greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f3121892ef
nix-bitcoin/modules/electrs.nix
Erik Arvstedt c4cf323873
electrs: add option 'extraArgs' 
Electrs allows defining settings multiple times via cmdline args, but
not via config files.
So 'extraArgs' is the only way to implement overridable settings,
'extraOptions' wouldn't work.
2020-03-04 18:09:52 +01:00

159 lines
4.5 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.electrs;
inherit (config) nix-bitcoin-services;
secretsDir = config.nix-bitcoin.secretsDir;
in {
imports = [
(mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
];
options.services.electrs = {
enable = mkEnableOption "electrs";
dataDir = mkOption {
type = types.path;
default = "/var/lib/electrs";
description = "The data directory for electrs.";
};
user = mkOption {
type = types.str;
default = "electrs";
description = "The user as which to run electrs.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = "The group as which to run electrs.";
};
high-memory = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the electrs service will sync faster on high-memory systems ( 8GB).
'';
};
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = "RPC listening address.";
};
port = mkOption {
type = types.ints.u16;
default = 50001;
description = "RPC port.";
};
onionport = mkOption {
type = types.ints.u16;
default = 50002;
description = "Port on which to listen for tor client connections.";
};
extraArgs = mkOption {
type = types.separatedString " ";
default = "";
description = "Extra command line arguments passed to electrs.";
};
TLSProxy = {
enable = mkEnableOption "Nginx TLS proxy";
port = mkOption {
type = types.ints.u16;
default = 50003;
description = "Port on which to listen for TLS client connections.";
};
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable (mkMerge [{
systemd.services.electrs = {
description = "Electrs Electrum Server";
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ];
preStart = ''
mkdir -m 0770 -p ${cfg.dataDir}
chown -R '${cfg.user}:${cfg.group}' ${cfg.dataDir}
echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
> electrs.toml
'';
serviceConfig = {
RuntimeDirectory = "electrs";
RuntimeDirectoryMode = "700";
WorkingDirectory = "/run/electrs";
PermissionsStartOnly = "true";
ExecStart = ''
${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
${optionalString (!cfg.high-memory) "--jsonrpc-import --index-batch-size=10"} \
--db-dir '${cfg.dataDir}' --daemon-dir '${config.services.bitcoind.dataDir}' \
--electrum-rpc-addr=${toString cfg.address}:${toString cfg.port} ${cfg.extraArgs}
'';
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
users.users.${cfg.user} = {
description = "electrs User";
group = cfg.group;
extraGroups = [ "bitcoinrpc" "bitcoin"];
home = cfg.dataDir;
};
users.groups.${cfg.group} = {};
}
(mkIf cfg.TLSProxy.enable {
services.nginx = {
enable = true;
appendConfig = let
address =
if cfg.address == "0.0.0.0" then
"127.0.0.1"
else if cfg.address == "::" then
"::1"
else
cfg.address;
in ''
stream {
upstream electrs {
server ${address}:${toString cfg.port};
}
server {
listen ${toString cfg.TLSProxy.port} ssl;
proxy_pass electrs;
ssl_certificate ${secretsDir}/nginx-cert;
ssl_certificate_key ${secretsDir}/nginx-key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
}
}
'';
};
systemd.services = {
electrs.wants = [ "nginx.service" ];
nginx = {
requires = [ "nix-bitcoin-secrets.target" ];
after = [ "nix-bitcoin-secrets.target" ];
};
};
nix-bitcoin.secrets = rec {
nginx-key = {
user = "nginx";
group = "root";
};
nginx-cert = nginx-key;
};
})
]);
}
Reference in New Issue View Git Blame Copy Permalink