diff --git a/modules/bitcoind-rpc-public-whitelist.nix b/modules/bitcoind-rpc-public-whitelist.nix
new file mode 100644
index 0000000..dada244
--- /dev/null
+++ b/modules/bitcoind-rpc-public-whitelist.nix
@@ -0,0 +1,61 @@
+# RPC calls that are safe for public use
+[
+ "echo"
+ "getinfo"
+ # Blockchain
+ "getbestblockhash"
+ "getblock"
+ "getblockchaininfo"
+ "getblockcount"
+ "getblockfilter"
+ "getblockhash"
+ "getblockheader"
+ "getblockstats"
+ "getchaintips"
+ "getchaintxstats"
+ "getdifficulty"
+ "getmempoolancestors"
+ "getmempooldescendants"
+ "getmempoolentry"
+ "getmempoolinfo"
+ "getrawmempool"
+ "gettxout"
+ "gettxoutproof"
+ "gettxoutsetinfo"
+ "scantxoutset"
+ "verifytxoutproof"
+ # Mining
+ "getblocktemplate"
+ "getmininginfo"
+ "getnetworkhashps"
+ # Network
+ "getnetworkinfo"
+ # Rawtransactions
+ "analyzepsbt"
+ "combinepsbt"
+ "combinerawtransaction"
+ "converttopsbt"
+ "createpsbt"
+ "createrawtransaction"
+ "decodepsbt"
+ "decoderawtransaction"
+ "decodescript"
+ "finalizepsbt"
+ "fundrawtransaction"
+ "getrawtransaction"
+ "joinpsbts"
+ "sendrawtransaction"
+ "signrawtransactionwithkey"
+ "testmempoolaccept"
+ "utxoupdatepsbt"
+ # Util
+ "createmultisig"
+ "deriveaddresses"
+ "estimatesmartfee"
+ "getdescriptorinfo"
+ "signmessagewithprivkey"
+ "validateaddress"
+ "verifymessage"
+ # Zmq
+ "getzmqnotifications"
+]
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 6e785ad..d62ca35 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
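Review bot: The header comment `# RPC calls that are safe for public use` does not say safe against what, and the list admits calls that are cheap to request but costly for the node — `scantxoutset`, `gettxoutsetinfo` and `getblocktemplate` each walk or rebuild large state, so any holder of the public credential can keep the node busy. Whether that is acceptable depends on who receives the public credential, which this file cannot know, so the threat model should be stated in the header, e.g. `# RPC calls that expose no wallet or node-control functionality. Several (scantxoutset, gettxoutsetinfo, getblocktemplate) are still resource-heavy, so the public credential should only be handed to trusted local consumers.` `fundrawtransaction` is also a wallet-backed call in Bitcoin Core despite sitting under the Rawtransactions help category; when the wallet is enabled it selects the node's own UTXOs for a caller-supplied transaction, which is worth confirming is intended for a public user rather than only meaningful under `disablewallet = true`.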
@@ -285,10 +285,23 @@ in {
 config = mkIf cfg.enable {
 environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
- services.bitcoind = mkIf cfg.dataDirReadableByGroup {
- disablewallet = true;
- sysperms = true;
- };
+ services.bitcoind = mkMerge [
+ (mkIf cfg.dataDirReadableByGroup {
+ disablewallet = true;
+ sysperms = true;
+ })
+ {
+ rpc.users.privileged = {
+ name = "bitcoinrpc";
+ passwordHMACFromFile = true;
+ };
+ rpc.users.public = {
+ name = "publicrpc";
+ passwordHMACFromFile = true;
+ rpcwhitelist = import ./bitcoind-rpc-public-whitelist.nix;
+ };
+ }
+ ];
 systemd.tmpfiles.rules = [
 "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 8194b3e..1447532 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
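Review bot: Both RPC users are now defined in the unconditional attrset inside `mkMerge`, so every host with `services.bitcoind.enable` gets a `privileged` and a `public` credential, whereas before only the secure-node preset did; nothing in the hunk records that this widening is intended. A comment above the inner `{` would make the contract explicit, e.g. `# Always define both RPC users: "privileged" carries no rpcwhitelist, "public" is restricted to bitcoind-rpc-public-whitelist.nix.` Bitcoin Core treats a user with no whitelist as having an empty one once any `rpcwhitelist` is configured unless `rpcwhitelistdefault` is cleared, so it is worth confirming (outside this hunk) that the generated bitcoin.conf sets that option for the privileged user. `passwordHMACFromFile = true` defers the secret to a file whose provisioning the hunk does not show; the enclosing `config = mkIf cfg.enable {` block continues past the hunk.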
@@ -75,74 +75,6 @@ in {
 # higher rpcthread count due to reports that lightning implementations fail
 # under high bitcoind rpc load
 rpcthreads = 16;
- rpc.users.privileged = {
- name = "bitcoinrpc";
- passwordHMACFromFile = true;
- };
- rpc.users.public = {
- name = "publicrpc";
- passwordHMACFromFile = true;
- rpcwhitelist = [
- "echo"
- "getinfo"
- # Blockchain
- "getbestblockhash"
- "getblock"
- "getblockchaininfo"
- "getblockcount"
- "getblockfilter"
- "getblockhash"
- "getblockheader"
- "getblockstats"
- "getchaintips"
- "getchaintxstats"
- "getdifficulty"
- "getmempoolancestors"
- "getmempooldescendants"
- "getmempoolentry"
- "getmempoolinfo"
- "getrawmempool"
- "gettxout"
- "gettxoutproof"
- "gettxoutsetinfo"
- "scantxoutset"
- "verifytxoutproof"
- # Mining
- "getblocktemplate"
- "getmininginfo"
- "getnetworkhashps"
- # Network
- "getnetworkinfo"
- # Rawtransactions
- "analyzepsbt"
- "combinepsbt"
- "combinerawtransaction"
- "converttopsbt"
- "createpsbt"
- "createrawtransaction"
- "decodepsbt"
- "decoderawtransaction"
- "decodescript"
- "finalizepsbt"
- "fundrawtransaction"
- "getrawtransaction"
- "joinpsbts"
- "sendrawtransaction"
- "signrawtransactionwithkey"
- "testmempoolaccept"
- "utxoupdatepsbt"
- # Util
- "createmultisig"
- "deriveaddresses"
- "estimatesmartfee"
- "getdescriptorinfo"
- "signmessagewithprivkey"
- "validateaddress"
- "verifymessage"
- # Zmq
- "getzmqnotifications"
- ];
- };
 };
 services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };