
lightning-charge: Run under lightning-charge user
It has been possible to set JSON-RPC socket permissions since
ElementsProject/lightning#3437.
This commit makes the clightning JSON-RPC socket group readable and
writeable, runs lightning-charge under its own user with clightning
membership, and removes related warnings.

I haven't figured out a good way to migrate an existing
lightning-charge.db to the right ownership and permissions.

I thought about removing the lightning-cli option, but I think it is actually not a good idea to run lightning-cli as another user anyway; I would like feedback on this.
nixbitcoin committed May 3, 2020
1 parent 24253c6 commit 4bdeb60
Showing 6 changed files with 300 additions and 674 deletions.
5 changes: 3 additions & 2 deletions modules/clightning.nix
Expand Up @@ -13,6 +13,7 @@ let
always-use-proxy=${if cfg.always-use-proxy then "true" else "false"}
${optionalString (cfg.bind-addr != null) "bind-addr=${cfg.bind-addr}"}
bitcoin-rpcuser=${cfg.bitcoin-rpcuser}
rpc-file-mode=0660
'';
in {
options.services.clightning = {
Expand Down Expand Up @@ -61,8 +62,6 @@ in {
cli = mkOption {
readOnly = true;
default = pkgs.writeScriptBin "lightning-cli"
# Switch user because c-lightning doesn't allow setting the permissions of the rpc socket
# https://github.com/ElementsProject/lightning/issues/1366
''
exec sudo -u clightning ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"
'';
Expand All @@ -89,6 +88,8 @@ in {
mkdir -m 0770 -p ${cfg.dataDir}
cp ${configFile} ${cfg.dataDir}/config
chown -R 'clightning:clightning' '${cfg.dataDir}'
# give group access to allow using clightning group processes
chmod g+X ${cfg.dataDir}/bitcoin
# give group read access to allow using lightning-cli
chmod u=rw,g=r,o= ${cfg.dataDir}/config
# The RPC socket has to be removed otherwise we might have stale sockets
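Review bot: `chmod g+X ${cfg.dataDir}/bitcoin` combined with `rpc-file-mode=0660` makes clightning group membership equivalent to full control of the node — any process that can reach the socket can issue every RPC, including the ones that move funds — and, if this is the usual c-lightning layout, the same network directory also holds the key material (hsm_secret) and the wallet database, so group traverse there is only safe while those files stay group-inaccessible. The preStart chmod touches the directory alone, so the file modes are whatever lightningd created them with; I would state that assumption on the `g+X` line, e.g. `# Group traverse is needed to reach the RPC socket; files in here (hsm_secret!) must stay 0400/0600, since clightning group membership now grants unrestricted RPC access`, and enforce it on restart with `[ -e ${cfg.dataDir}/bitcoin/hsm_secret ] && chmod 0400 ${cfg.dataDir}/bitcoin/hsm_secret` (first start has nothing to fix yet). Separately, the `exec sudo -u clightning` wrapper in the earlier hunk lost its only explanatory comment; a one-liner such as `# Still switches user so lightning-cli works for callers outside the clightning group` would keep the intent visible. The preStart script continues past this hunk.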
19 changes: 14 additions & 5 deletions modules/lightning-charge.nix
Expand Up @@ -24,25 +24,34 @@ in {
};

config = mkIf cfg.enable {
users.users.lightning-charge = {
description = "lightning-charge User";
group = "lightning-charge";
extraGroups = [ "clightning" ];
};
users.groups.lightning-charge = {};

environment.systemPackages = [ pkgs.nix-bitcoin.lightning-charge ];
systemd.services.lightning-charge = {
description = "Run lightning-charge";
wantedBy = [ "multi-user.target" ];
requires = [ "clightning.service" ];
after = [ "clightning.service" ];
preStart = ''
chown ${config.users.users.lightning-charge.name}:${config.users.users.lightning-charge.group} ${config.services.clightning.dataDir}/lightning-charge.db
'';
serviceConfig = {
PermissionsStartOnly = "true";
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${config.services.clightning.dataDir}/lightning-charge.db";
# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
# so this must run as the clightning user
# https://github.com/ElementsProject/lightning/issues/1366
User = "clightning";
User = "lightning-charge";
Group = "clightning";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
nix-bitcoin.secrets.lightning-charge-env.user = "clightning";
nix-bitcoin.secrets.lightning-charge-env.user = "lightning-charge";
};
}
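Review bot: The preStart `chown … lightning-charge.db` is unconditional, but on a fresh node the database does not exist until charged creates it, so chown fails with "No such file or directory" and, since NixOS runs preStart under a shell with `-e` as far as I recall, the unit never reaches ExecStart. Guard it, e.g. `[ ! -e ${config.services.clightning.dataDir}/lightning-charge.db ] || chown ${config.users.users.lightning-charge.name}:${config.users.users.lightning-charge.group} ${config.services.clightning.dataDir}/lightning-charge.db`, and say what it is for: `# Migrate a lightning-charge.db created while charged still ran as the clightning user`. The new `User`/`Group` lines replaced the comment that explained the previous choice without explaining the new one; `Group = "clightning"` is what grants access to the 0660 RPC socket and deserves `# clightning as primary group: the RPC socket is 0660 clightning:clightning`, together with a reminder that this group membership gives charged unrestricted RPC (spend) access. `PermissionsStartOnly` has been deprecated by systemd in favour of `ExecStartPre = "+…"`, though NixOS still accepts it, so this is optional.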
2 changes: 0 additions & 2 deletions modules/presets/secure-node.nix
Expand Up @@ -132,8 +132,6 @@ in {
services.onion-chef.enable = true;
services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
# https://github.com/ElementsProject/lightning/issues/1366
security.sudo.configFile =
(optionalString cfg.clightning.enable ''
operator ALL=(clightning) NOPASSWD: ALL
