From 00a0759884b29eb7747022b22a93d479815990e8 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 25 Aug 2021 09:57:09 +0000
Subject: [PATCH] joinmarket-ob-watcher: extra permissions & functionality for fidelity bonds
---
 modules/joinmarket-ob-watcher.nix | 52 +++++++++++++++++++++--
 modules/netns-isolation.nix | 1 +
 pkgs/generate-secrets/generate-secrets.sh | 2 +
 3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix
index 71ab397..237ddb9 100644
--- a/modules/joinmarket-ob-watcher.nix
+++ b/modules/joinmarket-ob-watcher.nix
@@ -5,7 +5,11 @@ let
 cfg = config.services.joinmarket-ob-watcher;
 nbLib = config.nix-bitcoin.lib;
 nbPkgs = config.nix-bitcoin.pkgs;
+ secretsDir = config.nix-bitcoin.secretsDir;
+ inherit (config.services) bitcoind;
+
+ torAddress = config.services.tor.client.socksListenAddress;
 socks5Settings = with config.services.tor.client.socksListenAddress; ''
 socks5 = true
 socks5_host = ${addr}
@@ -14,7 +18,11 @@ let
 configFile = builtins.toFile "config" ''
 [BLOCKCHAIN]
- blockchain_source = no-blockchain
+ blockchain_source = bitcoin-rpc
+ network = ${bitcoind.network}
+ rpc_host = ${bitcoind.rpc.address}
+ rpc_port = ${toString bitcoind.rpc.port}
+ rpc_user = ${bitcoind.rpc.users.joinmarket-ob-watcher.name}
 [MESSAGING:server1]
 host = darkirc6tqgpnwd3blln3yfv5ckl47eg7llfxkmtovrv7c7iwohhb6ad.onion
@@ -48,6 +56,16 @@ in {
 default = "/var/lib/joinmarket-ob-watcher";
 description = "The data directory for JoinMarket orderbook watcher.";
 };
+ user = mkOption {
+ type = types.str;
+ default = "joinmarket-ob-watcher";
+ description = "The user as which to run JoinMarket.";
+ };
+ group = mkOption {
+ type = types.str;
+ default = cfg.user;
+ description = "The group as which to run JoinMarket.";
+ };
 # This option is only used by netns-isolation
 enforceTor = mkOption {
 readOnly = true;
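Review bot: `torAddress` is bound in this hunk but no line visible in the patch references it, and the `socks5Settings` binding directly below still spells out the same `config.services.tor.client.socksListenAddress` path. If the new name is used further down the file, the next line could read `socks5Settings = with torAddress; ''` so the address is named once; if it is not used anywhere, the binding should be dropped rather than left as dead code. The `let` block continues outside the hunk, so this is inferred from what is visible here.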
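Review bot: The `[BLOCKCHAIN]` section here is rendered into a `builtins.toFile` store path, which is readable by every user on the host, so it is right that only `rpc_user` is templated and the password is appended at service start in the later `preStart` hunk; that split is not stated anywhere and a future edit could add a secret to this string. I would add a comment above `blockchain_source`: `# This file is a world-readable store path: never put secrets here. rpc_password is appended to joinmarket.cfg in preStart.` The `configFile` string continues past the hunk.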
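Review bot: The descriptions of the new `user` and `group` options say "run JoinMarket", while the sibling `dataDir` description two lines above names "JoinMarket orderbook watcher", which is the service this module actually manages. I would change them to `description = "The user as which to run the JoinMarket orderbook watcher.";` and `description = "The group as which to run the JoinMarket orderbook watcher.";` so the options read consistently in generated documentation. The options attrset continues past the hunk.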
@@ -56,12 +74,23 @@ in {
 };
 config = mkIf cfg.enable {
+ services.bitcoind.rpc.users.joinmarket-ob-watcher = {
+ passwordHMACFromFile = true;
+ rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [
+ "listwallets"
+ ];
+ };
+
 # Joinmarket is Tor-only
 services.tor = {
 enable = true;
 client.enable = true;
 };
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+ ];
+
 systemd.services.joinmarket-ob-watcher = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "tor.service" ];
@@ -69,13 +98,18 @@ in {
 # The service writes to HOME/.config/matplotlib
 environment.HOME = cfg.dataDir;
 preStart = ''
- ln -snf ${configFile} ${cfg.dataDir}/joinmarket.cfg
+ {
+ cat ${configFile}
+ echo
+ echo '[BLOCKCHAIN]'
+ echo "rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-joinmarket-ob-watcher)"
+ } > '${cfg.dataDir}/joinmarket.cfg'
 '';
 serviceConfig = nbLib.defaultHardening // rec {
- DynamicUser = true;
 StateDirectory = "joinmarket-ob-watcher";
 StateDirectoryMode = "770";
 WorkingDirectory = cfg.dataDir; # The service creates dir 'logs' in the working dir
+ User = cfg.user;
 ExecStart = ''
 ${nbPkgs.joinmarket}/bin/jm-ob-watcher --datadir=${cfg.dataDir} \
 --host=${cfg.address} --port=${toString cfg.port}
@@ -85,5 +119,17 @@ in {
 RestartSec = "10s";
 } // nbLib.allowTor;
 };
+
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ home = cfg.dataDir;
+ };
+ users.groups.${cfg.group} = {};
+
+ nix-bitcoin.secrets = {
+ bitcoin-rpcpassword-joinmarket-ob-watcher.user = cfg.user;
+ bitcoin-HMAC-joinmarket-ob-watcher.user = bitcoind.user;
+ };
 };
 }
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 83db4cc..e7ea4c5 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -251,6 +251,7 @@ in {
 };
 joinmarket-ob-watcher = {
 id = 26;
+ connections = [ "bitcoind" ];
 };
 lightning-pool = {
 id = 27;
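Review bot: The `rpcwhitelist` line grants this new bitcoind user `"listwallets"` on top of the `public` whitelist, but nothing in the hunk records why that extra call is needed, which makes the grant hard to audit later; the commit subject ties it to fidelity bonds, so a one-line comment above it such as `# listwallets is required for the fidelity bond functionality` would keep the permission reviewable. Separately, the new `systemd.tmpfiles.rules` entry creates `cfg.dataDir` with mode 0770 while the service in the next hunk still sets `StateDirectory = "joinmarket-ob-watcher"` with `StateDirectoryMode = "770"`; with the default `dataDir` both mechanisms manage the same directory, and with a custom `dataDir` the `StateDirectory` entry appears to create an unused one. A comment saying which of the two is authoritative, or deriving one from the other, would avoid the duplication. The `config` attrset continues past the hunk.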
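Review bot: The new `preStart` redirects into `'${cfg.dataDir}/joinmarket.cfg'` without removing anything that already exists at that path; on a host upgraded from the removed `ln -snf` line that path is a symlink into the Nix store, and `>` follows the symlink, so the write would fail on the read-only store instead of replacing the link. The file now also holds the RPC password read from `${secretsDir}` but is created with whatever umask the service has; unless `nbLib.defaultHardening` (not visible here) sets `UMask`, the file may be readable by members of `cfg.group` in the 0770 directory. I would open the script with `rm -f '${cfg.dataDir}/joinmarket.cfg'` and `umask 077` before the `{` group so the old symlink is cleared and the generated file is owner-only. The `serviceConfig` attrset continues past the hunk.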
diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh
index 9684b9f..56d0f4a 100755
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@@ -15,6 +15,7 @@ makeHMAC() {
 makePasswordSecret bitcoin-rpcpassword-privileged
 makePasswordSecret bitcoin-rpcpassword-btcpayserver
+makePasswordSecret bitcoin-rpcpassword-joinmarket-ob-watcher
 makePasswordSecret bitcoin-rpcpassword-public
 makePasswordSecret lnd-wallet-password
 makePasswordSecret liquid-rpcpassword
@@ -25,6 +26,7 @@ makePasswordSecret jm-wallet-password
 [[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
 [[ -e bitcoin-HMAC-public ]] || makeHMAC public
 [[ -e bitcoin-HMAC-btcpayserver ]] || makeHMAC btcpayserver
+[[ -e bitcoin-HMAC-joinmarket-ob-watcher ]] || makeHMAC joinmarket-ob-watcher
 [[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
 [[ -e backup-encryption-env ]] || echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env