Import bitcoind banlist in separate service

This commit is contained in:
Jonas Nick 2019-03-26 10:39:49 +00:00
parent b3e0315d8e
commit e2f3f38876
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
3 changed files with 46 additions and 7 deletions


@ -28,7 +28,7 @@ The `nix-bitcoin.nix` module provides the two profiles "minimal" and "all":
* minimal
* bitcoind (pruned) with outbound connections through Tor and inbound connections through a hidden
service
service. By default loaded with banlist of spy nodes.
* [clightning](https://github.com/ElementsProject/lightning) with outbound connections through Tor, not listening
* includes "nodeinfo" script which prints basic info about the node
* adds non-root user "operator" which has access to bitcoin-cli and lightning-cli


@ -217,10 +217,6 @@ in {
echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
chmod -R g+rX '${cfg.dataDir}/blocks'
'';
postStart = ''
until '${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo; do sleep 1; done
'${pkgs.banlist}'/bin/banlist ${pkgs.altcoins.bitcoind}
'';
serviceConfig = {
Type = "simple";
User = "${cfg.user}";
@ -241,9 +237,51 @@ in {
PermissionsStartOnly = "true";
};
};
systemd.services.bitcoind-add-banlist = {
description = "Bitcoin daemon banlist adder";
requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
echo "Checking that bitcoind is up"
# Give bitcoind time to create pid file
sleep 2
while true
do
pid=$(cat ${pidFile})
${pkgs.ps}/bin/ps -p "$pid" > /dev/null
if [ "$?" -ne 0 ]; then
echo "bitcoind already exited"
break
fi
'${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo > /dev/null
if [ "$?" -eq 0 ]; then
break
fi
sleep 1
done
'';
serviceConfig = {
Type = "oneshot";
User = "${cfg.user}";
Group = "${cfg.group}";
ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}";
StateDirectory = "bitcoind";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
# Permission for preStart
PermissionsStartOnly = "true";
};
};
users.users.${cfg.user} = {
name = cfg.user;
#uid = config.ids.uids.bitcoin;
group = cfg.group;
extraGroups = [ "keys" ];
description = "Bitcoin daemon user";
@ -251,7 +289,6 @@ in {
};
users.groups.${cfg.group} = {
name = cfg.group;
#gid = config.ids.gids.bitcoin;
};
};
}
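Review bot: The readiness loop in the new bitcoind-add-banlist preStart tests `$?` on the line after a bare `ps -p` / `bitcoin-cli getnetworkinfo` call, which is never reached if the generated unit script runs with `-e` (the `set +e` at the top of the banlist script suggests the author expects that mode), and the "bitcoind already exited" branch only `break`s, so the script exits 0 and ExecStart still runs the import against a daemon that is gone. Putting the commands into the `if` condition keeps the loop correct under either shell mode, and exiting non-zero in the "exited" branch lets systemd report the failure instead of a spurious success; the rewrite below does both. Separately, ExecStart hands the banlist script only the package, while the script's visible lines hardcode `-datadir=/var/lib/bitcoind` even though this module reads `${cfg.dataDir}`; if the script is meant to follow the module option, pass the data directory as a second argument (the remainder of that script is not in view). The hunk sits inside the module's `in { … }` attribute set, which begins and ends outside it.
```nix
preStart = ''
  echo "Checking that bitcoind is up"
  # Give bitcoind time to create pid file
  sleep 2
  while true; do
    # A missing or stale pid file means bitcoind is not running; fail the
    # unit so ExecStart does not run the import against nothing.
    pid=$(cat ${pidFile} 2>/dev/null) || pid=
    if [ -z "$pid" ] || ! ${pkgs.ps}/bin/ps -p "$pid" > /dev/null; then
      echo "bitcoind already exited" >&2
      exit 1
    fi
    if '${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo > /dev/null; then
      break
    fi
    sleep 1
  done
'';
# … unchanged: serviceConfig …
```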


@ -1,5 +1,7 @@
set +e
echo "Importing node banlist into bitcoind"
# banlist taken from https://people.xiph.org/~greg/banlist.cli.txt
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.201.53.37/32 add 31557600
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.91.234.37/32 add 31557600
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 103.3.61.48/32 add 31557600