servo: clightning: allow group members to run lightning-cli

2024-01-11 15:59:32 +00:00 · 2024-01-11 15:59:32 +00:00 · e2a43ddfa0
parent b2ba204ca1
commit e2a43ddfa0
3 changed files with 9 additions and 5 deletions
--- a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
@ -7,7 +7,6 @@
 #
 # management/setup/use:
 # - guide: <https://github.com/ElementsProject/lightning>
-# - `sudo -u clightning -g clightning lightning-cli help`
 #
 # debugging:
 # - `lightning-cli getlog debug`
@ -74,9 +73,12 @@
 { config, ... }:
 {
  sane.persist.sys.byStore.ext = [
-    { user = "clightning"; group = "clightning"; mode = "0700"; path = "/var/lib/clightning"; }
+    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; }
  ];

+  # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
+  sane.user.fs.".lightning".symlink.target = "/var/lib/clightning";
+
  # see bitcoin.nix for how to generate this
  services.bitcoind.mainnet.rpc.users.clightning.passwordHMAC =
    "befcb82d9821049164db5217beb85439$2c31ac7db3124612e43893ae13b9527dbe464ab2d992e814602e7cb07dc28985";
@ -118,7 +120,7 @@
  '';
  sane.services.clightning.extraConfigFiles = [ config.sops.secrets."lightning-config".path ];
  sops.secrets."lightning-config" = {
-    mode = "0600";
+    mode = "0640";
    owner = "clightning";
    group = "clightning";
  };
--- a/hosts/common/users/colin.nix
+++ b/hosts/common/users/colin.nix
@ -13,6 +13,7 @@
    ];
    group = "users";
    extraGroups = [
+      "clightning"  # servo, for clightning-cli
      "dialout"  # required for modem access (moby)
      "export"  # to read filesystem exports (servo)
      "feedbackd"  # moby, so `fbcli` can control vibrator and LEDs
--- a/modules/services/clightning.nix
+++ b/modules/services/clightning.nix
@ -203,7 +203,7 @@ in
            sleep 0.1
        done
        # Needed to enable lightning-cli for users with group 'clightning'
-        chmod g+x ${cfg.networkDir}
+        chmod g+rx ${cfg.networkDir}
      '';
    };

@ -218,7 +218,8 @@ in
    sane.fs."${cfg.dataDir}".dir.acl = {
      user = cfg.user;
      group = cfg.group;
-      mode = "0700";
+      # must be traversable by group, for `lightning-cli` to be usable by group members.
+      mode = "0710";
    };

    # ~/.lightning is needed only when interactively calling `lightning-cli` as the `clightning` user.