jacobpascual/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

services: add helper fn setAllowedIPAddresses

Browse Source 
Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist
which doesn't use Tor.
This commit is contained in:
Erik Arvstedt
2021-03-22 13:19:45 +01:00
parent cdf27d9d0c
commit 020433cec6
11 changed files with 22 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/bitcoind.nix
View File

@@ -357,9 +357,7 @@ in {
Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP)
} // nbLib.allowedIPAddresses cfg.enforceTor
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
};
@@ -385,7 +383,7 @@ in {
User = cfg.user;
Group = cfg.group;
ReadWritePaths = cfg.dataDir;
} // nbLib.allowTor;
} // nbLib.allowLocalIPAddresses;
};
users.users.${cfg.user}.group = cfg.group;

10
modules/btcpayserver.nix
View File

@@ -155,10 +155,7 @@ in {
RestartSec = "10s";
ReadWritePaths = cfg.nbxplorer.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.nbxplorer.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.nbxplorer.enforceTor;
};
systemd.services.btcpayserver = let
@@ -204,10 +201,7 @@ in {
RestartSec = "10s";
ReadWritePaths = cfg.btcpayserver.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.btcpayserver.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.btcpayserver.enforceTor;
}; in self;
users.users.${cfg.nbxplorer.user} = {

5
modules/clightning.nix
View File

@@ -128,10 +128,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.enforceTor;
# Wait until the rpc socket appears
postStart = ''
while [[ ! -e ${cfg.networkDir}/lightning-rpc ]]; do

5
modules/electrs.nix
View File

@@ -102,10 +102,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${bitcoind.dataDir}" else ""}";
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
users.users.${cfg.user} = {

4
modules/lightning-loop.nix
View File

@@ -102,9 +102,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
nix-bitcoin.secrets = {

4
modules/lightning-pool.nix
View File

@@ -100,9 +100,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP);
} // (nbLib.allowedIPAddresses cfg.enforceTor);
};
};
}

5
modules/liquid.nix
View File

@@ -239,10 +239,7 @@ in {
PIDFile = pidFile;
Restart = "on-failure";
ReadWritePaths = cfg.dataDir;
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
users.users.${cfg.user} = {

6
modules/lnd.nix
View File

@@ -262,10 +262,8 @@ in {
'') (attrNames cfg.macaroons)}
'')
];
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP
) // nbLib.allowAnyProtocol; # For ZMQ
} // nbLib.allowedIPAddresses cfg.enforceTor
// nbLib.allowAnyProtocol; # For ZMQ
};
users.users.${cfg.user} = {

4
modules/recurring-donations.nix
View File

@@ -83,9 +83,7 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
User = "recurring-donations";
Type = "oneshot";
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP);
} // nbLib.allowedIPAddresses cfg.enforceTor;
};
systemd.timers.recurring-donations = {
requires = [ "clightning.service" ];

4
modules/spark-wallet.nix
View File

@@ -79,9 +79,7 @@ in {
User = cfg.user;
Restart = "on-failure";
RestartSec = "10s";
} // (if cfg.enforceTor
then nbLib.allowTor
else nbLib.allowAnyIP)
} // nbLib.allowedIPAddresses cfg.enforceTor
// nbLib.nodejs;
};
nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;