bitcoind, liquidd: add whitelisted socket

This allows whitelisting local services without implicitly whitelisting all inbound onion connections, which would happen when setting bitcoind/liquidd option `whitelist=localhost`. Used by electrs and nbxplorer, which requires the unsafe `mempool` permission.
2021-10-29 17:56:57 +02:00 · 2021-10-29 17:56:57 +02:00 · 1da23cd933
commit 1da23cd933
parent 8c3a88b2e8
4 changed files with 54 additions and 27 deletions
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -58,9 +58,7 @@ in {

    services.bitcoind = {
      enable = true;
-      # Enable p2p connections
-      listen = true;
-      extraConfig = "whitelist=download@${nbLib.address cfg.address}";
+      listenWhitelisted = true;
    };

    systemd.tmpfiles.rules = [
@ -88,7 +86,7 @@ in {
          --electrum-rpc-addr=${cfg.address}:${toString cfg.port} \
          --monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \
          --daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \
-          --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.port} \
+          --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} \
          ${cfg.extraArgs}
        '';
        User = cfg.user;