mirror of
https://github.com/fort-nix/nix-bitcoin.git
synced 2024-11-22 22:33:46 +03:00
bitcoind: enable cookie-based authentication
This commit is contained in:
parent
bcad047757
commit
19e401b028
@ -327,8 +327,6 @@ in {
|
||||
cfg=$(
|
||||
cat ${configFile}
|
||||
${extraRpcauth}
|
||||
${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
|
||||
printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
|
||||
echo
|
||||
${optionalString (cfg.getPublicAddressCmd != "") ''
|
||||
echo "externalip=$(${cfg.getPublicAddressCmd})"
|
||||
@ -339,6 +337,10 @@ in {
|
||||
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
|
||||
fi
|
||||
'';
|
||||
# Enable RPC access for group
|
||||
postStart = ''
|
||||
chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
|
||||
'';
|
||||
serviceConfig = nbLib.defaultHardening // {
|
||||
Type = "notify";
|
||||
NotifyAccess = "all";
|
||||
|
@ -103,6 +103,10 @@ def _():
|
||||
assert_running("bitcoind")
|
||||
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
||||
assert_matches("runuser -u operator -- bitcoin-cli getnetworkinfo | jq", '"version"')
|
||||
|
||||
regtest = "regtest/" if "regtest" in enabled_tests else ""
|
||||
assert_full_match(f"stat -c '%a' /var/lib/bitcoind/{regtest}.cookie", "640\n")
|
||||
|
||||
# RPC access for user 'public' should be restricted
|
||||
machine.fail(
|
||||
"bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"
|
||||
|
Loading…
Reference in New Issue
Block a user