diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 29d5f30..6e785ad 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -30,12 +30,11 @@ let
 ${optionalString (cfg.rpcthreads != null) "rpcthreads=${toString cfg.rpcthreads}"}
 rpcport=${toString cfg.rpc.port}
 rpcwhitelistdefault=0
- ${concatMapStringsSep "\n"
- (rpcUser: ''
- rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
- ${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
- '')
- (attrValues cfg.rpc.users)
+ ${concatMapStrings (user: ''
+ ${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${passwordHMAC}"}
+ ${optionalString (user.rpcwhitelist != [])
+ "rpcwhitelist=${user.name}:${lib.strings.concatStringsSep "," user.rpcwhitelist}"}
+ '') (builtins.attrValues cfg.rpc.users)
 }
 ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
 ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
@@ -123,6 +122,11 @@ in {
 format $.
 '';
 };
+ passwordHMACFromFile = mkOption {
+ type = lib.types.bool;
+ internal = true;
+ default = false;
+ };
 rpcwhitelist = mkOption {
 type = types.listOf types.str;
 default = [];
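Review bot: The new rpcauth line interpolates `${passwordHMAC}` where the removed line used `rpcUser.passwordHMAC`; as printed here there is no `user.` qualifier, so unless a `passwordHMAC` binding exists in the enclosing `let` (which begins outside this hunk) Nix rejects the module with an undefined-variable error at parse time, before `optionalString` gets a chance to skip the string for users that set `passwordHMACFromFile`. If this is not an artefact of the page, the line should read `${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${user.passwordHMAC}"}`. The `let` that holds this config template starts before the hunk, so the binding cannot be confirmed from here.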
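Review bot: `passwordHMACFromFile` is declared `internal = true` with no description, so nothing in the option set records the contract it relies on: the HMAC is read at service start from `<secretsDir>/bitcoin-HMAC-<attrName>`, keyed by the user's attribute name (`privileged`, `public`) rather than by its `name` field, and `passwordHMAC` is then ignored for that user. A comment above the option would save the next maintainer from reconstructing that from the preStart script, e.g. `# When true, the rpcauth HMAC is read in preStart from ${secretsDir}/bitcoin-HMAC-<attribute name> and passwordHMAC is unused`. The submodule options block that holds this declaration starts and ends outside the hunk.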
@@ -296,13 +300,20 @@ in {
 requires = [ "nix-bitcoin-secrets.target" ];
 after = [ "network.target" "nix-bitcoin-secrets.target" ];
 wantedBy = [ "multi-user.target" ];
- preStart = ''
+ preStart = let
+ extraRpcauth = concatMapStrings (name: let
+ user = cfg.rpc.users.${name};
+ in optionalString user.passwordHMACFromFile ''
+ echo "rpcauth=${user.name}:$(cat ${secretsDir}/bitcoin-HMAC-${name})"
+ ''
+ ) (builtins.attrNames cfg.rpc.users);
+ in ''
 ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
-
- cfgpre=$(cat ${configFile}; printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged")
- cfg=$(echo "$cfgpre" | \
- sed "s/bitcoin-HMAC-privileged/$(cat ${secretsDir}/bitcoin-HMAC-privileged)/g" | \
- sed "s/bitcoin-HMAC-public/$(cat ${secretsDir}/bitcoin-HMAC-public)/g")
+ cfg=$(
+ cat ${configFile};
+ ${extraRpcauth}
+ printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged";
+ )
 confFile='${cfg.dataDir}/bitcoin.conf'
 if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
 install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index d49307f..8194b3e 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -77,13 +77,11 @@ in {
 rpcthreads = 16;
 rpc.users.privileged = {
 name = "bitcoinrpc";
- # Placeholder to be sed'd out by bitcoind preStart
- passwordHMAC = "bitcoin-HMAC-privileged";
+ passwordHMACFromFile = true;
 };
 rpc.users.public = {
 name = "publicrpc";
- # Placeholder to be sed'd out by bitcoind preStart
- passwordHMAC = "bitcoin-HMAC-public";
+ passwordHMACFromFile = true;
 rpcwhitelist = [
 "echo"
 "getinfo"
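Review bot: A missing or unreadable `bitcoin-HMAC-<name>` secret is not fatal in the added `echo` line: the `$(cat …)` runs inside `echo`'s argument, `echo` itself succeeds, and the script goes on to install a `bitcoin.conf` containing `rpcauth=bitcoinrpc:` with an empty HMAC, which bitcoind will either reject at startup or accept as a credential that can never authenticate. The path is also interpolated unquoted, unlike the `bitcoin-rpcpassword-privileged` read a few lines later, even though `name` is an arbitrary attribute-set key. Reading the secret into a variable first makes the failure stop the unit (assuming the preStart runs under `set -e`, as NixOS service scripts do): `hmac=$(cat "${secretsDir}/bitcoin-HMAC-${name}")` followed by `echo "rpcauth=${user.name}:$hmac"`. The service definition this `preStart` belongs to starts and ends outside the hunk.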
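Review bot: The dropped `# Placeholder to be sed'd out by bitcoind preStart` comments were the only place in this preset that said where the HMAC comes from, and the replacement `passwordHMACFromFile = true;` does not name the file. A one-line comment on each user keeps that visible, e.g. `# HMAC is read by bitcoind's preStart from <secretsDir>/bitcoin-HMAC-privileged (named after this attribute)` for `privileged` and the matching `bitcoin-HMAC-public` note for `public`.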