add option 'dataDirReadableByGroup'

These settings are now more accessible for users that don't use nix-bitcoin's default node config. Additionally, remove 'other' permissions via umask.
2020-04-07 23:05:10 +02:00 · 2020-04-07 23:05:10 +02:00 · 4dc6c3ba5d
parent 3e188238d0
commit 4dc6c3ba5d
3 changed files with 24 additions and 3 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -149,6 +149,14 @@ in {
          If enabled, the bitcoin service will listen.
        '';
      };
+      dataDirReadableByGroup = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled, data dir content is readable by the bitcoind service group.
+          Warning: This disables bitcoind's wallet support.
+        '';
+      };
      sysperms = mkOption {
        type = types.nullOr types.bool;
        default = null;
@ -241,6 +249,12 @@ in {

  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
+
+    services.bitcoind = mkIf cfg.dataDirReadableByGroup {
+      disablewallet = true;
+      sysperms = true;
+    };
+
    systemd.services.bitcoind = {
      description = "Bitcoin daemon";
      requires = [ "nix-bitcoin-secrets.target" ];
@ -273,6 +287,7 @@ in {
        Group = "${cfg.group}";
        ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
        Restart = "on-failure";
+        UMask = mkIf cfg.dataDirReadableByGroup "0027";

        # Permission for preStart
        PermissionsStartOnly = "true";
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -81,7 +81,14 @@ in {
        PermissionsStartOnly = "true";
        ExecStart = ''
          ${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
-          ${optionalString (!cfg.high-memory) "--jsonrpc-import --index-batch-size=10"} \
+          ${if cfg.high-memory then
+              traceIf (!config.services.bitcoind.dataDirReadableByGroup) ''
+                Warning: For optimal electrs syncing performance, enable services.bitcoind.dataDirReadableByGroup.
+                Note that this disables wallet support in bitcoind.
+              '' ""
+            else
+              "--jsonrpc-import --index-batch-size=10"
+          } \
          --db-dir '${cfg.dataDir}' --daemon-dir '${config.services.bitcoind.dataDir}' \
          --electrum-rpc-addr=${toString cfg.address}:${toString cfg.port} ${cfg.extraArgs}
        '';
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -46,8 +46,7 @@ in {
    services.bitcoind = {
      enable = true;
      listen = true;
-      sysperms = if cfg.electrs.enable then true else null;
-      disablewallet = if cfg.electrs.enable then true else null;
+      dataDirReadableByGroup = mkIf cfg.electrs.enable true;
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      port = 8333;