diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index fe8e9d34..4340e7f4 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -385,13 +385,13 @@ in {
 users.groups.bitcoinrpc = {};
 nix-bitcoin.operator.groups = [ cfg.group ];
- nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
+ nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user;
 nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
- user = "bitcoin";
+ user = cfg.user;
 group = "bitcoinrpc";
 };
- nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = "bitcoin";
- nix-bitcoin.secrets.bitcoin-HMAC-public.user = "bitcoin";
+ nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = cfg.user;
+ nix-bitcoin.secrets.bitcoin-HMAC-public.user = cfg.user;
 };
 }
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index a65b8fa2..a4257772 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -218,7 +218,7 @@ in {
 users.groups.${cfg.nbxplorer.group} = {};
 users.users.${cfg.btcpayserver.user} = {
 group = cfg.btcpayserver.group;
- extraGroups = [ "nbxplorer" ]
+ extraGroups = [ cfg.nbxplorer.group ]
 ++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
 home = cfg.btcpayserver.dataDir;
 };
@@ -226,10 +226,10 @@ in {
 nix-bitcoin.secrets = {
 bitcoin-rpcpassword-btcpayserver = {
- user = "bitcoin";
- group = "nbxplorer";
+ user = cfg.bitcoind.user;
+ group = cfg.nbxplorer.group;
 };
- bitcoin-HMAC-btcpayserver.user = "bitcoin";
+ bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
 };
 };
 }
diff --git a/modules/electrs.nix b/modules/electrs.nix
index f11dc763..7c7956a0 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -110,7 +110,7 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
+ extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.user ];
 };
 users.groups.${cfg.group} = {};
 };
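Review bot: The rpc group stays a literal `"bitcoinrpc"` in this hunk (`users.groups.bitcoinrpc = {};` and the `group` of `bitcoin-rpcpassword-public`) while every `.user` now follows `cfg.user`, and nothing records that the asymmetry is deliberate. Other modules in this same patch depend on the literal name: electrs.nix and lnd.nix put their service users into `"bitcoinrpc"` via `extraGroups`, so a later change that makes the group configurable here would silently detach those grants. I would add `# The rpc group name is intentionally fixed: electrs.nix and lnd.nix reference "bitcoinrpc" by name.` above `users.groups.bitcoinrpc = {};`.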
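Review bot: The unchanged line directly below the new `extraGroups = [ cfg.nbxplorer.group ]` still uses `cfg.clightning.user` as a group name for the clightning backend, whereas recurring-donations.nix and spark-wallet.nix in this same patch switch to `config.services.clightning.group`. If clightning's `group` option is ever set to something other than its `user`, the btcpayserver user lands in the wrong (or a nonexistent) group and loses access to the lightning backend, and it is this kind of user/group split that the patch is introducing. Change it to `++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.group;`.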
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
index 3c84713e..c0ddc9b2 100644
--- a/modules/lightning-loop.nix
+++ b/modules/lightning-loop.nix
@@ -89,7 +89,7 @@ in {
 environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
 systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' 0770 lnd lnd - -"
+ "d '${cfg.dataDir}' 0770 ${config.services.lnd.user} ${config.services.lnd.group} - -"
 ];
 systemd.services.lightning-loop = {
@@ -98,7 +98,7 @@ in {
 after = [ "lnd.service" ];
 serviceConfig = nbLib.defaultHardening // {
 ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
- User = "lnd";
+ User = config.services.lnd.user;
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
@@ -108,8 +108,8 @@ in {
 };
 nix-bitcoin.secrets = {
- loop-key.user = "lnd";
- loop-cert.user = "lnd";
+ loop-key.user = config.services.lnd.user;
+ loop-cert.user = config.services.lnd.user;
 };
 };
 }
diff --git a/modules/liquid.nix b/modules/liquid.nix
index a5ee67e0..de4931da 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -252,6 +252,6 @@ in {
 users.groups.${cfg.group} = {};
 nix-bitcoin.operator.groups = [ cfg.group ];
- nix-bitcoin.secrets.liquid-rpcpassword.user = "liquid";
+ nix-bitcoin.secrets.liquid-rpcpassword.user = cfg.user;
 };
 }
diff --git a/modules/lnd-rest-onion-service.nix b/modules/lnd-rest-onion-service.nix
index 9af27c0d..31415f33 100644
--- a/modules/lnd-rest-onion-service.nix
+++ b/modules/lnd-rest-onion-service.nix
@@ -11,7 +11,7 @@ let
 lnd = config.services.lnd;
 bin = pkgs.writeScriptBin "lndconnect-rest-onion" ''
- #!/usr/bin/env -S ${runAsUser} lnd ${pkgs.bash}/bin/bash
+ #!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash
 exec ${cfg.package}/bin/lndconnect \
 --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \
diff --git a/modules/lnd.nix b/modules/lnd.nix
index e051a299..ec8f33d2 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
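Review bot: The `--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest)` line two lines below the edited shebang still hard-codes `lnd` as a path component, while the shebang now runs the script as `${lnd.user}`. It is not visible here whether that `lnd/` directory is keyed on the access user's name or is a fixed name; if it is the user name, a non-default `services.lnd.user` makes this script read a path that onion-addresses.nix writes under a different name, and the line should become `--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${lnd.user}/lnd-rest) \`. Either way a one-line comment stating what the `lnd/` component is keyed on would let the next reader decide. The `bin` script continues past the end of the hunk.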
@@ -124,7 +124,7 @@ in {
 default = pkgs.writeScriptBin "lncli"
 # Switch user because lnd makes datadir contents readable by user only
 ''
- ${runAsUser} lnd ${cfg.package}/bin/lncli \
+ ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
 --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
 --tlscertpath '${secretsDir}/lnd-cert' \
 --macaroonpath '${networkDir}/admin.macaroon' "$@"
@@ -139,6 +139,16 @@ in {
 If left empty, no address is announced.
 '';
 };
+ user = mkOption {
+ type = types.str;
+ default = "lnd";
+ description = "The user as which to run LND.";
+ };
+ group = mkOption {
+ type = types.str;
+ default = cfg.user;
+ description = "The group as which to run LND.";
+ };
 inherit (nbLib) enforceTor;
 };
@@ -163,7 +173,7 @@ in {
 environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
 systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' 0770 lnd lnd - -"
+ "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
 ];
 systemd.services.lnd = {
@@ -183,7 +193,7 @@ in {
 RuntimeDirectory = "lnd"; # Only used to store custom macaroons
 RuntimeDirectoryMode = "711";
 ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
- User = "lnd";
+ User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
@@ -206,7 +216,7 @@ in {
 --cacert ${secretsDir}/lnd-cert \
 -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
 fi
- chown lnd: "$mnemonic"
+ chown ${cfg.user}: "$mnemonic"
 '')
 (nbLib.script "lnd-create-wallet" ''
 if [[ ! -f ${networkDir}/wallet.db ]]; then
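Review bot: The descriptions of the new `user` and `group` options say nothing about what membership in `group` grants, although the hunk at 163/173 below sets `dataDir` to `0770 ${cfg.user} ${cfg.group}` and the later hunk in this file adds the nix-bitcoin operator user to `cfg.group` and creates the group with `users.groups.${cfg.group} = {}`. That directory is where the `lncli` wrapper above points for `admin.macaroon` and where the wallet is created (assuming `networkDir` sits below `dataDir`, which is not visible here), so the group is effectively a wallet-access grant. I would make the `group` description explicit: `"The group as which to run LND. Members of this group get read/write access to dataDir (0770), and the nix-bitcoin operator user is added to it; setting it to a pre-existing system group extends that access to the group's current members."`.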
@@ -263,21 +273,21 @@ in {
 ) // nbLib.allowAnyProtocol; # For ZMQ
 };
- users.users.lnd = {
- group = "lnd";
+ users.users.${cfg.user} = {
+ group = cfg.group;
 extraGroups = [ "bitcoinrpc" ];
 home = cfg.dataDir; # lnd creates .lnd dir in HOME
 };
- users.groups.lnd = {};
+ users.groups.${cfg.group} = {};
 nix-bitcoin.operator = {
- groups = [ "lnd" ];
- allowRunAsUsers = [ "lnd" ];
+ groups = [ cfg.group ];
+ allowRunAsUsers = [ cfg.user ];
 };
 nix-bitcoin.secrets = {
- lnd-wallet-password.user = "lnd";
- lnd-key.user = "lnd";
- lnd-cert.user = "lnd";
+ lnd-wallet-password.user = cfg.user;
+ lnd-key.user = cfg.user;
+ lnd-cert.user = cfg.user;
 lnd-cert.permissions = "0444"; # world readable
 };
 };
diff --git a/modules/onion-addresses.nix b/modules/onion-addresses.nix
index 64cda594..e3872a94 100644
--- a/modules/onion-addresses.nix
+++ b/modules/onion-addresses.nix
@@ -84,7 +84,7 @@ in {
 ${concatMapStrings (service: ''
 onionFile=/var/lib/tor/onion/${service}/hostname
 if [[ -e $onionFile ]]; then
- install -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile ${service}
+ install -D -o ${config.systemd.services.${service}.serviceConfig.User} -m 400 $onionFile services/${service}
 fi
 '') cfg.services}
 '';
diff --git a/modules/onion-services.nix b/modules/onion-services.nix
index 288e673c..a250c0bb 100644
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@@ -94,7 +94,7 @@ in {
 in srv.public && srv.enable
 ) services;
 in genAttrs publicServices' (service: {
- getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}";
+ getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/services/${service}";
 });
 }
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index d4351d22..9386cc28 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
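Review bot: The new `install -D` creates the `services/` parent directory implicitly, with a mode derived from the umask rather than one chosen here, whereas each hostname file gets an explicit `-m 400` owned by the service user. The directory mode only decides whether other local users can list which services have onion addresses (the contents stay 0400), but if the onion-addresses dataDir is meant to be private that is still a leak, and an implicit mode is easy to miss in review. Creating the directory explicitly once before the per-service loop, e.g. `install -d -m 750 services` with the owner the surrounding script uses for dataDir (not visible in this hunk), pins the permission down and also makes `-D` unnecessary. The script that sets the working directory for these relative paths lies outside the hunk.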
@@ -100,7 +100,7 @@ in {
 users.users.recurring-donations = {
 group = "recurring-donations";
- extraGroups = [ "clightning" ];
+ extraGroups = [ config.services.clightning.group ];
 };
 users.groups.recurring-donations = {};
 };
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 419cb3c7..8ffdc21f 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -48,17 +48,27 @@ in {
 encodes an URL for accessing the web interface.
 '';
 };
+ user = mkOption {
+ type = types.str;
+ default = "spark-wallet";
+ description = "The user as which to run spark-wallet.";
+ };
+ group = mkOption {
+ type = types.str;
+ default = cfg.user;
+ description = "The group as which to run spark-wallet.";
+ };
 inherit (nbLib) enforceTor;
 };
 config = mkIf cfg.enable {
 services.clightning.enable = true;
- users.users.spark-wallet = {
- group = "spark-wallet";
- extraGroups = [ "clightning" ];
+ users.users.${cfg.user} = {
+ group = cfg.group;
+ extraGroups = [ config.services.clightning.group ];
 };
- users.groups.spark-wallet = {};
+ users.groups.${cfg.group} = {};
 systemd.services.spark-wallet = {
 wantedBy = [ "multi-user.target" ];
@@ -66,7 +76,7 @@ in {
 after = [ "clightning.service" ];
 script = startScript;
 serviceConfig = nbLib.defaultHardening // {
- User = "spark-wallet";
+ User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
 } // (if cfg.enforceTor
@@ -74,6 +84,6 @@ in {
 else nbLib.allowAnyIP) // nbLib.nodejs;
 };
- nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";
+ nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
 };
 }