From d9c87b6a8f5f2649a8502e494cc2bc34397bd174 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 1 Feb 2021 22:53:17 +0100
Subject: [PATCH] joinmarket: fix wallet creation
- Fix jm-wallet-seed being globally readable.
- Handle seed extraction failures. If seed extraction fails, remove the newly created wallet. This guarantees that wallets always have an accompanying seed.
---
 modules/joinmarket.nix | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index dc8d646..2b9606c 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@@ -185,18 +185,19 @@ in {
 # Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
 ExecStartPost = mkIf (bitcoind.network == "mainnet") (nbLib.privileged ''
 walletname=wallet.jmdat
- pw=$(cat "${secretsDir}"/jm-wallet-password)
- mnemonic=${secretsDir}/jm-wallet-seed
- if [[ ! -f ${cfg.dataDir}/wallets/$walletname ]]; then
- echo Create joinmarket wallet
- # Use bash variables so commands don't proceed on previous failures
- # (like with pipes)
- cd ${cfg.dataDir} && \
- out=$(sudo -u ${cfg.user} \
- ${nbPkgs.joinmarket}/bin/jm-genwallet \
- --datadir=${cfg.dataDir} $walletname $pw)
- recoveryseed=$(echo "$out" | grep 'recovery_seed')
- echo "$recoveryseed" | cut -d ':' -f2 > $mnemonic
+ wallet=${cfg.dataDir}/wallets/$walletname
+ if [[ ! -f $wallet ]]; then
+ echo "Create wallet"
+ pw=$(cat "${secretsDir}"/jm-wallet-password)
+ cd ${cfg.dataDir}
+ if ! sudo -u ${cfg.user} ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \
+ | grep 'recovery_seed' \
+ | cut -d ':' -f2 \
+ | (umask u=r,go=; cat > "${secretsDir}/jm-wallet-seed"); then
+ echo "wallet creation failed"
+ rm -f "$wallet" "${secretsDir}/jm-wallet-seed"
+ exit 1
+ fi
 fi
 '');
 ExecStart = "${nbPkgs.joinmarket}/bin/joinmarketd";
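Review bot: The new `if ! sudo ... | grep 'recovery_seed' | cut -d ':' -f2 | (umask u=r,go=; cat > ...)` test only detects a failing `jm-genwallet` or a non-matching `grep` when `pipefail` is active; without it the pipeline's status is that of the final subshell, and an empty `jm-wallet-seed` would be kept beside a freshly created wallet. Whether `nbLib.privileged` enables `pipefail` is not visible in this hunk (it is defined elsewhere), so either add `set -o pipefail` before the `if`, or follow the pipeline with `[[ -s "${secretsDir}/jm-wallet-seed" ]] || { rm -f "$wallet" "${secretsDir}/jm-wallet-seed"; exit 1; }`. Separately, `$pw` is still expanded unquoted on the `jm-genwallet` command line, so a password containing whitespace or glob characters is split into several arguments; writing `"$pw"` fixes that. The password also remains readable in the process argument list while the command runs, which quoting does not change and which is worth a comment such as `# NOTE: wallet password is passed via argv`.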