From 1bf45a95474781b60dc65b359e65b638a960ac98 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Mon, 22 Jun 2020 12:12:50 +0000
Subject: [PATCH] bitcoind: add rpcwhitelist feature

Default behavior for rpc whitelisting is set to 0, which means that rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist` exists.
---
 modules/bitcoind.nix | 14 +++++++-
 modules/presets/secure-node.nix | 60 +++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index e998d07..2fc7573 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -28,8 +28,12 @@ let
 # RPC server options
 rpcport=${toString cfg.rpc.port}
+ rpcwhitelistdefault=0
 ${concatMapStringsSep "\n"
- (rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}")
+ (rpcUser: ''
+ rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
+ ${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
+ '')
 (attrValues cfg.rpc.users)
 }
 ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
@@ -118,6 +122,14 @@ in {
 format $.
 '';
 };
+ rpcwhitelist = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ List of allowed rpc calls for each user.
+ If empty list, rpcwhitelist is disabled for that user.
+ '';
+ };
 };
 config = {
 name = mkDefault name;
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index faa91f3..37afd7d 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
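Review bot: `rpcwhitelistdefault=0` is written into the generated config unconditionally and its rationale lives only in the commit message; once any `rpcwhitelist=` line exists, Bitcoin Core would otherwise treat users without a list as having an empty one, so this single line is what keeps whitelist-less users (the privileged user, presumably) fully enabled. Put that where the next reader of the template will see it, e.g. `# 0: users with no rpcwhitelist keep unrestricted RPC access (Core's default would deny them once any whitelist is set)` above the line, or expose it as a module option so a deployment can choose the fail-closed setting. Separately, bitcoind does not validate the method names it reads from `rpcwhitelist=`, so a misspelled entry in `rpcUser.rpcwhitelist` silently denies that call at runtime instead of failing evaluation; the option description in the second hunk is the place to say so. The `''` config template containing this hunk starts in the `let` before it.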
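Review bot: The `description` of the new `rpcwhitelist` option says the whitelist is "disabled" for a user with an empty list, which is only true because the module pins `rpcwhitelistdefault=0` in the same commit; should that line ever become configurable, an empty list would instead mean no calls at all. State the actual contract, e.g. `An empty list (the default) leaves this user unrestricted; a non-empty list allows only the named RPC methods. bitcoind does not check that the names exist, so a misspelled entry silently blocks that call.` An `example = [ "getblockchaininfo" "getrawtransaction" ];` would also help, since the secure-node preset in this commit is the only usage. The enclosing submodule definition starts before the hunk.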
@@ -82,6 +82,66 @@ in {
 name = "publicrpc";
 # Placeholder to be sed'd out by bitcoind preStart
 passwordHMAC = "bitcoin-HMAC-public";
+ rpcwhitelist = [
+ "echo"
+ "getinfo"
+ # Blockchain
+ "getbestblockhash"
+ "getblock"
+ "getblockchaininfo"
+ "getblockcount"
+ "getblockfilter"
+ "getblockhash"
+ "getblockheader"
+ "getblockstats"
+ "getchaintips"
+ "getchaintxstats"
+ "getdifficulty"
+ "getmempoolancestors"
+ "getmempooldescendants"
+ "getmempoolentry"
+ "getmempoolinfo"
+ "getrawmempool"
+ "gettxout"
+ "gettxoutproof"
+ "gettxoutsetinfo"
+ "scantxoutset"
+ "verifytxoutproof"
+ # Mining
+ "getblocktemplate"
+ "getmininginfo"
+ "getnetworkhashps"
+ # Network
+ "getnetworkinfo"
+ # Rawtransactions
+ "analyzepsbt"
+ "combinepsbt"
+ "combinerawtransaction"
+ "converttopsbt"
+ "createpsbt"
+ "createrawtransaction"
+ "decodepsbt"
+ "decoderawtransaction"
+ "decodescript"
+ "finalizepsbt"
+ "fundrawtransaction"
+ "getrawtransaction"
+ "joinpsbts"
+ "sendrawtransaction"
+ "signrawtransactionwithkey"
+ "testmempoolaccept"
+ "utxoupdatepsbt"
+ # Util
+ "createmultisig"
+ "deriveaddresses"
+ "estimatesmartfee"
+ "getdescriptorinfo"
+ "signmessagewithprivkey"
+ "validateaddress"
+ "verifymessage"
+ # Zmq
+ "getzmqnotifications"
+ ];
 };
 };
 services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
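Review bot: `fundrawtransaction` under `# Rawtransactions` does not belong on the `publicrpc` whitelist: it requires a loaded wallet and selects inputs from the node's own wallet, so any client of this user can learn the wallet's UTXOs and have it derive change addresses; drop the `"fundrawtransaction"` line. If `publicrpc` is reachable by untrusted clients (the preset publishes a bitcoind port as a Tor hidden service right after this list, though whether that is the RPC port is not visible here), also weigh `gettxoutsetinfo` and `scantxoutset`, which each walk the whole UTXO set and make it easy to keep the node busy. The list is pinned to one Core release's method set without saying which (`getblockfilter`, for instance, only works when the block filter index is enabled), so a header comment such as `# Subset of Bitcoin Core <VERSION> RPC methods considered safe for the public user; review on every bitcoind upgrade` with the version filled in would make the maintenance obligation explicit.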