greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge #325: bitcoind: enable cookie-based authentication 

4e9059dc07 bitcoind: rename group bitcoinrpc -> bitcoinrpc-public (nixbitcoin)
19e401b028 bitcoind: enable cookie-based authentication (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 4e9059dc07

Tree-SHA512: 9795a0fe7fdd84bc3ae94b882b106f7169205e3196ecdfc6dad01c4f2d62380711b6504f221a90f21e8cc34cda2e12df05a245d5c54f9ed7846d74835cac5e19
This commit is contained in:
Jonas Nick 2021-02-18 12:08:34 +00:00
parent bcad047757 4e9059dc07
commit e160e17dca
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
7 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/bitcoind.nix
View File

@ -327,8 +327,6 @@ in {
cfg=$(
cat ${configFile}
${extraRpcauth}
${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
echo
${optionalString (cfg.getPublicAddressCmd != "") ''
echo "externalip=$(${cfg.getPublicAddressCmd})"
@ -339,6 +337,10 @@ in {
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
fi
'';
# Enable RPC access for group
postStart = ''
chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
'';
serviceConfig = nbLib.defaultHardening // {
Type = "notify";
NotifyAccess = "all";
@ -382,13 +384,13 @@ in {
users.users.${cfg.user}.group = cfg.group;
users.groups.${cfg.group} = {};
users.groups.bitcoinrpc = {};
users.groups.bitcoinrpc-public = {};
nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user;
nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
user = cfg.user;
group = "bitcoinrpc";
group = "bitcoinrpc-public";
};
nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = cfg.user;

2
modules/btcpayserver.nix
View File

@ -212,7 +212,7 @@ in {
users.users.${cfg.nbxplorer.user} = {
group = cfg.nbxplorer.group;
extraGroups = [ "bitcoinrpc" ];
extraGroups = [ "bitcoinrpc-public" ];
home = cfg.nbxplorer.dataDir;
};
users.groups.${cfg.nbxplorer.group} = {};

2
modules/clightning.nix
View File

@ -144,7 +144,7 @@ in {
users.users.${cfg.user} = {
group = cfg.group;
extraGroups = [ "bitcoinrpc" ];
extraGroups = [ "bitcoinrpc-public" ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];

2
modules/electrs.nix
View File

@ -110,7 +110,7 @@ in {
users.users.${cfg.user} = {
group = cfg.group;
extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.user ];
extraGroups = [ "bitcoinrpc-public" ] ++ optionals cfg.high-memory [ bitcoind.user ];
};
users.groups.${cfg.group} = {};
};

2
modules/liquid.nix
View File

@ -247,7 +247,7 @@ in {
users.users.${cfg.user} = {
group = cfg.group;
extraGroups = [ "bitcoinrpc" ];
extraGroups = [ "bitcoinrpc-public" ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ];

2
modules/lnd.nix
View File

@ -275,7 +275,7 @@ in {
users.users.${cfg.user} = {
group = cfg.group;
extraGroups = [ "bitcoinrpc" ];
extraGroups = [ "bitcoinrpc-public" ];
home = cfg.dataDir; # lnd creates .lnd dir in HOME
};
users.groups.${cfg.group} = {};

4
test/tests.py
View File

@ -103,6 +103,10 @@ def _():
assert_running("bitcoind")
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"')
regtest = "regtest/" if "regtest" in enabled_tests else ""
assert_full_match(f"stat -c '%a' /var/lib/bitcoind/{regtest}.cookie", "640\n")
# RPC access for user 'public' should be restricted
machine.fail(
"bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"