nix-bitcoin/modules/nix-bitcoin-services.nix

# See `man systemd.exec` and `man systemd.resource-control` for an explanation
# of the various systemd options available through this module.

lib: pkgs:

with lib;
{
  # These settings roughly follow systemd's "strict" security profile
  defaultHardening = {
      PrivateTmp = "true";
      ProtectSystem = "strict";
      ProtectHome = "true";
      NoNewPrivileges = "true";
      PrivateDevices = "true";
      MemoryDenyWriteExecute = "true";
      ProtectKernelTunables = "true";
      ProtectKernelModules = "true";
      ProtectControlGroups = "true";
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
      RestrictNamespaces = "true";
      LockPersonality = "true";
      IPAddressDeny = "any";
      PrivateUsers = "true";
      RestrictSUIDSGID = "true";
      RemoveIPC = "true";
      RestrictRealtime = "true";
      ProtectHostname = "true";
      CapabilityBoundingSet = "";
      # @system-service whitelist and docker seccomp blacklist (except for "clone"
      # which is a core requirement for systemd services)
      SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
      SystemCallArchitectures= "native";
  };

  # nodejs applications apparently rely on memory write execute
  nodejs = { MemoryDenyWriteExecute = "false"; };
  # Allow tor traffic. Allow takes precedence over Deny.
  allowTor = {
    IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
  };
  # Allow any traffic
  allowAnyIP = { IPAddressAllow = "any"; };
  allowAnyProtocol = { RestrictAddressFamilies = "~"; };

  enforceTor = mkOption {
    type = types.bool;
    default = false;
    description = ''
      "Whether to force Tor on a service by only allowing connections from and
      to 127.0.0.1;";
    '';
  };

  script = src: pkgs.writers.writeBash "script" ''
    set -eo pipefail
    ${src}
  '';
}
Refer to systemd man pages for hardening options 2019-08-19 13:44:10 -07:00			# See `man systemd.exec` and `man systemd.resource-control` for an explanation
			`# of the various systemd options available through this module.`

lnd: add strict hardening Add ProtectSystem=strict, remove PermissionStartOnly. Extract the section of postStart that needs secrets dir write access into a separate script with full privileges. Simplify preStart and fix dataDir quoting. 2020-05-22 06:59:18 -07:00			`lib: pkgs:`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00
			`with lib;`
nix-bitcoin-services: simplify formatting 2019-11-27 05:04:22 -08:00			`{`
service hardening: replace obtuse SystemCallFilter with @system-service @system-service whitelist and additional https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile blacklist. 2020-05-06 01:57:48 -07:00			`# These settings roughly follow systemd's "strict" security profile`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`defaultHardening = {`
			`PrivateTmp = "true";`
All modules: ProtectSystem = strict Add ReadWritePaths in all modules, except lnd which has ProtectSystem = full. 2020-05-05 08:15:16 -07:00			`ProtectSystem = "strict";`
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`ProtectHome = "true";`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`NoNewPrivileges = "true";`
			`PrivateDevices = "true";`
			`MemoryDenyWriteExecute = "true";`
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`ProtectKernelTunables = "true";`
			`ProtectKernelModules = "true";`
			`ProtectControlGroups = "true";`
			`RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";`
Restrict namespaces for systemd services by default 2019-04-28 06:11:27 -07:00			`RestrictNamespaces = "true";`
Fix memory deny write execute for nodejs services 2019-04-27 15:27:25 -07:00			`LockPersonality = "true";`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00			`IPAddressDeny = "any";`
service hardening: Add PrivateUsers Exceptions in webindex & onion-chef 2020-05-06 01:28:00 -07:00			`PrivateUsers = "true";`
service hardening: add more restrictions Add RestrictSUIDSGID Add RemoveIPC Add RestrictRealtime Add ProtectHostname 2020-05-06 01:19:14 -07:00			`RestrictSUIDSGID = "true";`
			`RemoveIPC = "true";`
			`RestrictRealtime = "true";`
			`ProtectHostname = "true";`
service hardening: Add CapabilityBoundingSets Whitelist with exceptions in webindex and onion-chef 2020-05-05 06:27:07 -07:00			`CapabilityBoundingSet = "";`
service hardening: replace obtuse SystemCallFilter with @system-service @system-service whitelist and additional https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile blacklist. 2020-05-06 01:57:48 -07:00			`# @system-service whitelist and docker seccomp blacklist (except for "clone"`
			`# which is a core requirement for systemd services)`
			`SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];`
Limit syscalls with Docker whitelist 2019-05-01 01:20:31 -07:00			`SystemCallArchitectures= "native";`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`};`
nix-bitcoin-services: simplify formatting 2019-11-27 05:04:22 -08:00
Rename service settings for 'node' to 'nodejs' to avoid confusion 2019-05-03 03:44:16 -07:00			`# nodejs applications apparently rely on memory write execute`
			`nodejs = { MemoryDenyWriteExecute = "false"; };`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00			`# Allow tor traffic. Allow takes precedence over Deny.`
Fix electrum after disallowing anything but localhost by adding ipv6 local address 2019-04-28 11:54:13 -07:00			`allowTor = {`
netns-isolation: netns architecture - Adds network namespace instantiation and routing architecture. - netns-isolation disabled by default. Can be enabled with configuration.nix FIXME. - Uses mkMerge to toggle certain options for non netns and netns systems. - Adds security wrapper for netns-exec which allows operator to exec with cap_sys_admin - User can select the 169.254.N.0/24 addressblock netns's are created in. - nix-bitcoin-services IpAddressAllow is amended with link-local addresses 2020-05-29 03:53:35 -07:00			`IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";`
Fix electrum after disallowing anything but localhost by adding ipv6 local address 2019-04-28 11:54:13 -07:00			`};`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00			`# Allow any traffic`
			`allowAnyIP = { IPAddressAllow = "any"; };`
Add allowAnyProtocol option to nix-bitcoin-services 2019-08-19 14:11:08 -07:00			`allowAnyProtocol = { RestrictAddressFamilies = "~"; };`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00
Fix identation 2019-08-07 05:52:34 -07:00			`enforceTor = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`"Whether to force Tor on a service by only allowing connections from and`
			`to 127.0.0.1;";`
			`'';`
			`};`
lnd: add strict hardening Add ProtectSystem=strict, remove PermissionStartOnly. Extract the section of postStart that needs secrets dir write access into a separate script with full privileges. Simplify preStart and fix dataDir quoting. 2020-05-22 06:59:18 -07:00
			`script = src: pkgs.writers.writeBash "script" ''`
			`set -eo pipefail`
			`${src}`
			`'';`
Move service hardening flags into separate file 2019-04-27 12:21:45 -07:00			`}`