init: dcrd, dcrwallet, and dcrctl at 2.0.6. init modules for dcrd and dcrwallet
@@ -0,0 +1,49 @@
# dcrd options

`dcrd` uses rpc credentials, so it's recommended to secure your secrets using a tool like [sops-nix](https://github.com/Mic92/sops-nix).

## sops-nix

Render `dcrd.conf` with `sops-nix` and point the service at it. Example:

```nix
{ config, lib, pkgs, ... }:
{
# Define credentials as secrets
sops.secrets."dcrd/rpcuser" = {};
sops.secrets."dcrd/rpcpass" = {};

# Render dcrd.conf owned by the dcrd service user/group
sops.templates."dcrd.conf" = {
owner = config.services.dcrd.user;
group = config.services.dcrd.group;
mode = "0440";
restartUnits = [ "dcrd.service" ];
content = ''
[Application Options]
# example settings
rpcuser=${config.sops.placeholder."dcrd/rpcuser"}
rpcpass=${config.sops.placeholder."dcrd/rpcpass"}
'';
};

# Ensure dcrd only starts when the config exists
systemd.services.dcrd.unitConfig.ConditionPathExists =
config.sops.templates."dcrd.conf".path;

# Point the module to the rendered config
services.dcrd = {
enable = true;
configFile = config.sops.templates."dcrd.conf".path;
};

}
```

## Notes

Instead of using DynamicUser, the module necessarily runs `dcrd` as a fixed `User`/`Group` and uses a non-private state directory so `rpc.cert` can be read by intended consumers.

- `dcrd` writes `rpc.cert` into its data dir (`--appdata`, defaulting to `/var/lib/dcrd`).
- Consumers (e.g., wallets, tooling) often need to read `rpc.cert` without elevated privileges.
- With `DynamicUser=true`, systemd places state under `/var/lib/private/dcrd` and uses an ephemeral UID, which prevents other users/services from traversing the directory and reading `rpc.cert`.
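Review bot: the Notes section explains why the state directory is left non-private so that `rpc.cert` can be read, but it never states which mode the module sets on `/var/lib/dcrd` or which files in that directory besides `rpc.cert` must stay readable only to the service user; add a sentence naming the directory mode and stating that the rendered `dcrd.conf` (which carries `rpcuser`/`rpcpass`) stays at mode `0440` under the service user/group rather than in that directory. The phrase "the module necessarily runs `dcrd` as a fixed `User`/`Group`" reads as if there were no alternative; "the module deliberately runs" matches the reasoning given in the bullets below it.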
@@ -0,0 +1,95 @@
# dcrwallet options

`dcrwallet` uses rpc credentials, so it's recommended to secure your secrets using a tool like [sops-nix](https://github.com/Mic92/sops-nix).

## sops-nix

Render `dcrwallet.conf` with `sops-nix` and point the service at it. For example, here's a sample configuration for a voting wallet:

```nix
{ config, lib, pkgs, ... }:
{
# Define credentials as secrets
sops.secrets."dcrwallet/rpcuser" = {};
sops.secrets."dcrwallet/rpcpass" = {};

sops.templates."dcrctl.conf" = {
path = "/home/operator/.dcrctl/dcrctl.conf";
owner = "operator";
group = "users";
mode = "0400";
content = ''
[Application Options]
rpcuser=${config.sops.placeholder."dcrwallet/rpcuser"}
rpcpass=${config.sops.placeholder."dcrwallet/rpcpass"}
rpccert=/var/lib/dcrwallet/rpc.cert
wallet=1
'';
};
sops.templates."dcrwallet.conf" = {
owner = config.services.dcrwallet.user;
group = config.services.dcrwallet.group;
mode = "0440";
restartUnits = [ "dcrwallet.service" ];
content = ''
[Application Options]
CAFile=/var/lib/dcrd/rpc.cert
rpclisten=0.0.0.0:9110
username=${config.sops.placeholder."dcrwallet/rpcpass"}
password=${config.sops.placeholder."dcrwallet/rpcpass"}
enablevoting=1
manualtickets=1
'';
};

# Ensure dcrwallet only starts when the config exists
systemd.services.dcrwallet.unitConfig.ConditionPathExists = config.sops.templates."dcrwallet.conf".path;

services.dcrwallet = {
enable = true;
configFile = config.sops.templates."dcrwallet.conf".path;
extraPackages = [
pkgs.dcrctl
pkgs.dcrd # promptsecret
];
operator = {
enable = true;
name = "stakey";
};
};
}
```

## Initialization

If you run dcrwallet as a service, here's how to intialize a wallet as `root`.

```bash
cd /var/lib/dcrwallet
export DCRWALLET_BIN=$(systemctl cat --runtime dcrwallet.service | grep ExecStart | awk '{print $1}' | cut -d= -f2)
doas -u dcrwallet $DCRWALLET_BIN \
--configfile=/run/secrets/rendered/dcrwallet.conf \
--appdata=/var/lib/dcrwallet \
--create
```

Then you need to start dcrwallet manually the first time to sync.

```sh
tmux new "doas -u dcrwallet $DCRWALLET_BIN --configfile=/run/secrets/rendered/dcrwallet.conf --appdata=/var/lib/dcrwallet"
```

## Using the operator

```sh
su - operator
dcrctl help
```

## Enable Voting

Use the operator account.

```sh
promptsecret | dcrwallet walletpassphrase - 0
```
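Review bot: in the `dcrwallet.conf` template, `username=${config.sops.placeholder."dcrwallet/rpcpass"}` substitutes the password into the username field; it should reference `"dcrwallet/rpcuser"`, otherwise the wallet's RPC username becomes the password and the `dcrctl.conf` template (which correctly uses `rpcuser`) can never authenticate against it. Three further points in the same file: `rpclisten=0.0.0.0:9110` binds the wallet RPC on every interface in what is presented as a sample voting-wallet configuration; the sample should listen on `127.0.0.1:9110` and mention wider binding only for the case where a remote client actually needs it. The operator is named `stakey` in `services.dcrwallet.operator.name`, yet `dcrctl.conf` is written to `/home/operator/.dcrctl/dcrctl.conf` owned by `operator` and the "Using the operator" section runs `su - operator`; pick one name so the rendered dcrctl config lands in the account that is actually used. In "Enable Voting", `promptsecret | dcrwallet walletpassphrase - 0` passes an RPC command to the `dcrwallet` daemon; the RPC client is `dcrctl` (installed via `extraPackages` and configured with `wallet=1`), so this should read `promptsecret | dcrctl walletpassphrase - 0`. Minor: "intialize" in the Initialization section.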