nixos/monero: add an option to use ip ban-list (#412522)

2025-06-09 19:13:26 +03:00 · 2025-06-02 09:17:36 +02:00 · 2025-06-02 09:17:36 +02:00 · 0e0842c978
commit 0e0842c978
parent a9e8939335 1ffc904284
1 changed files with 22 additions and 1 deletions
--- a/nixos/modules/services/networking/monero.nix
+++ b/nixos/modules/services/networking/monero.nix
@ -32,6 +32,10 @@ let
        restricted-rpc=1
      ''}

+      ${lib.optionalString (banlist != null) ''
+        ban-list=${banlist}
+      ''}
+
      limit-rate-up=${toString limits.upload}
      limit-rate-down=${toString limits.download}
      max-concurrency=${toString limits.threads}
@ -64,6 +68,23 @@ in
        '';
      };

+      banlist = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = ''
+          Path to a text file containing IPs to block.
+          Useful to prevent DDoS/deanonymization attacks.
+
+          https://github.com/monero-project/meta/issues/1124
+        '';
+        example = lib.literalExpression ''
+          builtins.fetchurl {
+            url = "https://raw.githubusercontent.com/rblaine95/monero-banlist/c6eb9413ddc777e7072d822f49923df0b2a94d88/block.txt";
+            hash = "";
+          };
+        '';
+      };
+
      mining.enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
@ -225,7 +246,7 @@ in
      serviceConfig = {
        User = "monero";
        Group = "monero";
-        ExecStart = "${pkgs.monero-cli}/bin/monerod --config-file=${configFile} --non-interactive";
+        ExecStart = "${lib.getExe' pkgs.monero-cli "monerod"} --config-file=${configFile} --non-interactive";
        Restart = "always";
        SuccessExitStatus = [
          0