From 94258c505e774de5b1d45b672feeaeb60c16cbb0 Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Wed, 28 Nov 2018 22:58:36 +0000
Subject: [PATCH] Make RPC password a secret
---
 load-secrets.nix | 13 -------------
 modules/bitcoind.nix | 8 +++++---
 modules/clightning.nix | 15 ++++++--------
 modules/nixbitcoin.nix | 5 ++---
 network-vbox.nix | 9 +++++++++
 5 files changed, 22 insertions(+), 28 deletions(-)
 delete mode 100644 load-secrets.nix
diff --git a/load-secrets.nix b/load-secrets.nix
deleted file mode 100644
index 8fe236f..0000000
--- a/load-secrets.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-if builtins.pathExists ./secrets/secrets.nix then import ./secrets/secrets.nix else {
- prophet-openvpn-config = "";
- prophet-guest-openvpn-config = "";
- centrallake-openvpn-config = "";
- bower-openvpn-config = "";
- unifi_password_ro = "";
- alertmanager_smtp_pw = "";
- alertmanager_pushover_user = "";
- alertmanager_pushover_token = "";
- mpd_pw = "";
- mpd_icecast_pw = "";
- github_token = "";
-}
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index ad199e6..8e30664 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -28,7 +28,6 @@ let
 ${cfg.extraConfig}
 '';
 cmdlineOptions = concatMapStringsSep " " (arg: "'${arg}'") [
- "-conf=${configFile}"
 "-datadir=${cfg.dataDir}"
 "-pid=${pidFile}"
 ];
@@ -179,14 +178,16 @@ in { environment.systemPackages = [ cfg.package ]; systemd.services.bitcoind = { description = "Bitcoin daemon"; - after = [ "network.target" ]; + requires = [ "bitcoin-rpcpassword-key.service" ]; + after = [ "network.target" "bitcoin-rpcpassword-key.service" ]; wantedBy = [ "multi-user.target" ]; preStart = '' if ! test -e ${cfg.dataDir}; then mkdir -m 0770 -p '${cfg.dataDir}' chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}' fi - ln -sf '${configFile}' '${cfg.dataDir}/bitcoin.conf' + cp '${configFile}' '${cfg.dataDir}/bitcoin.conf' + echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf' ''; serviceConfig = { Type = "simple"; @@ -212,6 +213,7 @@ in { name = cfg.user; #uid = config.ids.uids.bitcoin; group = cfg.group; + extraGroups = [ "keys" ]; description = "Bitcoin daemon user"; home = cfg.dataDir; }; diff --git a/modules/clightning.nix b/modules/clightning.nix index ad62bbb..a8cbb4c 100644 --- a/modules/clightning.nix +++ b/modules/clightning.nix @@ -9,7 +9,6 @@ let autolisten=false network=bitcoin bitcoin-rpcuser=${cfg.bitcoin-rpcuser} - bitcoin-rpcpassword=${cfg.bitcoin-rpcpassword} ''; in { options.services.clightning = { @@ -33,12 +32,6 @@ in { Bitcoin RPC user ''; }; - bitcoin-rpcpassword = mkOption { - type = types.string; - description = '' - Bitcoin RPC password - ''; - }; }; config = mkIf cfg.enable { 
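Review bot: The new `cp '${configFile}' '${cfg.dataDir}/bitcoin.conf'` in preStart copies the store file with its store mode (0444 if `${configFile}` is a store path, as it appears to be), and the following `>>` then appends `rpcpassword=` to that same file, so the secret ends up in a config readable by every local user who can reach `${cfg.dataDir}`; the `mkdir -m 0770` only helps when this unit created the directory itself. Writing the copy with an explicit mode and owner closes that, e.g. `install -m 0640 -o '${cfg.user}' -g '${cfg.group}' '${configFile}' '${cfg.dataDir}/bitcoin.conf'` in place of the `cp`, and it also removes the dependence on preStart running as root to append to a read-only file, which is presumably why the clightning hunk needed a `chmod +w`. Separately, if `/secrets/bitcoin-rpcpassword` cannot be read, `$(cat …)` expands to nothing and bitcoind starts with an empty `rpcpassword=` line instead of failing; a `test -r /secrets/bitcoin-rpcpassword || exit 1` before the append would surface that at start rather than at first RPC. The systemd.services.bitcoind block continues outside the hunk.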
@@ -46,17 +39,21 @@ in { { description = "clightning User"; createHome = true; + extraGroups = [ "bitcoinrpc" "keys" ]; inherit home; }; systemd.services.clightning = { description = "Run clightningd"; - path = [ pkgs.clightning pkgs.bitcoin ]; + path = [ pkgs.bash pkgs.clightning pkgs.bitcoin ]; wantedBy = [ "multi-user.target" ]; requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; preStart = '' mkdir -p ${home}/.lightning - ln -sf ${configFile} ${home}/.lightning/config + rm -f ${home}/.lightning/config + cp ${configFile} ${home}/.lightning/config + chmod +w ${home}/.lightning/config + echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${home}/.lightning/config' ''; serviceConfig = { diff --git a/modules/nixbitcoin.nix b/modules/nixbitcoin.nix index 3aebadf..a5ef907 100644 --- a/modules/nixbitcoin.nix +++ b/modules/nixbitcoin.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.nixbitcoin; - secrets = import ../load-secrets.nix; in { imports = [ @@ -24,6 +23,8 @@ in { }; config = mkIf cfg.enable { + users.groups.bitcoinrpc = {}; + # Tor services.tor.enable = true; services.tor.client.enable = true; @@ -40,7 +41,6 @@ in { services.bitcoind.proxy = config.services.tor.client.socksListenAddress; services.bitcoind.port = 8333; services.bitcoind.rpcuser = "bitcoinrpc"; - services.bitcoind.rpcpassword = secrets.bitcoinrpcpassword; services.bitcoind.extraConfig = '' assumevalid=0000000000000000000726d186d6298b5054b9a5c49639752294b322a305d240 addnode=ecoc5q34tmbq54wl.onion @@ -51,7 +51,6 @@ in { # clightning services.clightning.enable = true; services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser; - services.clightning.bitcoin-rpcpassword = config.services.bitcoind.rpcpassword; # nodeinfo systemd.services.nodeinfo = { diff --git a/network-vbox.nix b/network-vbox.nix index 262d70b..ba1b5fb 100644 --- a/network-vbox.nix +++ b/network-vbox.nix 
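Review bot: `chmod +w ${home}/.lightning/config` on the copied store file produces a 0644 file (0444 from the store plus the umask-limited owner write bit), so the `bitcoin-rpcpassword=` line appended right after it is readable by every local user that can traverse `${home}`. A fixed mode is the safer choice: replace the `chmod +w` line with `chmod 0600 ${home}/.lightning/config`, or collapse `rm -f`/`cp`/`chmod` into a single `install -m 0600 ${configFile} ${home}/.lightning/config`. The same copy-then-append pattern in the bitcoind hunk has the same issue. The `keys` entry in `extraGroups` is not what grants access to this particular key, since network-vbox.nix assigns it group `bitcoinrpc` with `0440`; keep `keys` only if other nixops keys with the default group are expected. The systemd.services.clightning block continues outside the hunk.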
@@ -1,3 +1,6 @@ +let + secrets = import ./secrets/secrets.nix; +in { bitcoin-node = { config, pkgs, ... }: @@ -5,5 +8,11 @@ deployment.virtualbox.memorySize = 2048; # megabytes deployment.virtualbox.vcpu = 2; # number of cpus deployment.virtualbox.headless = true; + + deployment.keys.bitcoin-rpcpassword.text = secrets.bitcoinrpcpassword; + deployment.keys.bitcoin-rpcpassword.destDir = "/secrets/"; + deployment.keys.bitcoin-rpcpassword.user = "bitcoin"; + deployment.keys.bitcoin-rpcpassword.group = "bitcoinrpc"; + deployment.keys.bitcoin-rpcpassword.permissions = "0440"; }; }
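Review bot: The unconditional `secrets = import ./secrets/secrets.nix;` replaces the deleted load-secrets.nix fallback, so a missing file now aborts evaluation with a generic path error rather than silently deploying an empty password; that is the better failure mode, but nothing in the tree now tells a new deployer what the file must contain. A comment above the `let`, such as `# ./secrets/secrets.nix (presumably untracked) must define bitcoinrpcpassword`, would replace the documentation the removed fallback attribute set used to provide.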
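Review bot: `deployment.keys.bitcoin-rpcpassword.user = "bitcoin";` hard-codes the owner while bitcoind.nix refers to its daemon as `${cfg.user}`, so if that option is changeable the key silently becomes unreadable to the daemon; the hunk alone does not show whether it is, but if so both should derive from the same value. `destDir = "/secrets/";` also moves the key away from the nixops default key directory; if `/secrets` sits on persistent storage the password is kept on disk for the VM's lifetime rather than only at runtime, which is worth a one-line comment next to these lines if intended (`# key kept on disk so bitcoind can read it after reboot without a redeploy`, or whatever the actual reason is). `permissions = "0440"` with group `bitcoinrpc` is consistent with the clightning user's new group membership.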