2018-11-22 16:46:56 -08:00
|
|
|
{ config, pkgs, lib, ... }:
|
2018-11-13 15:44:54 -08:00
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
2018-11-22 16:46:56 -08:00
|
|
|
cfg = config.services.bitcoind;
|
2019-11-27 05:04:23 -08:00
|
|
|
inherit (config) nix-bitcoin-services;
|
2020-06-22 05:10:54 -07:00
|
|
|
secretsDir = config.nix-bitcoin.secretsDir;
|
2020-04-07 14:05:02 -07:00
|
|
|
|
2018-11-13 16:33:34 -08:00
|
|
|
configFile = pkgs.writeText "bitcoin.conf" ''
|
2020-04-07 14:05:05 -07:00
|
|
|
# We're already logging via journald
|
|
|
|
nodebuglogfile=1
|
|
|
|
|
2020-10-16 08:42:57 -07:00
|
|
|
${optionalString cfg.regtest ''
|
|
|
|
regtest=1
|
|
|
|
[regtest]
|
|
|
|
''}
|
2018-11-22 16:46:56 -08:00
|
|
|
${optionalString (cfg.dbCache != null) "dbcache=${toString cfg.dbCache}"}
|
2020-07-28 07:16:22 -07:00
|
|
|
prune=${toString cfg.prune}
|
2019-03-21 03:27:28 -07:00
|
|
|
${optionalString (cfg.sysperms != null) "sysperms=${if cfg.sysperms then "1" else "0"}"}
|
|
|
|
${optionalString (cfg.disablewallet != null) "disablewallet=${if cfg.disablewallet then "1" else "0"}"}
|
2020-02-23 11:22:07 -08:00
|
|
|
${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
|
|
|
|
|
2018-11-22 16:46:56 -08:00
|
|
|
# Connection options
|
2021-01-14 04:24:01 -08:00
|
|
|
${optionalString cfg.listen "bind=${cfg.address}"}
|
|
|
|
port=${toString cfg.port}
|
2018-11-22 16:46:56 -08:00
|
|
|
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
|
|
|
listen=${if cfg.listen then "1" else "0"}
|
2020-02-23 11:22:07 -08:00
|
|
|
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
|
2020-02-25 14:00:27 -08:00
|
|
|
${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}
|
2020-02-23 11:22:07 -08:00
|
|
|
|
2018-11-22 16:46:56 -08:00
|
|
|
# RPC server options
|
2021-01-14 04:24:01 -08:00
|
|
|
rpcbind=${cfg.rpc.address}
|
2019-11-27 05:04:46 -08:00
|
|
|
rpcport=${toString cfg.rpc.port}
|
2021-01-14 04:24:01 -08:00
|
|
|
rpcconnect=${cfg.rpc.address}
|
2021-01-14 04:24:02 -08:00
|
|
|
${optionalString (cfg.rpc.threads != null) "rpcthreads=${toString cfg.rpc.threads}"}
|
2020-06-22 05:12:50 -07:00
|
|
|
rpcwhitelistdefault=0
|
2020-08-26 12:15:33 -07:00
|
|
|
${concatMapStrings (user: ''
|
|
|
|
${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${passwordHMAC}"}
|
|
|
|
${optionalString (user.rpcwhitelist != [])
|
|
|
|
"rpcwhitelist=${user.name}:${lib.strings.concatStringsSep "," user.rpcwhitelist}"}
|
|
|
|
'') (builtins.attrValues cfg.rpc.users)
|
2018-11-22 16:46:56 -08:00
|
|
|
}
|
2021-01-14 04:24:02 -08:00
|
|
|
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpc.allowip}
|
2018-11-22 16:46:56 -08:00
|
|
|
|
2020-02-23 11:22:07 -08:00
|
|
|
# Wallet options
|
|
|
|
${optionalString (cfg.addresstype != null) "addresstype=${cfg.addresstype}"}
|
|
|
|
|
2019-09-02 14:22:29 -07:00
|
|
|
# ZMQ options
|
|
|
|
${optionalString (cfg.zmqpubrawblock != null) "zmqpubrawblock=${cfg.zmqpubrawblock}"}
|
|
|
|
${optionalString (cfg.zmqpubrawtx != null) "zmqpubrawtx=${cfg.zmqpubrawtx}"}
|
|
|
|
|
2020-04-07 14:05:03 -07:00
|
|
|
# Extra options
|
2018-11-22 16:46:56 -08:00
|
|
|
${cfg.extraConfig}
|
|
|
|
'';
|
|
|
|
in {
|
|
|
|
options = {
|
|
|
|
services.bitcoind = {
|
|
|
|
enable = mkEnableOption "Bitcoin daemon";
|
2021-01-14 04:24:01 -08:00
|
|
|
address = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "127.0.0.1";
|
|
|
|
description = "Address to listen for peer connections.";
|
|
|
|
};
|
|
|
|
port = mkOption {
|
|
|
|
type = types.port;
|
|
|
|
default = 8333;
|
|
|
|
description = "Port to listen for peer connections.";
|
|
|
|
};
|
2018-11-22 16:46:56 -08:00
|
|
|
package = mkOption {
|
|
|
|
type = types.package;
|
2020-11-09 13:09:09 -08:00
|
|
|
default = config.nix-bitcoin.pkgs.bitcoind;
|
2019-10-02 02:32:12 -07:00
|
|
|
defaultText = "pkgs.blockchains.bitcoind";
|
2018-11-22 16:46:56 -08:00
|
|
|
description = "The package providing bitcoin binaries.";
|
|
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
|
|
|
example = ''
|
|
|
|
par=16
|
|
|
|
logips=1
|
|
|
|
'';
|
|
|
|
description = "Additional configurations to be appended to <filename>bitcoin.conf</filename>.";
|
|
|
|
};
|
|
|
|
dataDir = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "/var/lib/bitcoind";
|
|
|
|
description = "The data directory for bitcoind.";
|
|
|
|
};
|
|
|
|
user = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "bitcoin";
|
|
|
|
description = "The user as which to run bitcoind.";
|
|
|
|
};
|
|
|
|
group = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = cfg.user;
|
|
|
|
description = "The group as which to run bitcoind.";
|
|
|
|
};
|
|
|
|
rpc = {
|
2021-01-14 04:24:01 -08:00
|
|
|
address = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "127.0.0.1";
|
|
|
|
description = ''
|
|
|
|
Address to listen for JSON-RPC connections.
|
|
|
|
'';
|
|
|
|
};
|
2018-11-22 16:46:56 -08:00
|
|
|
port = mkOption {
|
2020-06-02 08:09:52 -07:00
|
|
|
type = types.port;
|
2019-11-27 05:04:46 -08:00
|
|
|
default = 8332;
|
2021-01-14 04:24:01 -08:00
|
|
|
description = "Port to listen for JSON-RPC connections.";
|
2018-11-22 16:46:56 -08:00
|
|
|
};
|
2021-01-14 04:24:02 -08:00
|
|
|
threads = mkOption {
|
|
|
|
type = types.nullOr types.ints.u16;
|
|
|
|
default = null;
|
|
|
|
description = "The number of threads to service RPC calls.";
|
|
|
|
};
|
|
|
|
allowip = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [ "127.0.0.1" ];
|
|
|
|
description = ''
|
|
|
|
Allow JSON-RPC connections from specified sources.
|
|
|
|
'';
|
|
|
|
};
|
2018-11-22 16:46:56 -08:00
|
|
|
users = mkOption {
|
|
|
|
default = {};
|
|
|
|
example = {
|
|
|
|
alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
|
|
|
|
bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
|
|
|
|
};
|
2020-04-07 14:05:01 -07:00
|
|
|
type = with types; loaOf (submodule ({ name, ... }: {
|
|
|
|
options = {
|
|
|
|
name = mkOption {
|
|
|
|
type = types.str;
|
2020-08-26 12:15:32 -07:00
|
|
|
default = name;
|
2020-04-07 14:05:01 -07:00
|
|
|
example = "alice";
|
|
|
|
description = ''
|
|
|
|
Username for JSON-RPC connections.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
passwordHMAC = mkOption {
|
2020-06-22 05:10:54 -07:00
|
|
|
type = types.str;
|
2020-04-07 14:05:01 -07:00
|
|
|
example = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
|
|
|
|
description = ''
|
|
|
|
Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the
|
|
|
|
format <SALT-HEX>$<HMAC-HEX>.
|
|
|
|
'';
|
|
|
|
};
|
2020-08-26 12:15:33 -07:00
|
|
|
passwordHMACFromFile = mkOption {
|
|
|
|
type = lib.types.bool;
|
|
|
|
internal = true;
|
|
|
|
default = false;
|
|
|
|
};
|
2020-06-22 05:12:50 -07:00
|
|
|
rpcwhitelist = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
List of allowed rpc calls for each user.
|
|
|
|
If empty list, rpcwhitelist is disabled for that user.
|
|
|
|
'';
|
|
|
|
};
|
2020-04-07 14:05:01 -07:00
|
|
|
};
|
|
|
|
}));
|
2018-11-22 16:46:56 -08:00
|
|
|
description = ''
|
2020-08-04 06:32:06 -07:00
|
|
|
RPC user information for JSON-RPC connections.
|
2018-11-22 16:46:56 -08:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2020-10-16 08:42:57 -07:00
|
|
|
regtest = mkOption {
|
2018-11-22 16:46:56 -08:00
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2020-10-16 08:42:57 -07:00
|
|
|
description = "Enable regtest mode.";
|
|
|
|
};
|
|
|
|
network = mkOption {
|
|
|
|
readOnly = true;
|
|
|
|
default = if cfg.regtest then "regtest" else "mainnet";
|
|
|
|
};
|
|
|
|
makeNetworkName = mkOption {
|
|
|
|
readOnly = true;
|
|
|
|
default = mainnet: regtest: if cfg.regtest then regtest else mainnet;
|
2018-11-22 16:46:56 -08:00
|
|
|
};
|
|
|
|
proxy = mkOption {
|
2019-10-15 00:37:32 -07:00
|
|
|
type = types.nullOr types.str;
|
2020-10-29 13:20:27 -07:00
|
|
|
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
|
2018-11-22 16:46:56 -08:00
|
|
|
description = "Connect through SOCKS5 proxy";
|
|
|
|
};
|
|
|
|
listen = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
If enabled, the bitcoin service will listen.
|
|
|
|
'';
|
|
|
|
};
|
2020-04-07 14:05:10 -07:00
|
|
|
dataDirReadableByGroup = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
If enabled, data dir content is readable by the bitcoind service group.
|
|
|
|
Warning: This disables bitcoind's wallet support.
|
|
|
|
'';
|
|
|
|
};
|
2019-02-25 08:00:50 -08:00
|
|
|
sysperms = mkOption {
|
2019-03-21 03:27:28 -07:00
|
|
|
type = types.nullOr types.bool;
|
|
|
|
default = null;
|
2019-02-25 08:00:50 -08:00
|
|
|
description = ''
|
2020-04-07 14:05:02 -07:00
|
|
|
Create new files with system default permissions, instead of umask 077
|
|
|
|
(only effective with disabled wallet functionality)
|
2019-02-25 08:00:50 -08:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
disablewallet = mkOption {
|
2019-03-21 03:27:28 -07:00
|
|
|
type = types.nullOr types.bool;
|
|
|
|
default = null;
|
2019-02-25 08:00:50 -08:00
|
|
|
description = ''
|
2020-04-07 14:05:02 -07:00
|
|
|
Do not load the wallet and disable wallet RPC calls
|
2019-02-25 08:00:50 -08:00
|
|
|
'';
|
|
|
|
};
|
2018-11-22 16:46:56 -08:00
|
|
|
dbCache = mkOption {
|
|
|
|
type = types.nullOr (types.ints.between 4 16384);
|
|
|
|
default = null;
|
|
|
|
example = 4000;
|
|
|
|
description = "Override the default database cache size in megabytes.";
|
|
|
|
};
|
|
|
|
prune = mkOption {
|
2020-06-07 04:40:25 -07:00
|
|
|
type = types.ints.unsigned;
|
|
|
|
default = 0;
|
2018-11-22 16:46:56 -08:00
|
|
|
example = 10000;
|
|
|
|
description = ''
|
|
|
|
Reduce storage requirements by enabling pruning (deleting) of old
|
|
|
|
blocks. This allows the pruneblockchain RPC to be called to delete
|
|
|
|
specific blocks, and enables automatic pruning of old blocks if a
|
|
|
|
target size in MiB is provided. This mode is incompatible with -txindex
|
|
|
|
and -rescan. Warning: Reverting this setting requires re-downloading
|
|
|
|
the entire blockchain. ("disable" = disable pruning blocks, "manual"
|
|
|
|
= allow manual pruning via RPC, >=550 = automatically prune block files
|
|
|
|
to stay under the specified target size in MiB)
|
|
|
|
'';
|
|
|
|
};
|
2019-08-05 01:44:38 -07:00
|
|
|
zmqpubrawblock = mkOption {
|
2019-10-15 00:37:32 -07:00
|
|
|
type = types.nullOr types.str;
|
2019-08-05 01:44:38 -07:00
|
|
|
default = null;
|
|
|
|
example = "tcp://127.0.0.1:28332";
|
|
|
|
description = "ZMQ address for zmqpubrawblock notifications";
|
|
|
|
};
|
|
|
|
zmqpubrawtx = mkOption {
|
2019-10-15 00:37:32 -07:00
|
|
|
type = types.nullOr types.str;
|
2019-08-05 01:44:38 -07:00
|
|
|
default = null;
|
|
|
|
example = "tcp://127.0.0.1:28333";
|
|
|
|
description = "ZMQ address for zmqpubrawtx notifications";
|
|
|
|
};
|
2020-02-23 11:22:07 -08:00
|
|
|
assumevalid = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
example = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
|
2020-02-25 14:00:27 -08:00
|
|
|
description = ''
|
|
|
|
If this block is in the chain assume that it and its ancestors are
|
|
|
|
valid and potentially skip their script verification.
|
|
|
|
'';
|
2020-02-23 11:22:07 -08:00
|
|
|
};
|
2020-02-25 14:00:27 -08:00
|
|
|
addnodes = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
example = [ "ecoc5q34tmbq54wl.onion" ];
|
|
|
|
description = "Add nodes to connect to and attempt to keep the connections open";
|
2020-02-23 11:22:07 -08:00
|
|
|
};
|
|
|
|
discover = mkOption {
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
default = null;
|
2020-02-25 14:00:27 -08:00
|
|
|
description = "Discover own IP addresses";
|
2020-02-23 11:22:07 -08:00
|
|
|
};
|
|
|
|
addresstype = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
example = "bech32";
|
|
|
|
description = "What type of addresses to use";
|
|
|
|
};
|
2019-11-12 10:40:30 -08:00
|
|
|
cli = mkOption {
|
|
|
|
readOnly = true;
|
2020-06-18 03:18:11 -07:00
|
|
|
type = types.package;
|
2019-11-12 10:40:30 -08:00
|
|
|
default = pkgs.writeScriptBin "bitcoin-cli" ''
|
|
|
|
exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
|
|
|
|
'';
|
2020-10-29 13:20:29 -07:00
|
|
|
description = "Binary to connect with the bitcoind instance.";
|
2019-11-12 10:40:30 -08:00
|
|
|
};
|
2019-04-27 16:53:26 -07:00
|
|
|
enforceTor = nix-bitcoin-services.enforceTor;
|
2018-11-22 15:06:41 -08:00
|
|
|
};
|
2018-11-13 15:44:54 -08:00
|
|
|
};
|
2018-11-22 16:46:56 -08:00
|
|
|
|
2018-11-13 15:44:54 -08:00
|
|
|
config = mkIf cfg.enable {
|
2020-04-07 13:47:45 -07:00
|
|
|
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
2020-04-07 14:05:10 -07:00
|
|
|
|
2020-08-26 12:15:34 -07:00
|
|
|
services.bitcoind = mkMerge [
|
|
|
|
(mkIf cfg.dataDirReadableByGroup {
|
|
|
|
disablewallet = true;
|
|
|
|
sysperms = true;
|
|
|
|
})
|
|
|
|
{
|
|
|
|
rpc.users.privileged = {
|
|
|
|
passwordHMACFromFile = true;
|
|
|
|
};
|
|
|
|
rpc.users.public = {
|
|
|
|
passwordHMACFromFile = true;
|
|
|
|
rpcwhitelist = import ./bitcoind-rpc-public-whitelist.nix;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
2020-04-07 14:05:10 -07:00
|
|
|
|
2020-05-06 03:43:57 -07:00
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
|
|
|
"d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
|
|
|
|
];
|
|
|
|
|
2018-11-22 10:49:53 -08:00
|
|
|
systemd.services.bitcoind = {
|
2018-11-22 16:46:56 -08:00
|
|
|
description = "Bitcoin daemon";
|
2019-11-27 05:04:19 -08:00
|
|
|
requires = [ "nix-bitcoin-secrets.target" ];
|
|
|
|
after = [ "network.target" "nix-bitcoin-secrets.target" ];
|
2018-11-22 10:49:53 -08:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
2020-08-26 12:15:33 -07:00
|
|
|
preStart = let
|
|
|
|
extraRpcauth = concatMapStrings (name: let
|
|
|
|
user = cfg.rpc.users.${name};
|
|
|
|
in optionalString user.passwordHMACFromFile ''
|
|
|
|
echo "rpcauth=${user.name}:$(cat ${secretsDir}/bitcoin-HMAC-${name})"
|
|
|
|
''
|
|
|
|
) (builtins.attrNames cfg.rpc.users);
|
|
|
|
in ''
|
2020-08-26 12:15:31 -07:00
|
|
|
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
2020-08-26 12:15:33 -07:00
|
|
|
cfg=$(
|
|
|
|
cat ${configFile};
|
|
|
|
${extraRpcauth}
|
2020-08-26 12:15:35 -07:00
|
|
|
${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
|
|
|
|
printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged";
|
2020-08-26 12:15:33 -07:00
|
|
|
)
|
2020-04-07 14:05:09 -07:00
|
|
|
confFile='${cfg.dataDir}/bitcoin.conf'
|
|
|
|
if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
|
2020-08-26 12:15:31 -07:00
|
|
|
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
|
2020-04-07 14:05:09 -07:00
|
|
|
fi
|
2018-11-22 16:46:56 -08:00
|
|
|
'';
|
2019-11-27 05:04:46 -08:00
|
|
|
postStart = ''
|
2020-07-21 03:08:24 -07:00
|
|
|
# Poll until bitcoind accepts commands. This can take a long time.
|
2020-10-29 13:20:29 -07:00
|
|
|
while ! ${cfg.cli}/bin/bitcoin-cli getnetworkinfo &> /dev/null; do
|
2020-07-21 03:08:24 -07:00
|
|
|
sleep 1
|
2019-11-27 05:04:46 -08:00
|
|
|
done
|
|
|
|
'';
|
2020-05-05 06:18:41 -07:00
|
|
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
2018-11-22 16:46:56 -08:00
|
|
|
User = "${cfg.user}";
|
|
|
|
Group = "${cfg.group}";
|
2020-04-07 14:04:58 -07:00
|
|
|
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
2018-11-22 10:49:53 -08:00
|
|
|
Restart = "on-failure";
|
2020-04-07 14:05:10 -07:00
|
|
|
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
2020-05-05 08:15:16 -07:00
|
|
|
ReadWritePaths = "${cfg.dataDir}";
|
2020-05-05 06:18:41 -07:00
|
|
|
} // (if cfg.enforceTor
|
2019-11-07 14:58:21 -08:00
|
|
|
then nix-bitcoin-services.allowTor
|
|
|
|
else nix-bitcoin-services.allowAnyIP)
|
|
|
|
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol;
|
2018-11-19 15:09:57 -08:00
|
|
|
};
|
2019-11-12 10:40:31 -08:00
|
|
|
|
|
|
|
# Use this to update the banlist:
|
|
|
|
# wget https://people.xiph.org/~greg/banlist.cli.txt
|
2019-03-29 02:44:30 -07:00
|
|
|
systemd.services.bitcoind-import-banlist = {
|
|
|
|
description = "Bitcoin daemon banlist importer";
|
2019-11-12 10:40:32 -08:00
|
|
|
wantedBy = [ "bitcoind.service" ];
|
|
|
|
bindsTo = [ "bitcoind.service" ];
|
2019-03-26 03:39:49 -07:00
|
|
|
after = [ "bitcoind.service" ];
|
2019-11-12 10:40:33 -08:00
|
|
|
script = ''
|
2020-10-29 13:20:29 -07:00
|
|
|
cd ${cfg.cli}/bin
|
2019-11-12 10:40:33 -08:00
|
|
|
echo "Importing node banlist..."
|
2019-11-14 04:05:47 -08:00
|
|
|
cat ${./banlist.cli.txt} | while read line; do
|
|
|
|
if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
|
|
|
|
# unexpected error
|
|
|
|
echo "$err"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
done
|
2019-03-26 03:39:49 -07:00
|
|
|
'';
|
2020-05-05 06:18:41 -07:00
|
|
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
2019-03-26 03:39:49 -07:00
|
|
|
User = "${cfg.user}";
|
|
|
|
Group = "${cfg.group}";
|
2020-05-05 08:15:16 -07:00
|
|
|
ReadWritePaths = "${cfg.dataDir}";
|
2020-05-05 06:18:41 -07:00
|
|
|
} // nix-bitcoin-services.allowTor;
|
2019-03-26 03:39:49 -07:00
|
|
|
};
|
|
|
|
|
2018-11-22 16:46:56 -08:00
|
|
|
users.users.${cfg.user} = {
|
|
|
|
group = cfg.group;
|
|
|
|
description = "Bitcoin daemon user";
|
|
|
|
};
|
2019-11-27 05:04:15 -08:00
|
|
|
users.groups.${cfg.group} = {};
|
2020-05-21 09:05:31 -07:00
|
|
|
users.groups.bitcoinrpc = {};
|
2020-09-28 04:09:03 -07:00
|
|
|
nix-bitcoin.operator.groups = [ cfg.group ];
|
2020-01-12 11:52:38 -08:00
|
|
|
|
2020-06-22 05:10:54 -07:00
|
|
|
nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
|
|
|
|
nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
|
2020-01-12 11:52:38 -08:00
|
|
|
user = "bitcoin";
|
2020-05-21 09:05:31 -07:00
|
|
|
group = "bitcoinrpc";
|
2020-01-12 11:52:38 -08:00
|
|
|
};
|
2020-06-22 05:10:54 -07:00
|
|
|
|
|
|
|
nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = "bitcoin";
|
|
|
|
nix-bitcoin.secrets.bitcoin-HMAC-public.user = "bitcoin";
|
2018-11-22 10:49:53 -08:00
|
|
|
};
|
2018-11-13 15:44:54 -08:00
|
|
|
}
|