add option 'dataDirReadableByGroup'

These settings are now more accessible for users who don't use
nix-bitcoin's default node config.
Additionally, remove 'other' permissions via umask.
This commit is contained in:
Erik Arvstedt 2020-04-07 23:05:10 +02:00
parent 3e188238d0
commit 4dc6c3ba5d
No known key found for this signature in database
GPG key ID: 33312B944DD97846
3 changed files with 24 additions and 3 deletions


@ -149,6 +149,14 @@ in {
If enabled, the bitcoin service will listen.
'';
};
dataDirReadableByGroup = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, data dir content is readable by the bitcoind service group.
Warning: This disables bitcoind's wallet support.
'';
};
sysperms = mkOption {
type = types.nullOr types.bool;
default = null;
@ -241,6 +249,12 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
services.bitcoind = mkIf cfg.dataDirReadableByGroup {
disablewallet = true;
sysperms = true;
};
systemd.services.bitcoind = {
description = "Bitcoin daemon";
requires = [ "nix-bitcoin-secrets.target" ];
@ -273,6 +287,7 @@ in {
Group = "${cfg.group}";
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027";
# Permission for preStart
PermissionsStartOnly = "true";
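Review bot: The `UMask = mkIf cfg.dataDirReadableByGroup "0027";` line in the third hunk strips 'other' bits only when the new option is set, yet `sysperms` (second hunk of the option block, a nullable bool) can still be enabled directly by a user without `dataDirReadableByGroup`; in that configuration bitcoind no longer applies its own restrictive umask and the service runs with systemd's default umask, so newly created data dir files are likely to carry 'other' read bits. Tying the umask to both paths, e.g. `UMask = mkIf (cfg.dataDirReadableByGroup || cfg.sysperms == true) "0027";`, closes that gap without changing the default-config behaviour. The umask also only governs files created after the option is turned on; whether pre-existing data dir content is re-permissioned presumably depends on the preStart referenced by the `# Permission for preStart` comment, which is outside this hunk, so the `dataDirReadableByGroup` description would benefit from a sentence stating that existing files keep their current mode. The enclosing `systemd.services.bitcoind` attribute set continues past the hunk.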