Worker setup: fetch the stratum access-password → default-on stratum auth (Pithead #208 · #152 Phase 2)

[VijitSingh97]

Why

Phase 1 of authenticated stratum shipped on the Pithead side (#152 / p2pool-starter-stack/pithead#207): p2pool.stratum_password is an opt-in, default-off knob where a security-conscious operator sets each rig's xmrig pass by hand.

Phase 2 (this issue — the RigForge side): make it the zero-friction default. RigForge's worker provisioning already takes the stack hostname at setup — it should also retrieve the stratum password and write it into each rig's xmrig pass. Then Pithead can auto-generate the secret ("auto") and the whole stack ships with authenticated stratum on by default, the way PROXY_AUTH_TOKEN is already auto-managed — no manual rig edits.

This is the RigForge-side implementation of p2pool-starter-stack/pithead#208, which is the Pithead-side tracker (Pithead v1.1).

Scope

• At rigforge.sh setup, retrieve the stratum secret from the stack host — it lives in Pithead's .env as PROXY_STRATUM_PASSWORD and is surfaced by pithead status — and render it into the worker's xmrig pass.
• Rotation: if the operator regenerates the secret, workers need to re-fetch — define and document the refresh story.
• Cleartext-aware: this is LAN access control, not encryption (a TLS-on-stratum follow-on would pair with it).
• Open question (from pithead#208): exactly how the rig kit retrieves the secret from the stack host at setup (manual paste vs. a fetch endpoint).

Acceptance criteria

• Worker setup can fetch the stratum password from the stack host and write it into xmrig pass.
• Supports Pithead's "auto"-generated secret so stratum auth is on by default end-to-end.
• Rotation / refresh path defined and documented.
• Docs (docs/pithead-integration.md) cover retrieval + rotation.

Related

• RigForge: fetch the stratum access-password at worker setup → default-on stratum auth (Phase 2 of #152) pithead#208 — Pithead-side tracker.
• Honor & document the Pithead worker-API contract (port 8080 · token = rig name · restricted=true) #24 / Lock down the XMRig HTTP API on Linux (currently 0.0.0.0 + unrestricted + guessable token) #7 — the worker-API contract + API lockdown this sits alongside.