bitcoind: enable cookie-based authentication

This commit is contained in:
nixbitcoin 2021-02-17 13:35:31 +00:00
parent bcad047757
commit 19e401b028
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
2 changed files with 8 additions and 2 deletions


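--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -327,8 +327,6 @@ in {
 cfg=$(
 cat ${configFile}
 ${extraRpcauth}
-${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
-printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
 echo
 ${optionalString (cfg.getPublicAddressCmd != "") ''
 echo "externalip=$(${cfg.getPublicAddressCmd})"
@@ -339,6 +337,10 @@ in {
 install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
 fi
 '';
+# Enable RPC access for group
+postStart = ''
+chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+'';
 serviceConfig = nbLib.defaultHardening // {
 Type = "notify";
 NotifyAccess = "all";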
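Review bot: The `chmod g=r` added in the postStart of the second hunk only sets the group read bit and leaves the owner and other bits at whatever bitcoind created the cookie with, so the final mode of this RPC credential depends on the daemon's umask rather than being pinned by the unit; the companion test expects exactly 640, and nothing visible here guarantees the other bits are clear (whether nbLib.defaultHardening sets a UMask is outside this hunk). Stating the full mode, `chmod 640 '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'`, makes the unit enforce what the test checks regardless of how the file was created. The one-line comment could also say who the access is for and why, e.g. `# Make the RPC cookie readable by group '${cfg.group}' so bitcoin-cli works for its members (replaces the former rpcuser/rpcpassword entry)`. The enclosing service attribute set begins before and ends after this hunk.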


@ -103,6 +103,10 @@ def _():
assert_running("bitcoind") assert_running("bitcoind")
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo") machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"') assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"')
regtest = "regtest/" if "regtest" in enabled_tests else ""
assert_full_match(f"stat -c '%a' /var/lib/bitcoind/{regtest}.cookie", "640\n")
# RPC access for user 'public' should be restricted # RPC access for user 'public' should be restricted
machine.fail( machine.fail(
"bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop" "bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"