netns: separate implementation and service configs

This greatly improves clarity. Especially the bitcoind-import-banlist.serviceConfig definition was out of place.
2020-08-21 22:35:59 +02:00 · 2020-08-21 22:35:59 +02:00 · e385c73256
parent d0b8d77de2
commit e385c73256
1 changed files with 55 additions and 60 deletions
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@ -75,8 +75,10 @@ in {
    };
  };

-  config = mkIf cfg.enable {
-    # Prerequisites
+  config = mkIf cfg.enable (mkMerge [
+
+  # Base infrastructure
+  {
    networking.dhcpcd.denyInterfaces = [ "br0" "br-nb*" "nb-veth*" ];
    services.tor.client.socksListenAddress = "${bridgeIp}:9050";
    networking.firewall.interfaces.br0.allowedTCPPorts = [ 9050 ];
@ -88,51 +90,6 @@ in {
      permissions = "u+rx,g+rx,o-rwx";
    };

-    nix-bitcoin.netns-isolation.services = {
-      bitcoind = {
-        id = 12;
-      };
-      clightning = {
-        id = 13;
-        connections = [ "bitcoind" ];
-      };
-      lnd = {
-        id = 14;
-        connections = [ "bitcoind" ];
-      };
-      liquidd = {
-        id = 15;
-        connections = [ "bitcoind" ];
-      };
-      electrs = {
-        id = 16;
-        connections = [ "bitcoind" ];
-      };
-      spark-wallet = {
-        id = 17;
-        # communicates with clightning over lightning-rpc socket
-      };
-      lightning-charge = {
-        id = 18;
-        # communicates with clightning over lightning-rpc socket
-      };
-      nanopos = {
-        id = 19;
-        connections = [ "nginx" "lightning-charge" ];
-      };
-      recurring-donations = {
-        id = 20;
-        # communicates with clightning over lightning-rpc socket
-      };
-      nginx = {
-        id = 21;
-      };
-      lightning-loop = {
-        id = 22;
-        connections = [ "lnd" ];
-      };
-    };
-
    systemd.services = {
      netns-bridge = {
        description = "Create bridge";
@ -153,8 +110,6 @@ in {
          RemainAfterExit = "yes";
        };
      };
-
-      bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
    } //
    (let
      makeNetnsServices = n: v: let
@ -206,8 +161,55 @@ in {
    in foldl (services: n:
      services // (makeNetnsServices n netns.${n})
    ) {} (builtins.attrNames netns));
+  }
+
+  # Service-specific config
+  {
+    nix-bitcoin.netns-isolation.services = {
+      bitcoind = {
+        id = 12;
+      };
+      clightning = {
+        id = 13;
+        connections = [ "bitcoind" ];
+      };
+      lnd = {
+        id = 14;
+        connections = [ "bitcoind" ];
+      };
+      liquidd = {
+        id = 15;
+        connections = [ "bitcoind" ];
+      };
+      electrs = {
+        id = 16;
+        connections = [ "bitcoind" ];
+      };
+      spark-wallet = {
+        id = 17;
+        # communicates with clightning over lightning-rpc socket
+      };
+      lightning-charge = {
+        id = 18;
+        # communicates with clightning over lightning-rpc socket
+      };
+      nanopos = {
+        id = 19;
+        connections = [ "nginx" "lightning-charge" ];
+      };
+      recurring-donations = {
+        id = 20;
+        # communicates with clightning over lightning-rpc socket
+      };
+      nginx = {
+        id = 21;
+      };
+      lightning-loop = {
+        id = 22;
+        connections = [ "lnd" ];
+      };
+    };

-    # bitcoin: Custom netns configs
    services.bitcoind = {
      bind = netns.bitcoind.address;
      rpcbind = [
@ -221,14 +223,13 @@ in {
        netns-exec nb-bitcoind ${config.services.bitcoind.package}/bin/bitcoin-cli -datadir='${config.services.bitcoind.dataDir}' "$@"
      '';
    };
+    systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";

-    # clightning: Custom netns configs
    services.clightning = {
      bitcoin-rpcconnect = netns.bitcoind.address;
      bind-addr = netns.clightning.address;
    };

-    # lnd: Custom netns configs
    services.lnd = {
      listen = netns.lnd.address;
      rpclisten = [
@ -248,7 +249,6 @@ in {
      '';
    };

-    # liquidd: Custom netns configs
    services.liquidd = {
      bind = netns.liquidd.address;
      rpcbind = [
@ -267,31 +267,25 @@ in {
      '';
    };

-    # electrs: Custom netns configs
    services.electrs = {
      address = netns.electrs.address;
      daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}";
    };

-    # spark-wallet: Custom netns configs
    services.spark-wallet = {
      host = netns.spark-wallet.address;
      extraArgs = "--no-tls";
    };

-    # lightning-charge: Custom netns configs
    services.lightning-charge.host = netns.lightning-charge.address;

-    # nanopos: Custom netns configs
    services.nanopos = {
      charged-url = "http://${netns.lightning-charge.address}:9112";
      host = netns.nanopos.address;
    };

-    # nginx: Custom netns configs
    services.nix-bitcoin-webindex.host = netns.nginx.address;

-    # loop: Custom netns configs
    services.lightning-loop = {
      cli = pkgs.writeScriptBin "loop"
      # Switch user because lnd makes datadir contents readable by user only
@ -299,5 +293,6 @@ in {
        netns-exec nb-lightning-loop sudo -u lnd ${config.services.lightning-loop.package}/bin/loop "$@"
      '';
    };
-  };
+  }
+  ]);
 }