bitcoind: switch from rpcpassword to rpcauth

Includes bitcoind's `share/rpcauth` to convert apg generated passwords into salted HMAC-SHA-256 hashed passwords.
2020-06-22 12:10:54 +00:00 · 2020-06-22 12:10:54 +00:00 · 5a978a2836
commit 5a978a2836
parent 272b8568e7
9 changed files with 84 additions and 24 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -5,6 +5,7 @@ with lib;
 let
  cfg = config.services.bitcoind;
  inherit (config) nix-bitcoin-services;
+  secretsDir = config.nix-bitcoin.secretsDir;

  configFile = pkgs.writeText "bitcoin.conf" ''
    # We're already logging via journald
@ -33,8 +34,8 @@ let
    }
    ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
    ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
-    ${optionalString (cfg.rpcuser != null) "rpcuser=${cfg.rpcuser}"}
-    ${optionalString (cfg.rpcpassword != null) "rpcpassword=${cfg.rpcpassword}"}
+    # Credentials for bitcoin-cli
+    rpcuser=${cfg.rpc.users.privileged.name}

    # Wallet options
    ${optionalString (cfg.addresstype != null) "addresstype=${cfg.addresstype}"}
@ -110,7 +111,7 @@ in {
                '';
              };
              passwordHMAC = mkOption {
-                type = with types; uniq (strMatching "[0-9a-f]+\\$[0-9a-f]{64}");
+                type = types.str;
                example = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
                description = ''
                  Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the
@ -141,16 +142,6 @@ in {
          Allow JSON-RPC connections from specified source.
        '';
      };
-      rpcuser = mkOption {
-          type = types.nullOr types.str;
-          default = "bitcoinrpc";
-          description = "Username for JSON-RPC connections";
-      };
-      rpcpassword = mkOption {
-          type = types.nullOr types.str;
-          default = null;
-          description = "Password for JSON-RPC connections";
-      };
      testnet = mkOption {
        type = types.bool;
        default = false;
@ -297,7 +288,10 @@ in {
      preStart = ''
        ${optionalString cfg.dataDirReadableByGroup  "chmod -R g+rX '${cfg.dataDir}/blocks'"}

-        cfg=$(cat ${configFile}; printf "rpcpassword="; cat "${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword")
+        cfgpre=$(cat ${configFile}; printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged")
+        cfg=$(echo "$cfgpre" | \
+        sed "s/bitcoin-HMAC-privileged/$(cat ${secretsDir}/bitcoin-HMAC-privileged)/g" | \
+        sed "s/bitcoin-HMAC-public/$(cat ${secretsDir}/bitcoin-HMAC-public)/g")
        confFile='${cfg.dataDir}/bitcoin.conf'
        if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
          install -o '${cfg.user}' -g '${cfg.group}' -m 640  <(echo "$cfg") $confFile
@ -355,9 +349,13 @@ in {
    users.groups.${cfg.group} = {};
    users.groups.bitcoinrpc = {};

-    nix-bitcoin.secrets.bitcoin-rpcpassword = {
+    nix-bitcoin.secrets.bitcoin-rpcpassword-privileged.user = "bitcoin";
+    nix-bitcoin.secrets.bitcoin-rpcpassword-public = {
      user = "bitcoin";
      group = "bitcoinrpc";
    };
+
+    nix-bitcoin.secrets.bitcoin-HMAC-privileged.user = "bitcoin";
+    nix-bitcoin.secrets.bitcoin-HMAC-public.user = "bitcoin";
  };
 }
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -13,7 +13,7 @@ let
    always-use-proxy=${if cfg.always-use-proxy then "true" else "false"}
    ${optionalString (cfg.bind-addr != null) "bind-addr=${cfg.bind-addr}"}
    ${optionalString (cfg.bitcoin-rpcconnect != null) "bitcoin-rpcconnect=${cfg.bitcoin-rpcconnect}"}
-    bitcoin-rpcuser=${config.services.bitcoind.rpcuser}
+    bitcoin-rpcuser=${config.services.bitcoind.rpc.users.public.name}
    rpc-file-mode=0660
  '';
 in {
@ -112,7 +112,7 @@ in {
        # The RPC socket has to be removed otherwise we might have stale sockets
        rm -f ${cfg.dataDir}/bitcoin/lightning-rpc
        chmod 600 ${cfg.dataDir}/config
-        echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
+        echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/config'
        ${optionalString cfg.announce-tor "echo announce-addr=$(cat /var/lib/onion-chef/clightning/clightning) >> '${cfg.dataDir}/config'"}
        '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -74,7 +74,7 @@ in {
      requires = [ "bitcoind.service" ];
      after = [ "bitcoind.service" ];
      preStart = ''
-        echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
+        echo "cookie = \"${config.services.bitcoind.rpc.users.public.name}:$(cat ${secretsDir}/bitcoin-rpcpassword-public)\"" \
          > electrs.toml
        '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -246,7 +246,7 @@ in {
        chmod 640  '${cfg.dataDir}/elements.conf'
        chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
        echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
-        echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
+        echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/elements.conf'
      '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
        Type = "simple";
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -25,7 +25,7 @@ let
    ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}

    bitcoind.rpchost=${cfg.bitcoind-host}
-    bitcoind.rpcuser=${config.services.bitcoind.rpcuser}
+    bitcoind.rpcuser=${config.services.bitcoind.rpc.users.public.name}
    bitcoind.zmqpubrawblock=${config.services.bitcoind.zmqpubrawblock}
    bitcoind.zmqpubrawtx=${config.services.bitcoind.zmqpubrawtx}

@ -145,7 +145,7 @@ in {
      after = [ "bitcoind.service" ] ++ onion-chef-service;
      preStart = ''
        install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
-        echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
+        echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" >> '${cfg.dataDir}/lnd.conf'
        ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
      '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -73,6 +73,16 @@ in {
      discover = false;
      addresstype = "bech32";
      dbCache = 1000;
+      rpc.users.privileged = {
+        name = "bitcoinrpc";
+        # Placeholder to be sed'd out by bitcoind preStart
+        passwordHMAC = "bitcoin-HMAC-privileged";
+      };
+      rpc.users.public = {
+        name = "publicrpc";
+        # Placeholder to be sed'd out by bitcoind preStart
+        passwordHMAC = "bitcoin-HMAC-public";
+      };
    };
    services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };

@ -96,7 +106,7 @@ in {
      rpcuser = "liquidrpc";
      prune = 1000;
      extraConfig = ''
-        mainchainrpcuser=${cfg.bitcoind.rpcuser}
+        mainchainrpcuser=${config.services.bitcoind.rpc.users.public.name}
        mainchainrpcport=8332
      '';
      validatepegin = true;