From fee9dc8c175b7b6777c5813d9ff51d2e8d9726dc Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 31 Jul 2024 18:09:45 +0200 Subject: [PATCH 1/3] bitcoind-rpc-public-whitelist: add `getnodeaddresses` `getnodeaddresses` returns addresses of peers the bitcoind instance has seen over its lifetime. It's safe for public use. --- modules/bitcoind-rpc-public-whitelist.nix | 1 + modules/lnd.nix | 30 +++-------------------- 2 files changed, 5 insertions(+), 26 deletions(-) diff --git a/modules/bitcoind-rpc-public-whitelist.nix b/modules/bitcoind-rpc-public-whitelist.nix index 0d3d204..425b5e2 100644 --- a/modules/bitcoind-rpc-public-whitelist.nix +++ b/modules/bitcoind-rpc-public-whitelist.nix @@ -35,6 +35,7 @@ "getnetworkhashps" # Network "getnetworkinfo" + "getnodeaddresses" "getpeerinfo" # Rawtransactions "analyzepsbt" diff --git a/modules/lnd.nix b/modules/lnd.nix index 78dadb7..701bb90 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -174,7 +174,7 @@ let ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"} bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port} - bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name} + bitcoind.rpcuser=${bitcoind.rpc.users.public.name} bitcoind.zmqpubrawblock=${zmqHandleSpecialAddress bitcoind.zmqpubrawblock} bitcoind.zmqpubrawtx=${zmqHandleSpecialAddress bitcoind.zmqpubrawtx} @@ -184,16 +184,11 @@ let ''; zmqHandleSpecialAddress = builtins.replaceStrings [ "0.0.0.0" "[::]" ] [ "127.0.0.1" "[::1]" ]; - - isPruned = bitcoind.prune > 0; - # When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses` - # to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go) - rpcUser = if isPruned then "lnd" else "public"; in { inherit options; - config = mkIf cfg.enable (mkMerge [ { + config = mkIf cfg.enable { assertions = [ { assertion = !(config.services ? clightning) 
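Review bot: The new `getnodeaddresses` entry in the Network group of the public whitelist carries no note of what it exposes or who depends on it, and the only rationale — lnd on a pruned node needing `getpeerinfo`/`getnodeaddresses` to fetch missing blocks via btcwallet's pruned_block_dispatcher — lives in the lnd.nix comment this same commit deletes. A later tidy-up of the whitelist could drop the entry and silently break lnd with `bitcoind.prune > 0`. Suggest keeping that dependency next to the entry, e.g. `"getnodeaddresses" # addrman peer addresses (already gossiped on P2P); required by lnd on pruned nodes`. The "already gossiped" part comes from Bitcoin Core's RPC help rather than from this diff, so phrase it as you see fit.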
@@ -233,7 +228,7 @@ in { preStart = '' install -m600 ${configFile} '${cfg.dataDir}/lnd.conf' { - echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})" + echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" ${optionalString (cfg.getPublicAddressCmd != "") '' echo "externalip=$(${cfg.getPublicAddressCmd})" ''} @@ -311,22 +306,5 @@ in { makePasswordSecret lnd-wallet-password makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}' ''; - } - - (mkIf isPruned { - services.bitcoind.rpc.users.lnd = { - passwordHMACFromFile = true; - rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [ - "getpeerinfo" - "getnodeaddresses" - ]; - }; - nix-bitcoin.secrets = { - bitcoin-rpcpassword-lnd.user = cfg.user; - bitcoin-HMAC-lnd.user = bitcoind.user; - }; - nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = '' - makeBitcoinRPCPassword lnd - ''; - }) ]); + }; } From a04c15958ab0677436eb32beceffdaeda8e5ed66 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 31 Jul 2024 18:11:09 +0200 Subject: [PATCH 2/3] btcpayserver: remove redundant RPC entry from whitelist `getpeerinfo` already exists in the public whitelist. --- modules/btcpayserver.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix index d5a8cd4..727b822 100644 --- a/modules/btcpayserver.nix +++ b/modules/btcpayserver.nix @@ -117,7 +117,6 @@ in { rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [ "setban" "generatetoaddress" - "getpeerinfo" ]; }; listenWhitelisted = true; From da625fc13d31e0c9213872656d1477ddd812f768 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 31 Jul 2024 18:11:58 +0200 Subject: [PATCH 3/3] bitcoind.rpc.users: improve example Add RPC entries that don't exist in the public whitelist. --- modules/bitcoind.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index 062915c..883618a 100644 --- a/modules/bitcoind.nix 
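Review bot: Dropping the `bitcoin-rpcpassword-lnd`/`bitcoin-HMAC-lnd` secret declarations and the `lndBitcoinRPC` generator in the last hunk leaves those files behind in the secrets directory of existing deployments, and nothing in this patch removes them. Since the `services.bitcoind.rpc.users.lnd` entry goes away in the same hunk, the leftover password no longer authenticates to bitcoind, so this is hygiene rather than exposure, but stale credential files tend to outlive the intent behind them. If the secrets framework does not already prune undeclared secrets (not visible from this hunk), a one-line note in the commit message or release notes asking operators to delete `bitcoin-rpcpassword-lnd` and `bitcoin-HMAC-lnd` from the secrets dir would close the loop.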
+++ b/modules/bitcoind.nix @@ -109,7 +109,7 @@ let example = { alice = { passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; - rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ]; + rpcwhitelist = [ "sendtoaddress" "getnewaddress" ]; }; }; type = with types; attrsOf (submodule ({ name, ... }: {
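Review bot: The replacement example whitelists `sendtoaddress` and `getnewaddress`, i.e. wallet RPCs that can move funds, with no signal that these are high-privilege grants. Option examples get copied verbatim, and a reader may not register that `rpcwhitelist` is a capability grant rather than a filter. A `#` comment inside the `example` value would most likely not survive docs rendering, so the caveat fits better in the option's `description` (outside this hunk), e.g. `Whitelist only the RPCs a service actually needs; wallet RPCs such as sendtoaddress can spend funds.` Alternatively, pick an example pair that is outside the public whitelist but non-spending.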