From aba1b7dfc2d9c2c5fd0659b4e7f32d57089d6caa Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Fri, 29 Mar 2019 14:46:13 +0000
Subject: [PATCH] Give operator access to onion hostnames through new onion-manager module
---
modules/nix-bitcoin.nix | 6 ++-
modules/onion-chef.nix | 87 +++++++++++++++++++++++++++++++++++++++
pkgs/nodeinfo/nodeinfo.sh | 14 +++----
3 files changed, 99 insertions(+), 8 deletions(-)
create mode 100644 modules/onion-chef.nix
diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix
index a6c16c8..07d7713 100644
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
@@ -42,6 +42,7 @@ in {
 ./liquid.nix
 ./spark-wallet.nix
 ./electrs.nix
+ ./onion-chef.nix
 ];
 options.services.nix-bitcoin = {
@@ -121,8 +122,11 @@ in {
 isNormalUser = true;
 extraGroups = [ "clightning" config.services.bitcoind.group ]
 ++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ]);
-
 };
+ # Give operator access to onion hostnames
+ services.onion-chef.enable = true;
+ services.onion-chef.access.operator = [ "bitcoind" "clightning" "ngninx" "liquidd" "spark-wallet" "electrs" "sshd" ];
+
 environment.interactiveShellInit = ''
 alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
 alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix
new file mode 100644
index 0000000..9a71e0b
--- /dev/null
+++ b/modules/onion-chef.nix
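Review bot: `"ngninx"` in the new `services.onion-chef.access.operator` list is a typo for `"nginx"`; the onion-chef script tests `-e /var/lib/tor/onion/ngninx/hostname`, which never exists, so the copy is skipped silently and `/var/lib/onion-chef/operator/nginx`, which nodeinfo.sh reads in its second hunk, is never created. Change the line to `services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];`. Because `access` is declared as `types.attrs` the module system cannot catch this either; an `assertions` entry checking that every listed name is a configured onion service would surface such mistakes at evaluation time instead of as a missing file at runtime.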
@@ -0,0 +1,87 @@
+# The onion chef module allows unprivileged users to read onion hostnames.
+# By default the onion hostnames in /var/lib/tor/onion are only readable by the
+# tor user. The onion chef copies the onion hostnames into into
+# /var/lib/onion-chef and sets permissions according to the access option.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.onion-chef;
+ dataDir = "/var/lib/onion-chef/";
+ onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
+ # wait until tor is up
+ until ls -l /var/lib/tor/state; do sleep 1; done
+
+ mkdir -p -m 0755 ${dataDir}
+ cd ${dataDir}
+
+ # Create directory for every user and set permissions
+ ${ builtins.foldl'
+ (x: user: x +
+ ''
+ mkdir -p -m 0700 ${user}
+ chown ${user} ${user}
+ # Copy onion hostnames into the user's directory
+ ${ builtins.foldl'
+ (x: onion: x +
+ ''
+ ONION_FILE=/var/lib/tor/onion/${onion}/hostname
+ if [ -e "$ONION_FILE" ]; then
+ cp $ONION_FILE ${user}/${onion}
+ chown ${user} ${user}/${onion}
+ fi
+ '')
+ ""
+ (builtins.getAttr user cfg.access)
+ }
+ '')
+ ""
+ (builtins.attrNames cfg.access)
+ }
+ '';
+in {
+ options.services.onion-chef = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If enabled, the onion-chef service will be installed.
+ '';
+ };
+ access = mkOption {
+ type = types.attrs;
+ default = {};
+ description = ''
+ This option controls who is allowed to access onion hostnames. For
+ example the following allows the user operator to access the bitcoind
+ and clightning onion.
+ {
+ "operator" = [ "bitcoind" "clightning" ];
+ };
+ The onion hostnames can then be read from
+ /var/lib/onion-chef/.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.onion-chef = {
+ description = "Run onion-chef";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "tor.service" ];
+ partOf = [ "tor.service" ];
+ after = [ "tor.service" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
+ User = "root";
+ Type = "oneshot";
+ PrivateTmp = "true";
+ ProtectSystem = "full";
+ NoNewPrivileges = "true";
+ PrivateDevices = "true";
+ };
+ };
+ };
+}
diff --git a/pkgs/nodeinfo/nodeinfo.sh b/pkgs/nodeinfo/nodeinfo.sh
index c490901..62529fa 100644
--- a/pkgs/nodeinfo/nodeinfo.sh
+++ b/pkgs/nodeinfo/nodeinfo.sh
@@ -1,9 +1,9 @@
 set -e
 set -o pipefail
-BITCOIND_ONION="$(cat /var/lib/tor/onion/bitcoind/hostname)"
+BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"
 CLIGHTNING_NODEID=$(sudo -u clightning lightning-cli --lightning-dir=/var/lib/clightning getinfo | jq -r '.id')
-CLIGHTNING_ONION="$(cat /var/lib/tor/onion/clightning/hostname)"
+CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"
 CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
 echo BITCOIND_ONION="$BITCOIND_ONION"
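Review bot: In the copy loop of onion-chef.sh, root runs `cp $ONION_FILE ${user}/${onion}` and `chown ${user} ${user}/${onion}` inside a directory that the preceding `chown ${user} ${user}` has just handed to that unprivileged user, so on every run root writes through a path whose entries the user controls and follows whatever the user has placed there; a service whose purpose is to confine operators should not have root write into user-owned directories. Keep the per-user directory root-owned with traverse-only rights for others, `mkdir -p -m 0711 ${user}` with the `chown ${user} ${user}` line dropped, and create each file with its final owner and mode in one step, `install -m 0400 -o ${user} "$ONION_FILE" ${user}/${onion}`; nodeinfo.sh only ever `cat`s known names, which 0711 permits. Separately, `access` is declared as `types.attrs`, so user and onion names are spliced unquoted into a root shell script with no shape check at all; `types.attrsOf (types.listOf types.str)` would at least reject malformed values at evaluation time. The `until ls -l /var/lib/tor/state` loop is also unbounded, which is only a liveness concern but worth a comment.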
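Review bot: The new `cat /var/lib/onion-chef/operator/bitcoind` and `.../clightning` reads abort the whole script under the `set -e` on line 1 whenever the file is missing, which is now an ordinary state rather than a misconfiguration: the onion-chef unit populates `/var/lib/onion-chef` only after its wait for `/var/lib/tor/state` completes, and the file never exists when `services.onion-chef.enable` is off or the operator is not listed in `access`. A guard before the first read, `[ -d /var/lib/onion-chef/operator ] || { echo "onion-chef has not populated /var/lib/onion-chef/operator" >&2; exit 1; }`, turns an opaque `cat: No such file or directory` into an actionable message. The hard-coded `operator` path also couples this script to the access list in modules/nix-bitcoin.nix; naming it once, `ONION_DIR=/var/lib/onion-chef/operator`, keeps that coupling in one place. The rest of the script continues in the next hunk.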
@@ -11,31 +11,31 @@ echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
 echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
 echo CLIGHTNING_ID="$CLIGHTNING_ID"
-NGINX_ONION_FILE=/var/lib/tor/onion/nginx/hostname
+NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx
 if [ -e "$NGINX_ONION_FILE" ]; then
 NGINX_ONION="$(cat $NGINX_ONION_FILE)"
 echo NGINX_ONION="$NGINX_ONION"
 fi
-LIQUIDD_ONION_FILE=/var/lib/tor/onion/liquidd/hostname
+LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd
 if [ -e "$LIQUIDD_ONION_FILE" ]; then
 LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
 echo LIQUIDD_ONION="$LIQUIDD_ONION"
 fi
-SPARKWALLET_ONION_FILE=/var/lib/tor/onion/spark-wallet/hostname
+SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet
 if [ -e "$SPARKWALLET_ONION_FILE" ]; then
 SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
 echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
 fi
-ELECTRS_ONION_FILE=/var/lib/tor/onion/electrs/hostname
+ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs
 if [ -e "$ELECTRS_ONION_FILE" ]; then
 ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
 echo ELECTRS_ONION="$ELECTRS_ONION"
 fi
-SSHD_ONION_FILE=/var/lib/tor/onion/sshd/hostname
+SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd
 if [ -e "$SSHD_ONION_FILE" ]; then
 SSHD_ONION="$(cat $SSHD_ONION_FILE)"
 echo SSHD_ONION="$SSHD_ONION"