greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge #153: Improve bitcoind

Browse Source 
4dc6c3ba5d627d40a9eb2bd5b408fe0c87f56c9d add option 'dataDirReadableByGroup' (Erik Arvstedt)
3e188238d08ce0090b2affa150f25210c42b219e only update bitcoin.conf when changed (Erik Arvstedt)
08322eed9be055a2999d93ee5af77f0227465df3 use [[ test (Erik Arvstedt)
201fc3378297e1451f9d344f574abb570a137841 move line to relevant code section (blocks dir setup) (Erik Arvstedt)
1f8fe310d065fc744a455d205af9f9a9c9109d97 remove option 'configFileOption' (Erik Arvstedt)
4e5c1d7551796136ef6d341e99302320f20734e4 disable redundant logfile (Erik Arvstedt)
a05551fd1c5af487d0562225b6e4da1903228fbb improve config file formatting (Erik Arvstedt)
5e81d60d63d017d7d3f71b961d0703ddb093f672 improve formatting (Erik Arvstedt)
d60a5aa4db891cd26e85f7a268af8022ea64a0fe define rpc.users submodule inline (Erik Arvstedt)
1a2271fb14c34a90b395d41e17a3e15875e84a36 remove unused variable 'hexStr' (Erik Arvstedt)
4e92b1c818a1d04149dccb61e615c6c5ea022dcb remove redundant hardening options (Erik Arvstedt)
47fd6cd0f3e4cc65f1d73e6e3022f14deb574c4f simplify ExecStart (Erik Arvstedt)
64fc63cc40f1b673651170e837356ab70d1930de remove pidFile (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 4dc6c3ba5d627d40a9eb2bd5b408fe0c87f56c9d
  jonasnick:
    ACK 4dc6c3ba5d627d40a9eb2bd5b408fe0c87f56c9d

Tree-SHA512: 370dcabe89cc99480a3f272a5819607bce5e454b3000a95ff5b4a3b04819d0d8341385c2bbf0de361f061a43460bf87be10d2321a0525f19e121b28ede8f722e
This commit is contained in:
Jonas Nick 2020-04-18 18:57:30 +00:00
commit e97b132a37
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
3 changed files with 63 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
modules/bitcoind.nix
View File

@ -5,8 +5,11 @@ with lib;
let
cfg = config.services.bitcoind;
inherit (config) nix-bitcoin-services;
pidFile = "${cfg.dataDir}/bitcoind.pid";
configFile = pkgs.writeText "bitcoin.conf" ''
# We're already logging via journald
nodebuglogfile=1
${optionalString cfg.testnet "testnet=1"}
${optionalString (cfg.dbCache != null) "dbcache=${toString cfg.dbCache}"}
${optionalString (cfg.prune != null) "prune=${toString cfg.prune}"}
@ -14,7 +17,6 @@ let
${optionalString (cfg.disablewallet != null) "disablewallet=${if cfg.disablewallet then "1" else "0"}"}
${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
# Connection options
${optionalString (cfg.port != null) "port=${toString cfg.port}"}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
@ -22,7 +24,6 @@ let
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}
# RPC server options
rpcport=${toString cfg.rpc.port}
${concatMapStringsSep "\n"
@ -39,42 +40,13 @@ let
${optionalString (cfg.zmqpubrawblock != null) "zmqpubrawblock=${cfg.zmqpubrawblock}"}
${optionalString (cfg.zmqpubrawtx != null) "zmqpubrawtx=${cfg.zmqpubrawtx}"}
# Extra config options (from bitcoind nixos service)
# Extra options
${cfg.extraConfig}
'';
cmdlineOptions = concatMapStringsSep " " (arg: "'${arg}'") [
"-datadir=${cfg.dataDir}"
"-pid=${pidFile}"
];
hexStr = types.strMatching "[0-9a-f]+";
rpcUserOpts = { name, ... }: {
options = {
name = mkOption {
type = types.str;
example = "alice";
description = ''
Username for JSON-RPC connections.
'';
};
passwordHMAC = mkOption {
type = with types; uniq (strMatching "[0-9a-f]+\\$[0-9a-f]{64}");
example = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
description = ''
Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the
format <SALT-HEX>$<HMAC-HEX>.
'';
};
};
config = {
name = mkDefault name;
};
};
in {
options = {
services.bitcoind = {
enable = mkEnableOption "Bitcoin daemon";
package = mkOption {
type = types.package;
default = pkgs.nix-bitcoin.bitcoind;
@ -88,7 +60,6 @@ in {
par=16
rpcthreads=16
logips=1
'';
description = "Additional configurations to be appended to <filename>bitcoin.conf</filename>.";
};
@ -97,12 +68,6 @@ in {
default = "/var/lib/bitcoind";
description = "The data directory for bitcoind.";
};
configFileOption = mkOption {
type = types.path;
default = configFile;
description = "The data directory for bitcoind.";
};
user = mkOption {
type = types.str;
default = "bitcoin";
@ -113,7 +78,6 @@ in {
default = cfg.user;
description = "The group as which to run bitcoind.";
};
rpc = {
port = mkOption {
type = types.ints.u16;
@ -126,13 +90,33 @@ in {
alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
};
type = with types; loaOf (submodule rpcUserOpts);
type = with types; loaOf (submodule ({ name, ... }: {
options = {
name = mkOption {
type = types.str;
example = "alice";
description = ''
Username for JSON-RPC connections.
'';
};
passwordHMAC = mkOption {
type = with types; uniq (strMatching "[0-9a-f]+\\$[0-9a-f]{64}");
example = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
description = ''
Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the
format <SALT-HEX>$<HMAC-HEX>.
'';
};
};
config = {
name = mkDefault name;
};
}));
description = ''
RPC user information for JSON-RPC connnections.
'';
};
};
rpcuser = mkOption {
type = types.nullOr types.str;
default = "bitcoinrpc";
@ -143,7 +127,6 @@ in {
default = null;
description = "Password for JSON-RPC connections";
};
testnet = mkOption {
type = types.bool;
default = false;
@ -166,18 +149,27 @@ in {
If enabled, the bitcoin service will listen.
'';
};
dataDirReadableByGroup = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, data dir content is readable by the bitcoind service group.
Warning: This disables bitcoind's wallet support.
'';
};
sysperms = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Create new files with system default permissions, instead of umask 077 (only effective with disabled wallet functionality)
Create new files with system default permissions, instead of umask 077
(only effective with disabled wallet functionality)
'';
};
disablewallet = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Do not load the wallet and disable wallet RPC calls
Do not load the wallet and disable wallet RPC calls
'';
};
dbCache = mkOption {
@ -257,23 +249,32 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
services.bitcoind = mkIf cfg.dataDirReadableByGroup {
disablewallet = true;
sysperms = true;
};
systemd.services.bitcoind = {
description = "Bitcoin daemon";
requires = [ "nix-bitcoin-secrets.target" ];
after = [ "network.target" "nix-bitcoin-secrets.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
if ! test -e ${cfg.dataDir}; then
if [[ ! -e ${cfg.dataDir} ]]; then
mkdir -m 0770 -p '${cfg.dataDir}'
fi
if ! test -e ${cfg.dataDir}/blocks; then
if [[ ! -e ${cfg.dataDir}/blocks ]]; then
mkdir -m 0770 -p '${cfg.dataDir}/blocks'
fi
cp '${cfg.configFileOption}' '${cfg.dataDir}/bitcoin.conf'
chmod o-rw '${cfg.dataDir}/bitcoin.conf'
chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
echo "rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/bitcoin.conf'
chmod -R g+rX '${cfg.dataDir}/blocks'
cfg=$(cat ${configFile}; printf "rpcpassword="; cat "${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword")
confFile='${cfg.dataDir}/bitcoin.conf'
if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
fi
'';
# Wait until RPC port is open. This usually takes just a few ms.
postStart = ''
@ -282,19 +283,11 @@ in {
done
'';
serviceConfig = {
Type = "simple";
User = "${cfg.user}";
Group = "${cfg.group}";
ExecStart = "${cfg.package}/bin/bitcoind ${cmdlineOptions}";
PIDFile = "${pidFile}";
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
UMask = mkIf cfg.dataDirReadableByGroup "0027";
# Permission for preStart
PermissionsStartOnly = "true";

9
modules/electrs.nix
View File

@ -81,7 +81,14 @@ in {
PermissionsStartOnly = "true";
ExecStart = ''
${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \
${optionalString (!cfg.high-memory) "--jsonrpc-import --index-batch-size=10"} \
${if cfg.high-memory then
traceIf (!config.services.bitcoind.dataDirReadableByGroup) ''
Warning: For optimal electrs syncing performance, enable services.bitcoind.dataDirReadableByGroup.
Note that this disables wallet support in bitcoind.
'' ""
else
"--jsonrpc-import --index-batch-size=10"
} \
--db-dir '${cfg.dataDir}' --daemon-dir '${config.services.bitcoind.dataDir}' \
--electrum-rpc-addr=${toString cfg.address}:${toString cfg.port} ${cfg.extraArgs}
'';

3
modules/presets/secure-node.nix
View File

@ -46,8 +46,7 @@ in {
services.bitcoind = {
enable = true;
listen = true;
sysperms = if cfg.electrs.enable then true else null;
disablewallet = if cfg.electrs.enable then true else null;
dataDirReadableByGroup = mkIf cfg.electrs.enable true;
proxy = cfg.tor.client.socksListenAddress;
enforceTor = true;
port = 8333;