Merge fort-nix/nix-bitcoin#723: bitcoind-rpc-public-whitelist: Add getnodeaddresses

da625fc13d bitcoind.rpc.users: improve example (Erik Arvstedt) a04c15958a btcpayserver: remove redundant RPC entry from whitelist (Erik Arvstedt) fee9dc8c17 bitcoind-rpc-public-whitelist: add `getnodeaddresses` (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK da625fc13d Tree-SHA512: a0e2394d3b5af13b06a6b6e8ecb6a228b4b2bf5b56b063c2029025cafb337de1d8431ec28ea4343f48b1e3534136080d00b450558c9e772afeee371b9ea70419
2024-11-22 22:33:46 +03:00 · 2024-08-02 15:06:51 +00:00 · 2024-08-02 15:06:51 +00:00 · ac5c280a6a
commit ac5c280a6a
parent 7dad87527f da625fc13d
4 changed files with 6 additions and 28 deletions
--- a/modules/bitcoind-rpc-public-whitelist.nix
+++ b/modules/bitcoind-rpc-public-whitelist.nix
@ -35,6 +35,7 @@
  "getnetworkhashps"
  # Network
  "getnetworkinfo"
  "getnodeaddresses"
  "getpeerinfo"
  # Rawtransactions
  "analyzepsbt"
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -109,7 +109,7 @@ let
          example = {
            alice = {
              passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
-              rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];
+              rpcwhitelist = [ "sendtoaddress" "getnewaddress" ];
            };
          };
          type = with types; attrsOf (submodule ({ name, ... }: {
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@ -117,7 +117,6 @@ in {
        rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
          "setban"
          "generatetoaddress"
          "getpeerinfo"
        ];
      };
      listenWhitelisted = true;
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -174,7 +174,7 @@ let
    ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
    bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
-    bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name}
+    bitcoind.rpcuser=${bitcoind.rpc.users.public.name}
    bitcoind.zmqpubrawblock=${zmqHandleSpecialAddress bitcoind.zmqpubrawblock}
    bitcoind.zmqpubrawtx=${zmqHandleSpecialAddress bitcoind.zmqpubrawtx}
@ -184,16 +184,11 @@ let
  '';
  zmqHandleSpecialAddress = builtins.replaceStrings [ "0.0.0.0" "[::]" ] [ "127.0.0.1" "[::1]" ];
  isPruned = bitcoind.prune > 0;
  # When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses`
  # to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go)
  rpcUser = if isPruned then "lnd" else "public";
 in {
  inherit options;
-  config = mkIf cfg.enable (mkMerge [ {
+  config = mkIf cfg.enable {
    assertions = [
      { assertion =
          !(config.services ? clightning)
@ -233,7 +228,7 @@ in {
      preStart = ''
        install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
        {
-          echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})"
+          echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)"
          ${optionalString (cfg.getPublicAddressCmd != "") ''
            echo "externalip=$(${cfg.getPublicAddressCmd})"
          ''}
@ -311,22 +306,5 @@ in {
      makePasswordSecret lnd-wallet-password
      makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
    '';
-  }
+  };
  (mkIf isPruned {
    services.bitcoind.rpc.users.lnd = {
      passwordHMACFromFile = true;
      rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [
        "getpeerinfo"
        "getnodeaddresses"
      ];
    };
    nix-bitcoin.secrets = {
      bitcoin-rpcpassword-lnd.user = cfg.user;
      bitcoin-HMAC-lnd.user = bitcoind.user;
    };
    nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = ''
      makeBitcoinRPCPassword lnd
    '';
  }) ]);
 }