diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index bf59a80..51e5265 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -423,7 +423,7 @@ in {
 ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
 Restart = "on-failure";
 UMask = mkIf cfg.dataDirReadableByGroup "0027";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
 };
 
@@ -449,7 +449,7 @@ in {
 serviceConfig = nbLib.defaultHardening // {
 User = cfg.user;
 Group = cfg.group;
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowLocalIPAddresses;
 };
 
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index 8f5f92a..49cc8c1 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -192,7 +192,7 @@ in {
 User = cfg.nbxplorer.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.nbxplorer.dataDir;
+ ReadWritePaths = [ cfg.nbxplorer.dataDir ];
 MemoryDenyWriteExecute = "false";
 } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
 };
@@ -245,7 +245,7 @@ in {
 User = cfg.btcpayserver.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.btcpayserver.dataDir;
+ ReadWritePaths = [ cfg.btcpayserver.dataDir ];
 MemoryDenyWriteExecute = "false";
 } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
 }; in self;
diff --git a/modules/clightning-rest.nix b/modules/clightning-rest.nix
index c182a3b..5ca51cf 100644
--- a/modules/clightning-rest.nix
+++ b/modules/clightning-rest.nix
@@ -96,7 +96,7 @@ in {
 User = clightning.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce // nbLib.nodejs;
 };
 
diff --git a/modules/clightning.nix b/modules/clightning.nix
index e1c6569..32ea647 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -148,7 +148,7 @@ in {
 User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce;
 # Wait until the rpc socket appears
 postStart = ''
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 32e29b0..afe85be 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -92,7 +92,7 @@ in {
 Group = cfg.group;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce;
 };
 
diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index 6a35aba..d7c4a0c 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@@ -328,7 +328,7 @@ in {
 User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce;
 };
 
@@ -368,7 +368,7 @@ in {
 # because it provides the wallet password via stdin to the main process
 SyslogIdentifier = "joinmarket-yieldgenerator";
 User = cfg.user;
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowTor;
 };
 })
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 614d39f..00da742 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -106,7 +106,7 @@ in {
 User = lnd.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce;
 };
 
diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix
index d60ea3c..240c283 100644
--- a/modules/lightning-pool.nix
+++ b/modules/lightning-pool.nix
@@ -103,7 +103,7 @@ in {
 User = "lnd";
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // (nbLib.allowedIPAddresses cfg.tor.enforce) // nbLib.allowNetlink; # required by gRPC-Go
 };
 
diff --git a/modules/liquid.nix b/modules/liquid.nix
index f884e85..ee3ff22 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -274,7 +274,7 @@ in {
 TimeoutStopSec = "10min";
 ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'";
 Restart = "on-failure";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce;
 };
 
diff --git a/modules/lnd.nix b/modules/lnd.nix
index da44192..8f0fe3a 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -232,7 +232,7 @@ in {
 TimeoutSec = "15min";
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 ExecStartPost = let
 curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
 restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
diff --git a/modules/rtl.nix b/modules/rtl.nix
index db5257a..8dbab0c 100644
--- a/modules/rtl.nix
+++ b/modules/rtl.nix
@@ -185,7 +185,7 @@ in {
 User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
- ReadWritePaths = cfg.dataDir;
+ ReadWritePaths = [ cfg.dataDir ];
 } // nbLib.allowedIPAddresses cfg.tor.enforce // nbLib.nodejs;
 };
 
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index 6919ae6..6b058fd 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -46,7 +46,11 @@ let self = {
 
 # Allow takes precedence over Deny.
 allowLocalIPAddresses = {
- IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
+ IPAddressAllow = [
+ "127.0.0.1/32"
+ "::1/128"
+ "169.254.0.0/16"
+ ];
 };
 allowAllIPAddresses = { IPAddressAllow = "any"; };
 allowTor = self.allowLocalIPAddresses;
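Review bot: `allowAllIPAddresses = { IPAddressAllow = "any"; };` on the line after the change keeps the string form while `allowLocalIPAddresses` directly above it now uses a list, so two helpers in the same attrset emit the same systemd directive in two shapes; `IPAddressAllow = [ "any" ];` would keep them uniform and let either set be extended the same way. The list form is presumably chosen so a consumer can append entries with `++` rather than by string concatenation, which is easy to get wrong for a whitespace-separated value; a one-line comment above `allowLocalIPAddresses` stating that, e.g. `# List form: extend with ++, never by string concatenation.`, would make the intent explicit. The enclosing `let self = {` block starts before the hunk.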