From 4dc6c3ba5d627d40a9eb2bd5b408fe0c87f56c9d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Tue, 7 Apr 2020 23:05:10 +0200
Subject: [PATCH] add option 'dataDirReadableByGroup'

These settings are now more accessible for users that don't use nix-bitcoin's default node config. Additionally, remove 'other' permissions via umask.
---
 modules/bitcoind.nix | 15 +++++++++++++++
 modules/electrs.nix | 9 ++++++++-
 modules/presets/secure-node.nix | 3 +--
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 2588559..4dcd020 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -149,6 +149,14 @@ in {
 If enabled, the bitcoin service will listen.
 '';
 };
+ dataDirReadableByGroup = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If enabled, data dir content is readable by the bitcoind service group.
+ Warning: This disables bitcoind's wallet support.
+ '';
+ };
 sysperms = mkOption {
 type = types.nullOr types.bool;
 default = null;
@@ -241,6 +249,12 @@ in {
 config = mkIf cfg.enable {
 environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
+
+ services.bitcoind = mkIf cfg.dataDirReadableByGroup {
+ disablewallet = true;
+ sysperms = true;
+ };
+
 systemd.services.bitcoind = {
 description = "Bitcoin daemon";
 requires = [ "nix-bitcoin-secrets.target" ];
@@ -273,6 +287,7 @@ in {
 Group = "${cfg.group}";
 ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
 Restart = "on-failure";
+ UMask = mkIf cfg.dataDirReadableByGroup "0027";
 # Permission for preStart
 PermissionsStartOnly = "true";
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 3d30187..a7f0ee3 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
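Review bot: The description of the new `dataDirReadableByGroup` option only names the wallet side effect, while the actual access change (the data dir becoming readable by every member of the bitcoind service group, via `sysperms = true` and a `0027` umask on the unit) is only visible in the later hunks of this file. A user weighing this option is making a trust decision about that group, so the description should say so explicitly, e.g. `Implemented by setting sysperms = true and disablewallet = true and running bitcoind with UMask 0027, so all members of the bitcoind group can read blocks, chainstate and any other files bitcoind writes.` It would also help to state that the setting is not retroactive for files created before it was enabled, since nothing in this commit changes existing modes.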
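Review bot: The `services.bitcoind = mkIf cfg.dataDirReadableByGroup { disablewallet = true; sysperms = true; }` definitions in the second hunk carry normal priority, so a user who also sets `services.bitcoind.sysperms = false` or `disablewallet = false` explicitly should get a conflicting-definition evaluation error rather than a message that names `dataDirReadableByGroup`. Failing closed here is the right outcome — a group-readable data dir with the wallet still enabled is exactly the situation the option's warning is about — but the behaviour is undocumented, and the error the user sees will point at `sysperms`/`disablewallet` instead of the option that caused it. Consider stating it in the option description, e.g. `Conflicting explicit values for sysperms or disablewallet are an evaluation error.`, so the interaction is discoverable. The enclosing `config = mkIf cfg.enable { ... }` attribute set continues outside the hunk.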
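Review bot: `UMask = mkIf cfg.dataDirReadableByGroup "0027";` in the third hunk only governs files bitcoind creates after the option is enabled; a data dir populated earlier (under bitcoind's own umask 077 default when sysperms is unset) keeps its existing modes, so group members may still be unable to read the older block and chainstate files even though the option reports the dir as group-readable. Since the commit adds no migration step, either document this limitation on the option or have the existing preStart (which runs as root under `PermissionsStartOnly`) widen group read permissions on the existing tree when the option is enabled. Note also that `UMask=` applies to every process of the unit, including that preStart, which is presumably intended but worth a one-line comment such as `# Also applies to preStart; keeps group-readable, never world-readable`. The `serviceConfig` block this line belongs to continues outside the hunk.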
@@ -81,7 +81,14 @@ in {
 PermissionsStartOnly = "true";
 ExecStart = ''
 ${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
- ${optionalString (!cfg.high-memory) "--jsonrpc-import --index-batch-size=10"} \
+ ${if cfg.high-memory then
+ traceIf (!config.services.bitcoind.dataDirReadableByGroup) ''
+ Warning: For optimal electrs syncing performance, enable services.bitcoind.dataDirReadableByGroup.
+ Note that this disables wallet support in bitcoind.
+ '' ""
+ else
+ "--jsonrpc-import --index-batch-size=10"
+ } \
 --db-dir '${cfg.dataDir}' --daemon-dir '${config.services.bitcoind.dataDir}' \
 --electrum-rpc-addr=${toString cfg.address}:${toString cfg.port} ${cfg.extraArgs}
 '';
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 0d2b666..f36b2f6 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -46,8 +46,7 @@ in {
 services.bitcoind = {
 enable = true;
 listen = true;
- sysperms = if cfg.electrs.enable then true else null;
- disablewallet = if cfg.electrs.enable then true else null;
+ dataDirReadableByGroup = mkIf cfg.electrs.enable true;
 proxy = cfg.tor.client.socksListenAddress;
 enforceTor = true;
 port = 8333;
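Review bot: The `traceIf` guard in the high-memory branch keys only on `config.services.bitcoind.dataDirReadableByGroup`, so a user who made the data dir group-readable by setting `services.bitcoind.sysperms = true` and `disablewallet = true` directly (which is what the secure-node preset did before this commit) still gets the warning, while a user with the option enabled on a data dir populated before it was set gets none even though the files may still be unreadable. If electrs without `--jsonrpc-import` reads bitcoind's block files straight from `--daemon-dir`, an unreadable data dir in this mode is a startup failure rather than the "optimal syncing performance" concern the message describes; the wording should say that the daemon dir must be readable by the electrs user. A minimal tightening of the condition would be `traceIf (!(config.services.bitcoind.dataDirReadableByGroup || config.services.bitcoind.sysperms == true)) ''` so the manual configuration is recognised. The `ExecStart` string and enclosing `serviceConfig` continue outside the hunk.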