Merge #325: bitcoind: enable cookie-based authentication

4e9059dc07 bitcoind: rename group bitcoinrpc -> bitcoinrpc-public (nixbitcoin)
19e401b028 bitcoind: enable cookie-based authentication (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 4e9059dc07

Tree-SHA512: 9795a0fe7fdd84bc3ae94b882b106f7169205e3196ecdfc6dad01c4f2d62380711b6504f221a90f21e8cc34cda2e12df05a245d5c54f9ed7846d74835cac5e19

modules/bitcoind.nix

@@ -327,8 +327,6 @@ in {
         cfg=$(
           cat ${configFile}
           ${extraRpcauth}
-          ${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
-          printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
           echo
           ${optionalString (cfg.getPublicAddressCmd != "") ''
             echo "externalip=$(${cfg.getPublicAddressCmd})"
@@ -339,6 +337,10 @@ in {
           install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
         fi
       '';
+      # Enable RPC access for group
+      postStart = ''
+        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      '';
       serviceConfig = nbLib.defaultHardening // {
         Type = "notify";
         NotifyAccess = "all";
@@ -382,13 +384,13 @@ in {
 
     users.users.${cfg.user}.group = cfg.group;
     users.groups.${cfg.group} = {};
-    users.groups.bitcoinrpc = {};
+    users.groups.bitcoinrpc-public = {};
     nix-bitcoin.operator.groups = [ cfg.group ];
 
     nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user;
     nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
       user = cfg.user;
-      group = "bitcoinrpc";
+      group = "bitcoinrpc-public";
     };
 
     nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = cfg.user;

modules/btcpayserver.nix

@@ -212,7 +212,7 @@ in {
 
     users.users.${cfg.nbxplorer.user} = {
       group = cfg.nbxplorer.group;
-      extraGroups = [ "bitcoinrpc" ];
+      extraGroups = [ "bitcoinrpc-public" ];
       home = cfg.nbxplorer.dataDir;
     };
     users.groups.${cfg.nbxplorer.group} = {};

modules/clightning.nix

@@ -144,7 +144,7 @@ in {
 
     users.users.${cfg.user} = {
       group = cfg.group;
-      extraGroups = [ "bitcoinrpc" ];
+      extraGroups = [ "bitcoinrpc-public" ];
     };
     users.groups.${cfg.group} = {};
     nix-bitcoin.operator.groups = [ cfg.group ];

modules/electrs.nix

@@ -110,7 +110,7 @@ in {
 
     users.users.${cfg.user} = {
       group = cfg.group;
-      extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.user ];
+      extraGroups = [ "bitcoinrpc-public" ] ++ optionals cfg.high-memory [ bitcoind.user ];
     };
     users.groups.${cfg.group} = {};
   };

modules/liquid.nix

@@ -247,7 +247,7 @@ in {
 
     users.users.${cfg.user} = {
       group = cfg.group;
-      extraGroups = [ "bitcoinrpc" ];
+      extraGroups = [ "bitcoinrpc-public" ];
     };
     users.groups.${cfg.group} = {};
     nix-bitcoin.operator.groups = [ cfg.group ];

modules/lnd.nix

@@ -275,7 +275,7 @@ in {
 
     users.users.${cfg.user} = {
       group = cfg.group;
-      extraGroups = [ "bitcoinrpc" ];
+      extraGroups = [ "bitcoinrpc-public" ];
       home = cfg.dataDir; # lnd creates .lnd dir in HOME
     };
     users.groups.${cfg.group} = {};

test/tests.py

@@ -103,6 +103,10 @@ def _():
     assert_running("bitcoind")
     machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
     assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"')
+
+    regtest = "regtest/" if "regtest" in enabled_tests else ""
+    assert_full_match(f"stat  -c '%a' /var/lib/bitcoind/{regtest}.cookie", "640\n")
+
     # RPC access for user 'public' should be restricted
     machine.fail(
         "bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"