = [ "clightning.service" ] ++ onionAddressesService;
- after = [ "clightning.service" ] ++ onionAddressesService;
+ requires = [ "clightning.service" ];
+ after = [ "clightning.service" ];
 script = startScript;
 serviceConfig = nix-bitcoin-services.defaultHardening // {
 User = "spark-wallet";
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = mkIf cfg.onion-service "/var/lib/onion-addresses";
 } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP)