joinmarket: run with group 'bitcoin'

Don't copy bitcoin-rpcpassword-privileged as root, instead run service with group "bitcoin". Same effect, less complexity. Note, PoLP still obeyed for joinmarket-ob-watcher.
2021-08-08 10:58:48 +02:00 · 2021-08-08 10:58:48 +02:00 · 6258d64cb6
commit 6258d64cb6
parent ed480a35af
1 changed files with 2 additions and 2 deletions
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@ -232,7 +232,7 @@ in {
      requires = [ "bitcoind.service" ];
      after = [ "bitcoind.service" ];
      serviceConfig = nbLib.defaultHardening // {
-        ExecStartPre = nbLib.privileged "joinmarket-create-config" ''
+        ExecStartPre = nbLib.script "joinmarket-create-config" ''
          install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg
          sed -i \
             "s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \
@ -270,7 +270,7 @@ in {
      group = cfg.group;
      home = cfg.dataDir;
      # Allow access to the tor control socket, needed for payjoin onion service creation
-      extraGroups = [ "tor" ];
+      extraGroups = [ "tor" "bitcoin" ];
    };
    users.groups.${cfg.group} = {};
    nix-bitcoin.operator = {