Import bitcoind banlist in separate service
parent
b3e0315d8e
commit
e2f3f38876
@ -28,7 +28,7 @@ The `nix-bitcoin.nix` module provides the two profiles "minimal" and "all":
|
|||||||
|
|
||||||
* minimal
|
* minimal
|
||||||
* bitcoind (pruned) with outbound connections through Tor and inbound connections through a hidden
|
* bitcoind (pruned) with outbound connections through Tor and inbound connections through a hidden
|
||||||
service
|
service. By default loaded with banlist of spy nodes.
|
||||||
* [clightning](https://github.com/ElementsProject/lightning) with outbound connections through Tor, not listening
|
* [clightning](https://github.com/ElementsProject/lightning) with outbound connections through Tor, not listening
|
||||||
* includes "nodeinfo" script which prints basic info about the node
|
* includes "nodeinfo" script which prints basic info about the node
|
||||||
* adds non-root user "operator" which has access to bitcoin-cli and lightning-cli
|
* adds non-root user "operator" which has access to bitcoin-cli and lightning-cli
|
||||||
|
@ -217,10 +217,6 @@ in {
|
|||||||
echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
|
echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
|
||||||
chmod -R g+rX '${cfg.dataDir}/blocks'
|
chmod -R g+rX '${cfg.dataDir}/blocks'
|
||||||
'';
|
'';
|
||||||
postStart = ''
|
|
||||||
until '${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo; do sleep 1; done
|
|
||||||
'${pkgs.banlist}'/bin/banlist ${pkgs.altcoins.bitcoind}
|
|
||||||
'';
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
User = "${cfg.user}";
|
User = "${cfg.user}";
|
||||||
@ -241,9 +237,51 @@ in {
|
|||||||
PermissionsStartOnly = "true";
|
PermissionsStartOnly = "true";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
systemd.services.bitcoind-add-banlist = {
|
||||||
|
description = "Bitcoin daemon banlist adder";
|
||||||
|
requires = [ "bitcoind.service" ];
|
||||||
|
after = [ "bitcoind.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
preStart = ''
|
||||||
|
echo "Checking that bitcoind is up"
|
||||||
|
# Give bitcoind time to create pid file
|
||||||
|
sleep 2
|
||||||
|
while true
|
||||||
|
do
|
||||||
|
pid=$(cat ${pidFile})
|
||||||
|
${pkgs.ps}/bin/ps -p "$pid" > /dev/null
|
||||||
|
if [ "$?" -ne 0 ]; then
|
||||||
|
echo "bitcoind already exited"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
'${cfg.package}'/bin/bitcoin-cli -datadir='${cfg.dataDir}' getnetworkinfo > /dev/null
|
||||||
|
if [ "$?" -eq 0 ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "${cfg.user}";
|
||||||
|
Group = "${cfg.group}";
|
||||||
|
ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}";
|
||||||
|
StateDirectory = "bitcoind";
|
||||||
|
|
||||||
|
# Hardening measures
|
||||||
|
PrivateTmp = "true";
|
||||||
|
ProtectSystem = "full";
|
||||||
|
NoNewPrivileges = "true";
|
||||||
|
PrivateDevices = "true";
|
||||||
|
MemoryDenyWriteExecute = "true";
|
||||||
|
|
||||||
|
# Permission for preStart
|
||||||
|
PermissionsStartOnly = "true";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.users.${cfg.user} = {
|
users.users.${cfg.user} = {
|
||||||
name = cfg.user;
|
name = cfg.user;
|
||||||
#uid = config.ids.uids.bitcoin;
|
|
||||||
group = cfg.group;
|
group = cfg.group;
|
||||||
extraGroups = [ "keys" ];
|
extraGroups = [ "keys" ];
|
||||||
description = "Bitcoin daemon user";
|
description = "Bitcoin daemon user";
|
||||||
@ -251,7 +289,6 @@ in {
|
|||||||
};
|
};
|
||||||
users.groups.${cfg.group} = {
|
users.groups.${cfg.group} = {
|
||||||
name = cfg.group;
|
name = cfg.group;
|
||||||
#gid = config.ids.gids.bitcoin;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
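Review bot: In the `preStart` loop of `bitcoind-add-banlist`, the "bitcoind already exited" branch only does `break`, so when it is reached the script finishes normally and `ExecStart` still runs the banlist import against a daemon that is gone. Fail the unit there instead, and test the command directly rather than through `$?`, which behaves the same whether or not the generated script runs under errexit: `if ! ${pkgs.ps}/bin/ps -p "$pid" > /dev/null; then echo "bitcoind already exited"; exit 1; fi`. `PermissionsStartOnly = "true"` makes this `preStart` run as root although the visible commands only read the pid file and call `bitcoin-cli`; dropping it would keep the whole unit under `${cfg.user}`, assuming that user can read `${pidFile}` (defined outside these hunks). `ExecStart` also passes `${pkgs.altcoins.bitcoind}` while the readiness check uses `${cfg.package}`, so the import can run a different `bitcoin-cli` than the configured one.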
@ -1,5 +1,7 @@
|
|||||||
set +e
|
set +e
|
||||||
|
|
||||||
|
echo "Importing node banlist into bitcoind"
|
||||||
|
# banlist taken from https://people.xiph.org/~greg/banlist.cli.txt
|
||||||
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.201.53.37/32 add 31557600
|
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.201.53.37/32 add 31557600
|
||||||
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.91.234.37/32 add 31557600
|
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 101.91.234.37/32 add 31557600
|
||||||
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 103.3.61.48/32 add 31557600
|
$1/bin/bitcoin-cli -datadir=/var/lib/bitcoind setban 103.3.61.48/32 add 31557600
|
||||||
|
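Review bot: The `setban` lines hard-code `-datadir=/var/lib/bitcoind`, while the unit that now runs this script waits on `-datadir='${cfg.dataDir}'`, so with a non-default data directory the calls would likely all fail, and `set +e` at the top means those failures are ignored. The new `echo` then announces an import with nothing reporting whether any ban was applied; consider taking the data directory as a second argument and printing a count of failed calls before exiting non-zero. The provenance comment would be more useful with a retrieval date and checksum, e.g. `# banlist taken from https://people.xiph.org/~greg/banlist.cli.txt (retrieved <DATE>, sha256 <HASH>)`, since each entry is banned for 31557600 seconds from a static snapshot. The script continues beyond this hunk, so the same applies to the lines not shown.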