From 19e401b0283e749e53261eedd5ce8ed604ad9ad5 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 17 Feb 2021 13:35:31 +0000
Subject: [PATCH 1/2] bitcoind: enable cookie-based authentication
---
 modules/bitcoind.nix | 6 ++++--
 test/tests.py | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 4340e7f..e834c65 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -327,8 +327,6 @@ in {
 cfg=$(
 cat ${configFile}
 ${extraRpcauth}
- ${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
- printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
 echo
 ${optionalString (cfg.getPublicAddressCmd != "") ''
 echo "externalip=$(${cfg.getPublicAddressCmd})"
@@ -339,6 +337,10 @@ in {
 install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
 fi
 '';
+ # Enable RPC access for group
+ postStart = ''
+ chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+ '';
 serviceConfig = nbLib.defaultHardening // {
 Type = "notify";
 NotifyAccess = "all";
diff --git a/test/tests.py b/test/tests.py
index 178706f..0eed546 100644
--- a/test/tests.py
+++ b/test/tests.py
@@ -103,6 +103,10 @@ def _():
 assert_running("bitcoind")
 machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
 assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"')
+ regtest = "regtest/" if "regtest" in enabled_tests else ""
+ assert_full_match(f"stat -c '%a' /var/lib/bitcoind/{regtest}.cookie", "640\n")
+
 # RPC access for user 'public' should be restricted
 machine.fail(
 "bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"
From 4e9059dc072f09e3d44c0f2a7a841981062c1f72 Mon Sep 17 00:00:00 2001
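Review bot: With the `rpcuser=`/`rpcpassword=` lines dropped from the generated config, nothing left in this hunk reads `bitcoin-rpcpassword-privileged`, yet `nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user` is still declared later in the same module (visible as context in the second patch). Unless another consumer outside the hunk still uses that secret, it is now dead material that keeps a privileged password on disk for no reader; either drop the declaration in this commit or state the new model where the old lines were, e.g. `${/* Privileged access is cookie-only now (see postStart); no rpcuser/rpcpassword are written */ ""}`. The config-generating shell block starts before and ends after this hunk.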
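Review bot: The comment `# Enable RPC access for group` understates what the `chmod g=r` grants: bitcoind's `.cookie` authenticates as a fully privileged RPC user, so every member of `cfg.group` gets unrestricted RPC, not the restricted access the `rpcauth` users get. Suggest `# Make the RPC cookie group-readable. The cookie grants full (privileged) RPC access, so membership of cfg.group equals privileged RPC.` Also, `postStart` runs only after the `Type = "notify"` readiness signal, so a group member calling RPC in the window before the chmod lands gets a permission error, and the chmod silently assumes the cookie already exists and carries `cfg.group` at that point; presumably true because bitcoind runs as `cfg.user`, but worth confirming, and if the file may not exist yet a short wait loop would make the dependency explicit.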
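Review bot: `stat -c '%a'` pins only the mode bits of the cookie, which proves little on its own: group-read is meaningful only if the file's group is the bitcoind group, and a 640 cookie owned by some other group would pass this assertion while exposing the privileged cookie to the wrong principals. Extending the format to `stat -c '%a %U %G'` and matching `"640 <bitcoind-user> <bitcoind-group>\n"` (constructed value; fill in the configured names) would pin ownership too. The `runuser -u operator -- bitcoin-cli` line above exercises cookie auth end-to-end only because operator is presumably in the bitcoind group via `nix-bitcoin.operator.groups`, which the test does not say; a comment such as `# operator is in the bitcoind group, so this exercises cookie-based auth` would make that dependency explicit. The enclosing test function `_()` starts before and ends after this hunk.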
From: nixbitcoin
Date: Thu, 18 Feb 2021 10:42:21 +0000
Subject: [PATCH 2/2] bitcoind: rename group bitcoinrpc -> bitcoinrpc-public
This makes it clear that services with this group can only use public RPC calls.
---
 modules/bitcoind.nix | 4 ++--
 modules/btcpayserver.nix | 2 +-
 modules/clightning.nix | 2 +-
 modules/electrs.nix | 2 +-
 modules/liquid.nix | 2 +-
 modules/lnd.nix | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index e834c65..f5fce4d 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -384,13 +384,13 @@ in {
 users.users.${cfg.user}.group = cfg.group;
 users.groups.${cfg.group} = {};
- users.groups.bitcoinrpc = {};
+ users.groups.bitcoinrpc-public = {};
 nix-bitcoin.operator.groups = [ cfg.group ];
 nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = cfg.user;
 nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
 user = cfg.user;
- group = "bitcoinrpc";
+ group = "bitcoinrpc-public";
 };
 nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = cfg.user;
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index a425777..d529883 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -212,7 +212,7 @@ in {
 users.users.${cfg.nbxplorer.user} = {
 group = cfg.nbxplorer.group;
- extraGroups = [ "bitcoinrpc" ];
+ extraGroups = [ "bitcoinrpc-public" ];
 home = cfg.nbxplorer.dataDir;
 };
 users.groups.${cfg.nbxplorer.group} = {};
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 69c53aa..6015b5a 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -144,7 +144,7 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" ];
+ extraGroups = [ "bitcoinrpc-public" ];
 };
 users.groups.${cfg.group} = {};
 nix-bitcoin.operator.groups = [ cfg.group ];
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 7c7956a..2828db4 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -110,7 +110,7 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ bitcoind.user ];
+ extraGroups = [ "bitcoinrpc-public" ] ++ optionals cfg.high-memory [ bitcoind.user ];
 };
 users.groups.${cfg.group} = {};
 };
diff --git a/modules/liquid.nix b/modules/liquid.nix
index de4931d..2c6e2f9 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -247,7 +247,7 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" ];
+ extraGroups = [ "bitcoinrpc-public" ];
 };
 users.groups.${cfg.group} = {};
 nix-bitcoin.operator.groups = [ cfg.group ];
diff --git a/modules/lnd.nix b/modules/lnd.nix
index ec8f33d..aa6aada 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -275,7 +275,7 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" ];
+ extraGroups = [ "bitcoinrpc-public" ];
 home = cfg.dataDir; # lnd creates .lnd dir in HOME
 };
 users.groups.${cfg.group} = {};