feat: Phase 1 — per-installation credential generation, eliminate hardcoded passwords

Generate unique random passwords at first boot for Bitcoin RPC, all database
services (mempool, btcpay, immich, penpot, mysql-root), and Fedimint gateway.
Credentials stored in /var/lib/archipelago/secrets/ with 600 permissions.

Scripts: first-boot-containers.sh, deploy-to-target.sh, deploy-bitcoin-knots.sh,
container-doctor.sh all read from secrets files instead of hardcoded values.

Rust backend: new bitcoin_rpc module reads password from secrets file, env var,
or dev fallback. All .basic_auth() calls and container config strings now use
the shared credential reader instead of hardcoded "archipelago123".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-18 00:39:52 +00:00
parent f273816405
commit 809a976960
12 changed files with 1804 additions and 251 deletions


@@ -9,6 +9,16 @@
set -e
# Read per-installation Bitcoin RPC credentials
SECRETS_DIR="/var/lib/archipelago/secrets"
sudo mkdir -p "$SECRETS_DIR" && sudo chmod 700 "$SECRETS_DIR"
if [ ! -f "$SECRETS_DIR/bitcoin-rpc-password" ]; then
openssl rand -base64 24 | sudo tee "$SECRETS_DIR/bitcoin-rpc-password" > /dev/null
sudo chmod 600 "$SECRETS_DIR/bitcoin-rpc-password"
fi
BITCOIN_RPC_USER="archipelago"
BITCOIN_RPC_PASS=$(sudo cat "$SECRETS_DIR/bitcoin-rpc-password")
echo "╔════════════════════════════════════════════════════════════════╗"
echo "║ Deploying Bitcoin Knots with Web UI ║"
echo "╚════════════════════════════════════════════════════════════════╝"
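Review bot: the generation pipeline `openssl rand -base64 24 | sudo tee "$SECRETS_DIR/bitcoin-rpc-password"` runs under `set -e` but without `set -o pipefail`, so if `openssl` fails the pipeline still exits with `tee`'s zero status and an empty `bitcoin-rpc-password` file is created; on every later run the `[ ! -f ... ]` guard sees that file and keeps the empty password. Suggest adding `set -o pipefail` next to `set -e`, changing the guard to `[ ! -s "$SECRETS_DIR/bitcoin-rpc-password" ]`, and failing fast if `BITCOIN_RPC_PASS` is empty after the `sudo cat`.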
@@ -44,7 +54,7 @@ sudo podman run -d \
-rpcallowip=0.0.0.0/0 \
-rpcbind=0.0.0.0:8332 \
-rpcuser=archipelago \
-rpcpassword=archipelago123 \
-rpcpassword=$BITCOIN_RPC_PASS \
-dbcache=4096
echo " ✅ Bitcoin Knots node starting"
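Review bot: `-rpcpassword=$BITCOIN_RPC_PASS` still places the secret on the container command line, where it is readable through `podman inspect` and the host process list, so the protection gained from the 600-permission file is lost at this point; the expansion is also unquoted. Suggest supplying the credential through a `bitcoin.conf` mounted into the container, or through `-rpcauth=` with a salted hash derived from the stored password, and quoting the expansion (`"-rpcpassword=$BITCOIN_RPC_PASS"`) if the flag must remain. Note as well that `-rpcallowip=0.0.0.0/0` and `-rpcbind=0.0.0.0:8332` are unchanged, so the random password is now the only control on the RPC interface for any host that can reach port 8332.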
@@ -115,7 +125,7 @@ echo " • Network: Port 8333 (Bitcoin P2P)"
echo ""
echo "📝 RPC Credentials:"
echo " • User: archipelago"
echo " • Pass: archipelago123"
echo " • Pass: (stored in /var/lib/archipelago/secrets/bitcoin-rpc-password)"
echo ""
echo "⏰ Blockchain sync will take several hours to days."
echo " Check progress: sudo podman logs -f bitcoin-knots"
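Review bot: the path in `echo " • Pass: (stored in /var/lib/archipelago/secrets/bitcoin-rpc-password)"` repeats the literal already defined as `SECRETS_DIR` earlier in this script, so the message and the real location can drift apart if one is changed; suggest `echo " • Pass: (stored in $SECRETS_DIR/bitcoin-rpc-password)"`.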