nodeinfo: Convert to module and allow alternative operator username

currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-03 16:42:53 +02:00 · 2020-05-03 16:42:53 +02:00 · 5d01ea7101
commit 5d01ea7101
parent 95d230d1d6
7 changed files with 86 additions and 75 deletions
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -5,12 +5,18 @@ with lib;
 let
  cfg = config.services;

+  operatorName = config.nix-bitcoin.operatorName;
+
  mkHiddenService = map: {
    map = [ map ];
    version = 3;
  };
 in {
-  imports = [ ../modules.nix ];
+  imports = [
+    ../modules.nix
+    ../nodeinfo.nix
+    ../nix-bitcoin-webindex.nix
+  ];

  options = {
    services.clightning.onionport = mkOption {
@ -18,12 +24,16 @@ in {
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };
-
    services.electrs.onionport = mkOption {
      type = types.ints.u16;
      default = 50002;
      description = "Port on which to listen for tor client connections.";
    };
+    nix-bitcoin.operatorName = mkOption {
+      type = types.str;
+      default = "operator";
+      description = "Less-privileged user's name.";
+    };
  };

  config =  {
@ -111,11 +121,10 @@ in {
      tor
      jq
      qrencode
-      nix-bitcoin.nodeinfo
    ];

-    # Create user 'operator' which can access the node's services
-    users.users.operator = {
+    # Create operator user which can access the node's services
+    users.users.${operatorName} = {
      isNormalUser = true;
      extraGroups = [
          "systemd-journal"
@ -130,18 +139,18 @@ in {
    };
    # Give operator access to onion hostnames
    services.onion-chef.enable = true;
-    services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
+    services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

    security.sudo.configFile =
     (optionalString cfg.lnd.enable ''
-       operator    ALL=(lnd) NOPASSWD: ALL
+       ${operatorName}    ALL=(lnd) NOPASSWD: ALL
     '');

    # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
    systemd.services.get-vbox-nixops-client-key =
      mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
        postStart = ''
-          cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.operator.home}"
+          cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
        '';
      };
  };