Merge #481: services: set systemd list options as list values

jonasnick · jonasnick · commit 24c3d68eee68 · 2022-05-07T19:59:34.000Z
e6bb281 services: set systemd list options as list values (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK e6bb281 Tree-SHA512: 1d2fa23de5903d32b5c0c64e362c0b21b566653dced1894c95409aed45f0a9d3a95cf1346482f0aa53da035907a12af199107b254acad820b44b87d3e88a37f7
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
@@ -423,7 +423,7 @@ in {
         ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
         UMask = mkIf cfg.dataDirReadableByGroup "0027";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
     };
@@ -449,7 +449,7 @@ in {
       serviceConfig = nbLib.defaultHardening // {
         User = cfg.user;
         Group = cfg.group;
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowLocalIPAddresses;
     };
 
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
@@ -192,7 +192,7 @@ in {
         User = cfg.nbxplorer.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.nbxplorer.dataDir;
+        ReadWritePaths = [ cfg.nbxplorer.dataDir ];
         MemoryDenyWriteExecute = "false";
       } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
     };
@@ -245,7 +245,7 @@ in {
         User = cfg.btcpayserver.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.btcpayserver.dataDir;
+        ReadWritePaths = [ cfg.btcpayserver.dataDir ];
         MemoryDenyWriteExecute = "false";
       } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
     }; in self;
diff --git a/modules/clightning-rest.nix b/modules/clightning-rest.nix
@@ -96,7 +96,7 @@ in {
         User = clightning.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // nbLib.nodejs;
     };
diff --git a/modules/clightning.nix b/modules/clightning.nix
@@ -148,7 +148,7 @@ in {
         User = cfg.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
       # Wait until the rpc socket appears
       postStart = ''
diff --git a/modules/electrs.nix b/modules/electrs.nix
@@ -92,7 +92,7 @@ in {
         Group = cfg.group;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
     };
 
diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
@@ -328,7 +328,7 @@ in {
         User = cfg.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
     };
 
@@ -368,7 +368,7 @@ in {
         # because it provides the wallet password via stdin to the main process
         SyslogIdentifier = "joinmarket-yieldgenerator";
         User = cfg.user;
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowTor;
     };
   })
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
@@ -106,7 +106,7 @@ in {
         User = lnd.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
     };
 
diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix
@@ -103,7 +103,7 @@ in {
         User = "lnd";
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // (nbLib.allowedIPAddresses cfg.tor.enforce)
         // nbLib.allowNetlink; # required by gRPC-Go
     };
diff --git a/modules/liquid.nix b/modules/liquid.nix
@@ -274,7 +274,7 @@ in {
         TimeoutStopSec = "10min";
         ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
     };
 
diff --git a/modules/lnd.nix b/modules/lnd.nix
@@ -232,7 +232,7 @@ in {
         TimeoutSec = "15min";
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
         ExecStartPost = let
           curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
           restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
diff --git a/modules/rtl.nix b/modules/rtl.nix
@@ -185,7 +185,7 @@ in {
         User = cfg.user;
         Restart = "on-failure";
         RestartSec = "10s";
-        ReadWritePaths = cfg.dataDir;
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // nbLib.nodejs;
     };
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
@@ -46,7 +46,11 @@ let self = {
 
   # Allow takes precedence over Deny.
   allowLocalIPAddresses = {
-    IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
+    IPAddressAllow = [
+      "127.0.0.1/32"
+      "::1/128"
+      "169.254.0.0/16"
+    ];
   };
   allowAllIPAddresses = { IPAddressAllow = "any"; };
   allowTor = self.allowLocalIPAddresses;
