commit ceae2987a1da0255a187e57cfee61b612dd522a7
parent 1625c91c87dd12ca1943207f2219c7755e9a572e
Author: Antoine A <>
Date: Tue, 29 Jul 2025 19:24:00 +0200
bitcoin: fix dep and improve config & services
Diffstat:
14 files changed, 101 insertions(+), 45 deletions(-)
diff --git a/contrib/depolymerizer-bitcoin-dbconfig b/contrib/depolymerizer-bitcoin-dbconfig
@@ -133,28 +133,24 @@ fi
# Set permission for group user
if [ 0 = "$SKIP_INIT" ] || [ 1 = "$FORCE_PERMS" ]; then
- # Create DB group matching OS group name
- echo "Setting up database group '$DBGROUP'." 1>&2
- if ! sudo -i -u postgres createuser "$DBGROUP" 2>/dev/null; then
- echo "Database group '$DBGROUP' already existed. Continuing anyway." 1>&2
- fi
- if ! echo "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"$DBGROUP\"" |
- sudo -i -u postgres psql "$DBNAME"; then
- exit_fail "Failed to grant access to '$DBGROUP'."
- fi
-
# Update group users rights
DB_GRP="$(getent group "$DBGROUP" | sed -e "s/.*://g" -e "s/,/ /g")"
echo "Initializing permissions for '$DB_GRP' users." 1>&2
for GROUPIE in $DB_GRP; do
- if [ "$GROUPIE" != "$DBUSER" ]; then
- if ! sudo -i -u postgres createuser "$GROUPIE" 2>/dev/null; then
- echo "Database user '$GROUPIE' already existed. Continuing anyway." 1>&2
- fi
+ if ! sudo -i -u postgres createuser "$GROUPIE" 2>/dev/null; then
+ echo "Database user '$GROUPIE' already existed. Continuing anyway." 1>&2
+ fi
+ if ! echo "GRANT ALL PRIVILEGES ON DATABASE \"$DBNAME\" TO \"$GROUPIE\"" |
+ sudo -i -u postgres psql "$DBNAME"; then
+ exit_fail "Failed to grant access to database '$DBNAME' to '$GROUPIE'."
+ fi
+ if ! echo "GRANT USAGE ON SCHEMA depolymerizer_bitcoin TO \"$GROUPIE\"" |
+ sudo -i -u postgres psql "$DBNAME"; then
+ exit_fail "Failed to grant usage privilege on schema 'depolymerizer_bitcoin' to '$GROUPIE'."
fi
- if ! echo "GRANT ROLE \"$DBGROUP\" ON SCHEMA exchange TO \"$GROUPIE\"" |
+ if ! echo "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA depolymerizer_bitcoin TO \"$GROUPIE\"" |
sudo -i -u postgres psql "$DBNAME"; then
- exit_fail "Failed to make '$GROUPIE' part of '$DBGROUP' db group."
+ exit_fail "Failed to grant access to schema 'depolymerizer_bitcoin' to '$GROUPIE'."
fi
done
fi
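Review bot: `GRANT ALL PRIVILEGES ON DATABASE` on the new line granting database access gives every group member CREATE and TEMP on the database as well as CONNECT, which is more than a client of the `depolymerizer_bitcoin` schema needs; `GRANT CONNECT ON DATABASE \"$DBNAME\" TO \"$GROUPIE\"` is enough alongside the schema and table grants that follow. The `ON ALL TABLES IN SCHEMA` grant only covers tables that exist when this script runs, so tables added by a later migration will be inaccessible until it is re-run; if that is not intended, `ALTER DEFAULT PRIVILEGES IN SCHEMA depolymerizer_bitcoin GRANT ALL ON TABLES TO \"$GROUPIE\"` (scoped with `FOR ROLE` to whichever role creates the tables) closes the gap. Nothing is granted on sequences, which matters if any table uses serial or identity columns — worth confirming against the schema.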
diff --git a/debian/depolymerizer-bitcoin.depolymerizer-bitcoin-node.service b/debian/depolymerizer-bitcoin.depolymerizer-bitcoin-node.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=Bitcoin daemon
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/bitcoind -pid=/run/bitcoind/bitcoind.pid \
+ -conf=/etc/bitcoind/bitcoin.conf \
+ -datadir=/var/lib/bitcoind \
+ -startupnotify='systemd-notify --ready' \
+ -shutdownnotify='systemd-notify --stopping'
+
+User=depolymerizer-bitcoin-node
+Group=depolymerizer-bitcoin-cookie
+
+Restart=on-failure
+TimeoutStartSec=infinity
+TimeoutStopSec=600
+
+# /run/bitcoind
+RuntimeDirectory=bitcoind
+RuntimeDirectoryMode=0710
+
+# /etc/bitcoind
+ConfigurationDirectory=bitcoind
+ConfigurationDirectoryMode=0710
+
+# /var/lib/bitcoind
+StateDirectory=bitcoind
+StateDirectoryMode=0750
+
+StandardOutput=journal
+StandardError=journal
+
+PrivateTmp=true
+ProtectHome=full
+ProtectSystem=true
+NoNewPrivileges=true
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
+\ No newline at end of file
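Review bot: `-startupnotify='systemd-notify --ready'` and `-shutdownnotify='systemd-notify --stopping'` only have an effect when the unit declares `Type=notify` and `NotifyAccess=all`; as written the unit defaults to `Type=simple`, the notifications are not accepted, and `TimeoutStartSec=infinity` gates nothing. Adding `Type=notify` and `NotifyAccess=all` under `[Service]` makes the readiness handshake real. `StateDirectoryMode=0750` also disagrees with the `0740` this commit gives the same path in `debian/depolymerizer-bitcoin.tmpfiles`, so the two mechanisms will fight over the directory mode; pick one. `ProtectSystem=true` leaves `/etc` writable from the service's view even though its configuration is already supplied via `ConfigurationDirectory=`, so `ProtectSystem=full` (or `strict`, since all writable paths are `StateDirectory`/`RuntimeDirectory`) looks like a safe tightening — confirm bitcoind writes nowhere else.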
diff --git a/debian/depolymerizer-bitcoin.postinst b/debian/depolymerizer-bitcoin.postinst
@@ -5,21 +5,33 @@ set -e
# Group with access to our database
_DBGROUP=depolymerizer-bitcoin-db
+# Group with access to the bitcoind cookie
+_COOKIEGROUP=depolymerizer-bitcoin-cookie
+
# Different users for the different components
_HTTPDUSER=depolymerizer-bitcoin-httpd
_WORKERUSER=depolymerizer-bitcoin-worker
+_NODEUSER=depolymerizer-bitcoin-node
if [ "$1" = "configure" ] ; then
- # Create taler groups as needed
+ # Create groups as needed
if ! getent group ${_DBGROUP} >/dev/null; then
addgroup --quiet --system ${_DBGROUP}
fi
+ if ! getent group ${_COOKIEGROUP} >/dev/null; then
+ addgroup --quiet --system ${_COOKIEGROUP}
+ fi
# Create users as needed
if ! getent passwd ${_HTTPDUSER} >/dev/null; then
- adduser --quiet --system --no-create-home --ingroup ${_DBGROUP} ${_HTTPDUSER}
+ adduser --quiet --system --no-create-home ${_HTTPDUSER}
fi
+ sudo usermod -aG ${_DBGROUP} ${_HTTPDUSER}
if ! getent passwd ${_WORKERUSER} >/dev/null; then
- adduser --quiet --system --no-create-home --ingroup ${_DBGROUP} ${_WORKERUSER}
+ adduser --quiet --system --no-create-home ${_WORKERUSER}
+ fi
+ sudo usermod -aG ${_DBGROUP},${_COOKIEGROUP} ${_WORKERUSER}
+ if ! getent passwd ${_NODEUSER} >/dev/null; then
+ adduser --quiet --system --no-create-home ${_NODEUSER}
fi
# Update secret files permissions
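Review bot: `sudo usermod -aG …` on the two new lines for the httpd and worker users runs inside a maintainer script that already executes as root, so `sudo` adds nothing and silently depends on a package this one does not declare; call `usermod -aG ${_DBGROUP} ${_HTTPDUSER}` and `usermod -aG ${_DBGROUP},${_COOKIEGROUP} ${_WORKERUSER}` directly (or `adduser ${_HTTPDUSER} ${_DBGROUP}`, which is equally idempotent). `_NODEUSER` is created but never added to `${_COOKIEGROUP}`; that only works because the new unit sets `Group=` explicitly, and a comment such as `# node user gets the cookie group via Group= in its unit` would stop the next reader from "fixing" it. The enclosing `if [ "$1" = "configure" ]` block continues past the end of the hunk.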
diff --git a/debian/depolymerizer-bitcoin.postrm b/debian/depolymerizer-bitcoin.postrm
@@ -5,9 +5,13 @@ set -e
# Group with access to our database
_DBGROUP=depolymerizer-bitcoin-db
+# Group with access to the bitcoind cookie
+_COOKIEGROUP=depolymerizer-bitcoin-cookie
+
# Different users for the different components
_HTTPDUSER=depolymerizer-bitcoin-httpd
_WORKERUSER=depolymerizer-bitcoin-worker
+_NODEUSER=depolymerizer-bitcoin-node
if [ "$1" = "purge" ] ; then
# Remove permissions override
@@ -17,8 +21,10 @@ if [ "$1" = "purge" ] ; then
# Remove users
deluser --quiet --system ${_HTTPDUSER} || true
deluser --quiet --system ${_WORKERUSER} || true
+ deluser --quiet --system ${_NODEUSER} || true
# Remove groups
delgroup --only-if-empty --quiet ${_DBGROUP} || true
+ delgroup --only-if-empty --quiet ${_COOKIEGROUP} || true
fi
#DEBHELPER#
diff --git a/debian/depolymerizer-bitcoin.tmpfiles b/debian/depolymerizer-bitcoin.tmpfiles
@@ -0,0 +1,2 @@
+# Type Path Mode UID GID Age Argument
+d /var/lib/bitcoind 0740 depolymerizer-bitcoin-node depolymerizer-bitcoin-cookie - -
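Review bot: mode `0740` on `/var/lib/bitcoind` gives the `depolymerizer-bitcoin-cookie` group read but not execute on the directory, so group members (the worker) can list it but cannot open `/var/lib/bitcoind/.cookie` — the exact path the worker config in this commit points at; `d /var/lib/bitcoind 0750 depolymerizer-bitcoin-node depolymerizer-bitcoin-cookie - -` is needed for traversal. That also matches `StateDirectoryMode=0750` in the new node unit, which would otherwise reset the mode of the same directory at every start.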
diff --git a/debian/etc/bitcoind/bitcoin.conf b/debian/etc/bitcoind/bitcoin.conf
@@ -0,0 +1,4 @@
+txindex=1 # Enable full transaction indexes
+rpcservertimeout=0 # Disable RPC timeout
+rpccookieperms=group # Allow access to depolymerizer-bitcoin-cookie users
+datadir=/var/lib/bitcoind # For bitcoin-cli
+\ No newline at end of file
diff --git a/debian/etc/depolymerizer-bitcoin/conf.d/depolymerizer-bitcoin-httpd.conf b/debian/etc/depolymerizer-bitcoin/conf.d/depolymerizer-bitcoin-httpd.conf
@@ -2,8 +2,4 @@
[depolymerizer-bitcoin-httpd-wire-gateway-api]
# ENABLED = YES
-@inline-secret@ depolymerizer-bitcoin-httpd-wire-gateway-api ../secrets/depolymerizer-bitcoin-httpd.secret.conf
-
-[depolymerizer-bitcoin-httpd-revenue-api]
-# ENABLED = YES
-@inline-secret@ depolymerizer-bitcoin-httpd-revenue-api ../secrets/depolymerizer-bitcoin-httpd.secret.conf
-\ No newline at end of file
+@inline-secret@ depolymerizer-bitcoin-httpd-wire-gateway-api ../secrets/depolymerizer-bitcoin-httpd.secret.conf
+\ No newline at end of file
diff --git a/debian/etc/depolymerizer-bitcoin/conf.d/depolymerizer-bitcoin-worker.conf b/debian/etc/depolymerizer-bitcoin/conf.d/depolymerizer-bitcoin-worker.conf
@@ -1,5 +1,6 @@
# Configuration the bitcoin depolymerizer worker.
[depolymerizer-bitcoin-worker]
+RPC_COOKIE_FILE = /var/lib/bitcoind/.cookie
WALLET_NAME =
@inline-secret@ depolymerizer-bitcoin-worker ../secrets/depolymerizer-bitcoin-worker.secret.conf
\ No newline at end of file
diff --git a/debian/etc/depolymerizer-bitcoin/depolymerizer-bitcoin.conf b/debian/etc/depolymerizer-bitcoin/depolymerizer-bitcoin.conf
@@ -23,4 +23,9 @@
@inline-matching@ conf.d/*.conf
# Overrides from tools that help with configuration.
-@inline@ overrides.conf
-\ No newline at end of file
+@inline@ overrides.conf
+
+[depolymerizer-bitcoin]
+CURRENCY =
+WALLET =
+NAME =
+\ No newline at end of file
diff --git a/debian/etc/depolymerizer-bitcoin/secrets/depolymerizer-bitcoin-httpd.secret.conf b/debian/etc/depolymerizer-bitcoin/secrets/depolymerizer-bitcoin-httpd.secret.conf
@@ -1,7 +1,3 @@
[depolymerizer-bitcoin-httpd-wire-gateway-api]
# AUTH_METHOD = bearer
-# TOKEN =
-
-[depolymerizer-bitcoin-httpd-revenue-api]
-# AUTH_METHOD = bearer
# TOKEN =
\ No newline at end of file
diff --git a/depolymerizer-bitcoin/Cargo.toml b/depolymerizer-bitcoin/Cargo.toml
@@ -51,7 +51,8 @@ maintainer-scripts = "../debian/"
systemd-units = [
{ unit-name = "depolymerizer-bitcoin", enable = false, start = false, stop-on-upgrade = false },
{ unit-name = "depolymerizer-bitcoin-httpd", enable = false, start = false, stop-on-upgrade = false },
- { unit-name = "depolymerizer-bitcoinworker", enable = false, start = false, stop-on-upgrade = false },
+ { unit-name = "depolymerizer-bitcoin-worker", enable = false, start = false, stop-on-upgrade = false },
+ { unit-name = "depolymerizer-bitcoin-node", enable = false, start = false, stop-on-upgrade = false },
]
recommends = ["nginx | apache2 | httpd", "postgresql (>= 15.0)"]
assets = [
diff --git a/depolymerizer-bitcoin/depolymerizer-bitcoin.conf b/depolymerizer-bitcoin/depolymerizer-bitcoin.conf
@@ -12,21 +12,16 @@ WALLET_NAME =
# Password of the encrypted wallet
PASSWORD =
-# Number of blocks to consider a transaction confirmed
+# Number of blocks to consider a transactions durable
CONFIRMATION = 6
# An additional fee to deduce from the bounced amount
# BOUNCE_FEE = BTC:0
-# Specify the account type and therefore the indexing behavior.
-# This can either can be normal or exchange.
-# Exchange accounts bounce invalid incoming Taler transactions.
-ACCOUNT_TYPE = exchange
-
-# Number of worker's loops before worker shutdown
+# Number of worker's loops before worker shutdown (0 means never)
LIFETIME = 0
-# Delay in seconds before bumping an unconfirmed transaction fee (0 mean never)
+# Delay in seconds before bumping an unconfirmed transaction fee (0 means never)
BUMP_DELAY = 0
# RPC server address
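Review bot: the reworded comment reads `# Number of blocks to consider a transactions durable`; it should be `# Number of blocks to consider a transaction durable`. Dropping `ACCOUNT_TYPE` from the sample config is only safe if the parser now ignores or clearly rejects the key in already-deployed configs, which is not visible here.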
@@ -60,7 +55,7 @@ BIND_TO = 0.0.0.0
# What should be the file access permissions for UNIXPATH? Only used if SERVE is unix.
# UNIXPATH_MODE = 660
-# Number of requests to serve before server shutdown (0 mean never)
+# Number of requests to serve before server shutdown (0 means never)
LIFETIME = 0
[depolymerizer-bitcoin-httpd-wire-gateway-api]
diff --git a/depolymerizer-bitcoin/src/cli.rs b/depolymerizer-bitcoin/src/cli.rs
@@ -114,7 +114,7 @@ pub async fn run(cmd: Command, cfg: &Config) -> anyhow::Result<()> {
Command::Serve { check } => {
if check {
let cfg = ServeCfg::parse(cfg)?;
- if cfg.revenue.is_none() && cfg.wire_gateway.is_none() {
+ if cfg.wire_gateway.is_none() {
std::process::exit(1);
}
} else {
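Review bot: the `check` path still calls `std::process::exit(1)` with no message when `wire_gateway` is unset, so an operator running the check gets a failing status and no reason; since `run` returns `anyhow::Result<()>`, `anyhow::bail!("no API enabled: configure [depolymerizer-bitcoin-httpd-wire-gateway-api]")` reports the cause, lets the caller decide the exit code, and avoids skipping destructors the way `process::exit` does. With the revenue API gone this is now a single `Option` test, so the condition could also be `let Some(_) = cfg.wire_gateway else { bail!(...) };` if the file already uses `let else`. `run` begins and ends outside the hunk.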
diff --git a/depolymerizer-bitcoin/src/config.rs b/depolymerizer-bitcoin/src/config.rs
@@ -55,7 +55,6 @@ pub struct ServeCfg {
pub payto: PaytoURI,
pub serve: Serve,
pub wire_gateway: Option<ApiCfg>,
- pub revenue: Option<ApiCfg>,
pub currency: Currency,
pub lifetime: Option<u32>,
}
@@ -72,7 +71,6 @@ impl ServeCfg {
let wire_gateway =
ApiCfg::parse(cfg.section("depolymerizer-bitcoin-httpd-wire-gateway-api"))?;
- let revenue = ApiCfg::parse(cfg.section("depolymerizer-bitcoin-httpd-revenue-api"))?;
let sect = cfg.section("depolymerizer-bitcoin");
Ok(Self {
@@ -81,7 +79,6 @@ impl ServeCfg {
payto: payto.as_payto(),
serve,
wire_gateway,
- revenue,
})
}
}