Make RPC password a secret

This commit is contained in:
Jonas Nick 2018-11-28 22:58:36 +00:00
parent c4935008dc
commit 94258c505e
5 changed files with 22 additions and 28 deletions


@ -1,13 +0,0 @@
if builtins.pathExists ./secrets/secrets.nix then import ./secrets/secrets.nix else {
prophet-openvpn-config = "";
prophet-guest-openvpn-config = "";
centrallake-openvpn-config = "";
bower-openvpn-config = "";
unifi_password_ro = "";
alertmanager_smtp_pw = "";
alertmanager_pushover_user = "";
alertmanager_pushover_token = "";
mpd_pw = "";
mpd_icecast_pw = "";
github_token = "";
}


@ -28,7 +28,6 @@ let
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
cmdlineOptions = concatMapStringsSep " " (arg: "'${arg}'") [ cmdlineOptions = concatMapStringsSep " " (arg: "'${arg}'") [
"-conf=${configFile}"
"-datadir=${cfg.dataDir}" "-datadir=${cfg.dataDir}"
"-pid=${pidFile}" "-pid=${pidFile}"
]; ];
@ -179,14 +178,16 @@ in {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
systemd.services.bitcoind = { systemd.services.bitcoind = {
description = "Bitcoin daemon"; description = "Bitcoin daemon";
after = [ "network.target" ]; requires = [ "bitcoin-rpcpassword-key.service" ];
after = [ "network.target" "bitcoin-rpcpassword-key.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
if ! test -e ${cfg.dataDir}; then if ! test -e ${cfg.dataDir}; then
mkdir -m 0770 -p '${cfg.dataDir}' mkdir -m 0770 -p '${cfg.dataDir}'
chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}' chown '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
fi fi
ln -sf '${configFile}' '${cfg.dataDir}/bitcoin.conf' cp '${configFile}' '${cfg.dataDir}/bitcoin.conf'
echo "rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
''; '';
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
@ -212,6 +213,7 @@ in {
name = cfg.user; name = cfg.user;
#uid = config.ids.uids.bitcoin; #uid = config.ids.uids.bitcoin;
group = cfg.group; group = cfg.group;
extraGroups = [ "keys" ];
description = "Bitcoin daemon user"; description = "Bitcoin daemon user";
home = cfg.dataDir; home = cfg.dataDir;
}; };
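Review bot: The `cp` on the new side of the preStart hunk still fails on a node that was deployed with the previous `ln -sf` line, because `${cfg.dataDir}/bitcoin.conf` is then a symlink into the read-only store and `cp` writes through it; the clightning hunk in this same commit does `rm -f` first, and this module needs the same. The copy also inherits the store file's 0444 mode, so a bitcoin.conf that now carries `rpcpassword=` is readable by anyone who can traverse `${cfg.dataDir}` (only freshly created directories get the 0770 from the mkdir). Replacing the `cp` with `install -m 0440 -o '${cfg.user}' -g '${cfg.group}' '${configFile}' '${cfg.dataDir}/bitcoin.conf'` replaces a stale symlink, sets an explicit owner and mode, and keeps the `echo >>` working, since the existing `chown` in preStart indicates it already runs with enough privilege. The `systemd.services.bitcoind` attribute set continues past the end of this hunk.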


@ -9,7 +9,6 @@ let
autolisten=false autolisten=false
network=bitcoin network=bitcoin
bitcoin-rpcuser=${cfg.bitcoin-rpcuser} bitcoin-rpcuser=${cfg.bitcoin-rpcuser}
bitcoin-rpcpassword=${cfg.bitcoin-rpcpassword}
''; '';
in { in {
options.services.clightning = { options.services.clightning = {
@ -33,12 +32,6 @@ in {
Bitcoin RPC user Bitcoin RPC user
''; '';
}; };
bitcoin-rpcpassword = mkOption {
type = types.string;
description = ''
Bitcoin RPC password
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -46,17 +39,21 @@ in {
{ {
description = "clightning User"; description = "clightning User";
createHome = true; createHome = true;
extraGroups = [ "bitcoinrpc" "keys" ];
inherit home; inherit home;
}; };
systemd.services.clightning = systemd.services.clightning =
{ description = "Run clightningd"; { description = "Run clightningd";
path = [ pkgs.clightning pkgs.bitcoin ]; path = [ pkgs.bash pkgs.clightning pkgs.bitcoin ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" ];
preStart = '' preStart = ''
mkdir -p ${home}/.lightning mkdir -p ${home}/.lightning
ln -sf ${configFile} ${home}/.lightning/config rm -f ${home}/.lightning/config
cp ${configFile} ${home}/.lightning/config
chmod +w ${home}/.lightning/config
echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${home}/.lightning/config'
''; '';
serviceConfig = serviceConfig =
{ {
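Review bot: `chmod +w` on the copied clightning config only adds write bits to a file whose mode comes from a 0444 store path, so `${home}/.lightning/config` stays world-readable at the moment the next line appends the RPC password to it. Use an explicit mode instead, `chmod 0600 ${home}/.lightning/config`, which still allows the append by the owner; if preStart runs as root rather than the clightning user the file also needs a `chown` to that user or the daemon cannot read it — `serviceConfig` is cut off at the end of the hunk, so which user runs preStart cannot be confirmed here. The `echo` target is single-quoted while the three preceding lines leave `${home}` unquoted; one convention should be used for all four. The clightning unit's `requires`/`after` do not name `bitcoin-rpcpassword-key.service`; it reads `/secrets/bitcoin-rpcpassword` only because `bitcoind.service` is ordered after that unit, which is worth a one-line comment next to `after`.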


@ -4,7 +4,6 @@ with lib;
let let
cfg = config.services.nixbitcoin; cfg = config.services.nixbitcoin;
secrets = import ../load-secrets.nix;
in { in {
imports = imports =
[ [
@ -24,6 +23,8 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.groups.bitcoinrpc = {};
# Tor # Tor
services.tor.enable = true; services.tor.enable = true;
services.tor.client.enable = true; services.tor.client.enable = true;
@ -40,7 +41,6 @@ in {
services.bitcoind.proxy = config.services.tor.client.socksListenAddress; services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
services.bitcoind.port = 8333; services.bitcoind.port = 8333;
services.bitcoind.rpcuser = "bitcoinrpc"; services.bitcoind.rpcuser = "bitcoinrpc";
services.bitcoind.rpcpassword = secrets.bitcoinrpcpassword;
services.bitcoind.extraConfig = '' services.bitcoind.extraConfig = ''
assumevalid=0000000000000000000726d186d6298b5054b9a5c49639752294b322a305d240 assumevalid=0000000000000000000726d186d6298b5054b9a5c49639752294b322a305d240
addnode=ecoc5q34tmbq54wl.onion addnode=ecoc5q34tmbq54wl.onion
@ -51,7 +51,6 @@ in {
# clightning # clightning
services.clightning.enable = true; services.clightning.enable = true;
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser; services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
services.clightning.bitcoin-rpcpassword = config.services.bitcoind.rpcpassword;
# nodeinfo # nodeinfo
systemd.services.nodeinfo = { systemd.services.nodeinfo = {
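Review bot: `users.groups.bitcoinrpc = {};` is declared in this module, but the group is consumed in the clightning module (`extraGroups = [ "bitcoinrpc" "keys" ]`) and in the deployment key's `group`, so the literal now lives in three files with nothing documenting the dependency. At minimum annotate the declaration, e.g. `# members may read the RPC password key (/secrets/bitcoin-rpcpassword, mode 0440); the clightning user is added to it`. Since NixOS merges repeated `users.groups.<name>` definitions, the modules that actually need the group could declare it themselves, which would keep the clightning module evaluable without this one. The `config = mkIf cfg.enable` block continues beyond the hunk.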


@ -1,3 +1,6 @@
let
secrets = import ./secrets/secrets.nix;
in
{ {
bitcoin-node = bitcoin-node =
{ config, pkgs, ... }: { config, pkgs, ... }:
@ -5,5 +8,11 @@
deployment.virtualbox.memorySize = 2048; # megabytes deployment.virtualbox.memorySize = 2048; # megabytes
deployment.virtualbox.vcpu = 2; # number of cpus deployment.virtualbox.vcpu = 2; # number of cpus
deployment.virtualbox.headless = true; deployment.virtualbox.headless = true;
deployment.keys.bitcoin-rpcpassword.text = secrets.bitcoinrpcpassword;
deployment.keys.bitcoin-rpcpassword.destDir = "/secrets/";
deployment.keys.bitcoin-rpcpassword.user = "bitcoin";
deployment.keys.bitcoin-rpcpassword.group = "bitcoinrpc";
deployment.keys.bitcoin-rpcpassword.permissions = "0440";
}; };
} }
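Review bot: `deployment.keys.bitcoin-rpcpassword.user = "bitcoin"` hard-codes the key owner, while the bitcoind module reads the key as whatever `cfg.user` is and only adds that user to the `keys` group, so a non-default `services.bitcoind.user` would be unable to read a 0440 file it does not own; `config` is in scope on this line, so `deployment.keys.bitcoin-rpcpassword.user = config.services.bitcoind.user;` keeps the two in step, assuming `cfg` in that module is `services.bitcoind`. Two points here deserve a comment because they change behaviour silently: `destDir = "/secrets/"` persists the password on the node's disk, whereas the NixOps default key directory is a tmpfs, and replacing the deleted load-secrets.nix `pathExists` fallback with a bare `import ./secrets/secrets.nix` makes evaluation fail outright when that file is absent. A line such as `# secrets/secrets.nix must exist; there is no fallback since load-secrets.nix was removed` above the `let` would capture the second.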