bitcoind: add rpcwhitelist feature
`rpcwhitelistdefault` is set to 0, which means that RPC whitelisting is only enforced for RPC users for whom an `rpcwhitelist` is configured.
This commit is contained in:
parent
5a978a2836
commit
1bf45a9547
@ -28,8 +28,12 @@ let
# RPC server options
# RPC server options
rpcport=${toString cfg.rpc.port}
rpcport=${toString cfg.rpc.port}
rpcwhitelistdefault=0
${concatMapStringsSep "\n"
${concatMapStringsSep "\n"
(rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}")
(rpcUser: ''
rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
'')
(attrValues cfg.rpc.users)
(attrValues cfg.rpc.users)
}
}
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
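Review bot: The hardcoded `rpcwhitelistdefault=0` added in this hunk makes the policy fail-open: any user in `cfg.rpc.users` whose `rpcwhitelist` stays at `[]` keeps unrestricted RPC access, wallet RPCs included, and nothing in the generated bitcoin.conf says so. That is the behaviour the commit description intends, but it deserves a comment next to the line, e.g. `# 0 = users without an explicit rpcwhitelist are NOT restricted (fail-open)`, so the next reader does not assume Bitcoin Core's default-deny-once-any-whitelist-is-set behaviour. The per-user `rpcwhitelist=` line also interpolates `rpcUser.name` and every method name verbatim; since the option is a plain list of strings, a value containing `,`, `:` or a newline would change the generated option or become an extra config line, so constraining the option type (or validating here) is worth doing even though the values come from the system configuration.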
@ -118,6 +122,14 @@ in {
format <SALT-HEX>$<HMAC-HEX>.
format <SALT-HEX>$<HMAC-HEX>.
'';
'';
};
};
rpcwhitelist = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of allowed rpc calls for each user.
If empty list, rpcwhitelist is disabled for that user.
'';
};
};
};
config = {
config = {
name = mkDefault name;
name = mkDefault name;
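Review bot: `rpcwhitelist` is declared as `types.listOf types.str`, so each value is spliced verbatim into the `rpcwhitelist=<user>:a,b,c` line of bitcoin.conf; an entry containing a comma, colon or newline would be split into extra method names or a further config line instead of being rejected at evaluation time. Bitcoin Core RPC method names are lowercase alphanumerics, so `type = types.listOf (types.strMatching "[a-z0-9]+");` would catch such values early — confirm the pattern against the method names you intend to allow. The description should also make the fail-open semantics explicit, since the module emits `rpcwhitelistdefault=0`: `An empty list disables whitelisting for that user, i.e. the user may call every RPC method, not none.` The enclosing user submodule's `options` block starts before this hunk.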
@ -82,6 +82,66 @@ in {
name = "publicrpc";
name = "publicrpc";
# Placeholder to be sed'd out by bitcoind preStart
# Placeholder to be sed'd out by bitcoind preStart
passwordHMAC = "bitcoin-HMAC-public";
passwordHMAC = "bitcoin-HMAC-public";
rpcwhitelist = [
"echo"
"getinfo"
# Blockchain
"getbestblockhash"
"getblock"
"getblockchaininfo"
"getblockcount"
"getblockfilter"
"getblockhash"
"getblockheader"
"getblockstats"
"getchaintips"
"getchaintxstats"
"getdifficulty"
"getmempoolancestors"
"getmempooldescendants"
"getmempoolentry"
"getmempoolinfo"
"getrawmempool"
"gettxout"
"gettxoutproof"
"gettxoutsetinfo"
"scantxoutset"
"verifytxoutproof"
# Mining
"getblocktemplate"
"getmininginfo"
"getnetworkhashps"
# Network
"getnetworkinfo"
# Rawtransactions
"analyzepsbt"
"combinepsbt"
"combinerawtransaction"
"converttopsbt"
"createpsbt"
"createrawtransaction"
"decodepsbt"
"decoderawtransaction"
"decodescript"
"finalizepsbt"
"fundrawtransaction"
"getrawtransaction"
"joinpsbts"
"sendrawtransaction"
"signrawtransactionwithkey"
"testmempoolaccept"
"utxoupdatepsbt"
# Util
"createmultisig"
"deriveaddresses"
"estimatesmartfee"
"getdescriptorinfo"
"signmessagewithprivkey"
"validateaddress"
"verifymessage"
# Zmq
"getzmqnotifications"
];
};
};
};
};
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
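Review bot: `fundrawtransaction` should not be in a public-facing whitelist: although it sits under the `# Rawtransactions` comment in this hunk, it is a wallet RPC in Bitcoin Core that selects inputs from, and derives change addresses for, the node's own wallet, so a `publicrpc` caller can enumerate that wallet's UTXOs and addresses and, via the `lockUnspents` option, lock them; I would drop that entry. `scantxoutset` and `gettxoutsetinfo` walk the entire UTXO set on every call, which makes them a cheap resource-exhaustion vector for anyone who can reach this user, so either drop them or mark the exposure with `# NOTE: scantxoutset/gettxoutsetinfo scan the full UTXO set per call — expensive, expose only behind rate limiting`. `getinfo` appears to be dead: Bitcoin Core removed it in 0.16 and newer versions answer it only with an error pointing at its replacements, so the entry is harmless but misleading. The whitelist is consumed by the module's per-user `rpcwhitelist=` template, which is defined outside this hunk.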