From e2f3f38876a5fcc37689787fbd0712f8c1d2b36f Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Tue, 26 Mar 2019 10:39:49 +0000 Subject: [PATCH] Import bitcoind banlist in separate service --- README.md | 2 +- modules/bitcoind.nix | 49 ++++++++++++++++++++++++++++++++++++++------ pkgs/banlist.sh | 2 ++ 3 files changed, 46 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4c7b924..8122ae8 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ The `nix-bitcoin.nix` module provides the two profiles "minimal" and "all": * minimal * bitcoind (pruned) with outbound connections through Tor and inbound connections through a hidden - service + service. By default loaded with banlist of spy nodes. * [clightning](https://github.com/ElementsProject/lightning) with outbound connections through Tor, not listening * includes "nodeinfo" script which prints basic info about the node * adds non-root user "operator" which has access to bitcoin-cli and lightning-cli diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index b8d4aae..696776c 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -217,10 +217,6 @@ in { echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf' chmod -R g+rX '${cfg.dataDir}/blocks' ''; - postStart = '' - until '${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo; do sleep 1; done - '${pkgs.banlist}'/bin/banlist ${pkgs.altcoins.bitcoind} - ''; serviceConfig = { Type = "simple"; User = "${cfg.user}"; 
@@ -241,9 +237,51 @@ in { PermissionsStartOnly = "true"; }; }; + systemd.services.bitcoind-add-banlist = { + description = "Bitcoin daemon banlist adder"; + requires = [ "bitcoind.service" ]; + after = [ "bitcoind.service" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + echo "Checking that bitcoind is up" + # Give bitcoind time to create pid file + sleep 2 + while true + do + pid=$(cat ${pidFile}) + ${pkgs.ps}/bin/ps -p "$pid" > /dev/null + if [ "$?" -ne 0 ]; then + echo "bitcoind already exited" + break + fi + '${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo > /dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + ''; + serviceConfig = { + Type = "oneshot"; + User = "${cfg.user}"; + Group = "${cfg.group}"; + ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}"; + StateDirectory = "bitcoind"; + + # Hardening measures + PrivateTmp = "true"; + ProtectSystem = "full"; + NoNewPrivileges = "true"; + PrivateDevices = "true"; + MemoryDenyWriteExecute = "true"; + + # Permission for preStart + PermissionsStartOnly = "true"; + }; + }; + users.users.${cfg.user} = { name = cfg.user; - #uid = config.ids.uids.bitcoin; group = cfg.group; extraGroups = [ "keys" ]; description = "Bitcoin daemon user"; @@ -251,7 +289,6 @@ in { }; users.groups.${cfg.group} = { name = cfg.group; - #gid = config.ids.gids.bitcoin; }; }; } diff --git a/pkgs/banlist.sh b/pkgs/banlist.sh index d3d39cb..36534e4 100644 --- a/pkgs/banlist.sh +++ b/pkgs/banlist.sh @@ -1,5 +1,7 @@ set +e +echo "Importing node banlist into bitcoind" +# banlist taken from https://people.xiph.org/~greg/banlist.cli.txt $1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.201.53.37/32 add 31557600 $1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.91.234.37/32 add 31557600 $1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 103.3.61.48/32 add 31557600
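Review bot: The `if [ "$?" -ne 0 ]` / `if [ "$?" -eq 0 ]` tests in the new `preStart` only behave as intended if the generated script is not run under errexit; NixOS normally emits service scripts with `set -e`, in which case the first failing `ps -p` or a `bitcoin-cli getnetworkinfo` issued before the RPC is up aborts preStart on the spot and the loop never retries. Even without errexit the "bitcoind already exited" branch does `break` instead of failing, and a not-yet-written pid file (`cat ${pidFile}` failing, `pid` empty) lands in that same branch, so ExecStart runs the banlist against a daemon that may not be reachable while the oneshot still reports success. Putting the commands in `if`/`until` conditions, as the removed postStart did, and exiting non-zero when bitcoind is gone makes the wait both errexit-safe and honest, and the fixed `sleep 2` then becomes unnecessary. Separately, `PermissionsStartOnly = "true"` makes this preStart run as root although it only reads the pid file and calls `bitcoin-cli`, which ExecStart already does as `${cfg.user}`; dropping it keeps the unit at least privilege. `pidFile` and the enclosing `in { … }` attribute set are defined outside this hunk.
```nix
preStart = ''
  echo "Checking that bitcoind is up"
  while true
  do
    # pid file may not exist yet: only treat a present pid with no live process as "exited"
    if pid=$(cat ${pidFile} 2>/dev/null) && ! ${pkgs.ps}/bin/ps -p "$pid" > /dev/null; then
      echo "bitcoind already exited"
      exit 1
    fi
    if '${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo > /dev/null; then
      break
    fi
    sleep 1
  done
'';
# … unchanged: serviceConfig (without PermissionsStartOnly) …
```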