bitcoind: add rpc user option 'passwordHMACFromFile'

This allows adding additional rpc users without the need for user-specific code in preStart.
2020-08-26 21:15:33 +02:00 · 2020-08-26 21:15:33 +02:00 · 876cfadf1a
parent 59434e79f0
commit 876cfadf1a
2 changed files with 25 additions and 16 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -30,12 +30,11 @@ let
    ${optionalString (cfg.rpcthreads != null) "rpcthreads=${toString cfg.rpcthreads}"}
    rpcport=${toString cfg.rpc.port}
    rpcwhitelistdefault=0
-    ${concatMapStringsSep  "\n"
-      (rpcUser: ''
-        rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
-        ${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
-      '')
-      (attrValues cfg.rpc.users)
+    ${concatMapStrings (user: ''
+        ${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${passwordHMAC}"}
+        ${optionalString (user.rpcwhitelist != [])
+          "rpcwhitelist=${user.name}:${lib.strings.concatStringsSep "," user.rpcwhitelist}"}
+      '') (builtins.attrValues cfg.rpc.users)
    }
    ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
    ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
@ -123,6 +122,11 @@ in {
                  format <SALT-HEX>$<HMAC-HEX>.
                '';
              };
+              passwordHMACFromFile = mkOption {
+                type = lib.types.bool;
+                internal = true;
+                default = false;
+              };
              rpcwhitelist = mkOption {
                type = types.listOf types.str;
                default = [];
@ -296,13 +300,20 @@ in {
      requires = [ "nix-bitcoin-secrets.target" ];
      after = [ "network.target" "nix-bitcoin-secrets.target" ];
      wantedBy = [ "multi-user.target" ];
-      preStart = ''
+      preStart = let
+        extraRpcauth = concatMapStrings (name: let
+          user = cfg.rpc.users.${name};
+        in optionalString user.passwordHMACFromFile ''
+            echo "rpcauth=${user.name}:$(cat ${secretsDir}/bitcoin-HMAC-${name})"
+          ''
+        ) (builtins.attrNames cfg.rpc.users);
+      in ''
        ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
-
-        cfgpre=$(cat ${configFile}; printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged")
-        cfg=$(echo "$cfgpre" | \
-        sed "s/bitcoin-HMAC-privileged/$(cat ${secretsDir}/bitcoin-HMAC-privileged)/g" | \
-        sed "s/bitcoin-HMAC-public/$(cat ${secretsDir}/bitcoin-HMAC-public)/g")
+        cfg=$(
+          cat ${configFile};
+          ${extraRpcauth}
+          printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged";
+        )
        confFile='${cfg.dataDir}/bitcoin.conf'
        if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
          install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -77,13 +77,11 @@ in {
      rpcthreads = 16;
      rpc.users.privileged = {
        name = "bitcoinrpc";
-        # Placeholder to be sed'd out by bitcoind preStart
-        passwordHMAC = "bitcoin-HMAC-privileged";
+        passwordHMACFromFile = true;
      };
      rpc.users.public = {
        name = "publicrpc";
-        # Placeholder to be sed'd out by bitcoind preStart
-        passwordHMAC = "bitcoin-HMAC-public";
+        passwordHMACFromFile = true;
        rpcwhitelist = [
          "echo"
          "getinfo"