Give operator access to onion hostnames through new onion-manager module

2019-03-29 14:46:13 +00:00 · 2019-03-29 14:46:13 +00:00 · aba1b7dfc2
commit aba1b7dfc2
parent 9201af2342
3 changed files with 99 additions and 8 deletions
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
@ -42,6 +42,7 @@ in {
    ./liquid.nix
    ./spark-wallet.nix
    ./electrs.nix
+    ./onion-chef.nix
  ];

  options.services.nix-bitcoin = {
@ -121,8 +122,11 @@ in {
      isNormalUser = true;
      extraGroups = [ "clightning" config.services.bitcoind.group ]
        ++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ]);
-
    };
+    # Give operator access to onion hostnames
+    services.onion-chef.enable = true;
+    services.onion-chef.access.operator = [ "bitcoind" "clightning" "ngninx" "liquidd" "spark-wallet" "electrs" "sshd" ];
+
    environment.interactiveShellInit = ''
      alias bitcoin-cli='bitcoin-cli -datadir=${config.services.bitcoind.dataDir}'
      alias lightning-cli='sudo -u clightning lightning-cli --lightning-dir=${config.services.clightning.dataDir}'
--- a/modules/onion-chef.nix
+++ b/modules/onion-chef.nix
@ -0,0 +1,87 @@
+# The onion chef module allows unprivileged users to read onion hostnames.
+# By default the onion hostnames in /var/lib/tor/onion are only readable by the
+# tor user. The onion chef copies the onion hostnames into into
+# /var/lib/onion-chef and sets permissions according to the access option.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.onion-chef;
+  dataDir = "/var/lib/onion-chef/";
+  onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
+    # wait until tor is up
+    until ls -l /var/lib/tor/state; do sleep 1; done
+
+    mkdir -p -m 0755 ${dataDir}
+    cd ${dataDir}
+
+    # Create directory for every user and set permissions
+    ${ builtins.foldl'
+      (x: user: x +
+        ''
+        mkdir -p -m 0700 ${user}
+        chown ${user} ${user}
+          # Copy onion hostnames into the user's directory
+          ${ builtins.foldl'
+            (x: onion: x +
+              ''
+              ONION_FILE=/var/lib/tor/onion/${onion}/hostname
+              if [ -e "$ONION_FILE" ]; then
+                cp $ONION_FILE ${user}/${onion}
+                chown ${user} ${user}/${onion}
+              fi
+              '')
+            ""
+            (builtins.getAttr user cfg.access)
+          }
+        '')
+      ""
+      (builtins.attrNames cfg.access)
+    }
+  '';
+in {
+  options.services.onion-chef = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        If enabled, the onion-chef service will be installed.
+      '';
+    };
+    access = mkOption {
+      type = types.attrs;
+      default = {};
+      description = ''
+        This option controls who is allowed to access onion hostnames.  For
+        example the following allows the user operator to access the bitcoind
+        and clightning onion.
+        {
+          "operator" = [ "bitcoind" "clightning" ];
+        };
+        The onion hostnames can then be read from
+        /var/lib/onion-chef/<user>.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.onion-chef = {
+      description = "Run onion-chef";
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "tor.service" ];
+      partOf = [ "tor.service" ];
+      after = [ "tor.service" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
+        User = "root";
+        Type = "oneshot";
+        PrivateTmp = "true";
+        ProtectSystem = "full";
+        NoNewPrivileges = "true";
+        PrivateDevices = "true";
+      };
+    };
+  };
+}