netns-bitcoind: allow RPC access from main netns

modules/bitcoind.nix

@@ -40,6 +40,7 @@ let
       '') (builtins.attrValues cfg.rpc.users)
     }
     ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
+    rpcconnect=${builtins.elemAt cfg.rpcbind 0}
     ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
 
     # Wallet options
@@ -275,17 +276,12 @@ in {
         description = "What type of addresses to use";
       };
       cli = mkOption {
-        type = types.package;
-        # Overriden on netns-isolation
-        default = cfg.cliBase;
-        description = "Binary to connect with the bitcoind instance.";
-      };
-      cliBase = mkOption {
         readOnly = true;
         type = types.package;
         default = pkgs.writeScriptBin "bitcoin-cli" ''
           exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
         '';
+        description = "Binary to connect with the bitcoind instance.";
       };
       enforceTor =  nix-bitcoin-services.enforceTor;
     };
@@ -341,9 +337,8 @@ in {
         fi
       '';
       postStart = ''
-        cd ${cfg.cliBase}/bin
         # Poll until bitcoind accepts commands. This can take a long time.
-        while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do
+        while ! ${cfg.cli}/bin/bitcoin-cli getnetworkinfo &> /dev/null; do
           sleep 1
         done
       '';
@@ -368,7 +363,7 @@ in {
       bindsTo = [ "bitcoind.service" ];
       after = [ "bitcoind.service" ];
       script = ''
-        cd ${cfg.cliBase}/bin
+        cd ${cfg.cli}/bin
         echo "Importing node banlist..."
         cat ${./banlist.cli.txt} | while read line; do
             if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then

modules/netns-isolation.nix

@@ -252,18 +252,11 @@ in {
 
     services.bitcoind = {
       bind = netns.bitcoind.address;
-      rpcbind = [
-        "${netns.bitcoind.address}"
-        "127.0.0.1"
-      ];
+      rpcbind = [ netns.bitcoind.address ];
       rpcallowip = [
-        "127.0.0.1"
-      ] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns;
-      cli = let
-        inherit (config.services.bitcoind) cliBase;
-      in pkgs.writeScriptBin cliBase.name ''
-        exec netns-exec ${netns.bitcoind.netnsName} ${cliBase}/bin/${cliBase.name} "$@"
-      '';
+        bridgeIp # For operator user
+        netns.bitcoind.address
+      ] ++ map (n: netns.${n}.address) netns.bitcoind.availableNetns;
     };
     systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
 

pkgs/netns-exec/src/main.c

@@ -12,7 +12,6 @@
 static char *allowed_netns[] = {
     "nb-lnd",
     "nb-lightning-loop",
-    "nb-bitcoind",
     "nb-liquidd",
     "nb-joinmarket"
 };

test/tests.nix

@@ -145,7 +145,7 @@ let testEnv = rec {
 
       services.bitcoind.regtest = true;
       systemd.services.bitcoind.postStart = mkAfter ''
-        cli=${config.services.bitcoind.cliBase}/bin/bitcoin-cli
+        cli=${config.services.bitcoind.cli}/bin/bitcoin-cli
         address=$($cli getnewaddress)
         $cli generatetoaddress 10 $address
       '';

test/tests.py

@@ -259,10 +259,11 @@ def _():
     assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
     assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop", "liquidd"])
 
-    # netns-exec should drop capabilities
-    assert_full_match(
-        "su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
-    )
+    if "joinmarket" in enabled_tests:
+        # netns-exec should drop capabilities
+        assert_full_match(
+            "su operator -c 'netns-exec nb-joinmarket capsh --print | grep Current'", "Current: =\n"
+        )
 
     if "clightning" in enabled_tests:
         # netns-exec should fail for unauthorized namespaces