feat: Phase 1 — per-installation credential generation, eliminate hardcoded passwords
Generate unique random passwords at first boot for Bitcoin RPC, all database services (mempool, btcpay, immich, penpot, mysql-root), and Fedimint gateway. Credentials stored in /var/lib/archipelago/secrets/ with 600 permissions. Scripts: first-boot-containers.sh, deploy-to-target.sh, deploy-bitcoin-knots.sh, container-doctor.sh all read from secrets files instead of hardcoded values. Rust backend: new bitcoin_rpc module reads password from secrets file, env var, or dev fallback. All .basic_auth() calls and container config strings now use the shared credential reader instead of hardcoded "archipelago123". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -9,6 +9,16 @@
|
||||
|
||||
set -e
|
||||
|
||||
# Read per-installation Bitcoin RPC credentials
|
||||
SECRETS_DIR="/var/lib/archipelago/secrets"
|
||||
sudo mkdir -p "$SECRETS_DIR" && sudo chmod 700 "$SECRETS_DIR"
|
||||
if [ ! -f "$SECRETS_DIR/bitcoin-rpc-password" ]; then
|
||||
openssl rand -base64 24 | sudo tee "$SECRETS_DIR/bitcoin-rpc-password" > /dev/null
|
||||
sudo chmod 600 "$SECRETS_DIR/bitcoin-rpc-password"
|
||||
fi
|
||||
BITCOIN_RPC_USER="archipelago"
|
||||
BITCOIN_RPC_PASS=$(sudo cat "$SECRETS_DIR/bitcoin-rpc-password")
|
||||
|
||||
echo "╔════════════════════════════════════════════════════════════════╗"
|
||||
echo "║ Deploying Bitcoin Knots with Web UI ║"
|
||||
echo "╚════════════════════════════════════════════════════════════════╝"
|
||||
@@ -44,7 +54,7 @@ sudo podman run -d \
|
||||
-rpcallowip=0.0.0.0/0 \
|
||||
-rpcbind=0.0.0.0:8332 \
|
||||
-rpcuser=archipelago \
|
||||
-rpcpassword=archipelago123 \
|
||||
-rpcpassword=$BITCOIN_RPC_PASS \
|
||||
-dbcache=4096
|
||||
|
||||
echo " ✅ Bitcoin Knots node starting"
|
||||
@@ -115,7 +125,7 @@ echo " • Network: Port 8333 (Bitcoin P2P)"
|
||||
echo ""
|
||||
echo "📝 RPC Credentials:"
|
||||
echo " • User: archipelago"
|
||||
echo " • Pass: archipelago123"
|
||||
echo " • Pass: (stored in /var/lib/archipelago/secrets/bitcoin-rpc-password)"
|
||||
echo ""
|
||||
echo "⏰ Blockchain sync will take several hours to days."
|
||||
echo " Check progress: sudo podman logs -f bitcoin-knots"
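Review bot: `-rpcpassword=$BITCOIN_RPC_PASS` in the second hunk places the newly generated secret in the container's argv, where it is readable by any local user through `ps`/`/proc/<pid>/cmdline` and is persisted in `podman inspect` output, which undercuts the 600-permission file created in the first hunk. bitcoind's `-rpcauth` option takes a salted HMAC of the password (Bitcoin Core ships `share/rpcauth/rpcauth.py` to produce it), so only the hash needs to appear on the command line; a bind-mounted `bitcoin.conf` is the other common way to keep it off argv, and in either case the expansion should be quoted: `-rpcpassword="$BITCOIN_RPC_PASS" \`. In the first hunk, `openssl rand -base64 24 | sudo tee ...` creates the file under the default umask and only the following line tightens it to 600; creating it first with `sudo install -m 600 /dev/null "$SECRETS_DIR/bitcoin-rpc-password"` removes that window. The script runs under `set -e` without `pipefail`, so a failing `openssl` in that pipeline leaves an empty password file and the deploy continues with an empty `-rpcpassword=`; add `set -o pipefail` or guard with `[ -s "$SECRETS_DIR/bitcoin-rpc-password" ]` before reading it.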
|
||||
|
||||