bitcoind: enable cookie-based authentication

2021-02-17 13:35:31 +00:00 · 2021-02-17 13:35:31 +00:00 · 19e401b028
commit 19e401b028
parent bcad047757
2 changed files with 8 additions and 2 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -327,8 +327,6 @@ in {
        cfg=$(
          cat ${configFile}
          ${extraRpcauth}
-          ${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
-          printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
          echo
          ${optionalString (cfg.getPublicAddressCmd != "") ''
            echo "externalip=$(${cfg.getPublicAddressCmd})"
@ -339,6 +337,10 @@ in {
          install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
        fi
      '';
+      # Enable RPC access for group
+      postStart = ''
+        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      '';
      serviceConfig = nbLib.defaultHardening // {
        Type = "notify";
        NotifyAccess = "all";
--- a/test/tests.py
+++ b/test/tests.py
@ -103,6 +103,10 @@ def _():
    assert_running("bitcoind")
    machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
    assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"')
+
+    regtest = "regtest/" if "regtest" in enabled_tests else ""
+    assert_full_match(f"stat  -c '%a' /var/lib/bitcoind/{regtest}.cookie", "640\n")
+
    # RPC access for user 'public' should be restricted
    machine.fail(
        "bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"