From 7c70dd43acb1fdb75d43d0bcef570e3daffeb1e4 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Tue, 5 May 2020 15:18:41 +0200
Subject: [PATCH] All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of equally named attributes.
---
 modules/bitcoind.nix | 10 ++++------
 modules/clightning.nix | 5 ++---
 modules/electrs.nix | 5 ++---
 modules/lightning-charge.nix | 5 ++---
 modules/liquid.nix | 5 ++---
 modules/lnd.nix | 5 ++---
 modules/nanopos.nix | 5 ++---
 modules/nix-bitcoin-webindex.nix | 5 ++---
 modules/onion-chef.nix | 4 ++--
 modules/recurring-donations.nix | 5 ++---
 modules/spark-wallet.nix | 5 ++---
 11 files changed, 24 insertions(+), 35 deletions(-)
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 7d9d031..1f3a7ae 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -282,7 +282,7 @@ in {
 sleep 0.05
 done
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 User = "${cfg.user}";
 Group = "${cfg.group}";
 ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
@@ -291,8 +291,7 @@ in {
 # Permission for preStart
 PermissionsStartOnly = "true";
- } // nix-bitcoin-services.defaultHardening
- // (if cfg.enforceTor
+ } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP) // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol;
@@ -320,11 +319,10 @@ in {
 fi
 done
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 User = "${cfg.user}";
 Group = "${cfg.group}";
- } // nix-bitcoin-services.defaultHardening
- // nix-bitcoin-services.allowTor;
+ } // nix-bitcoin-services.allowTor;
 };
 users.users.${cfg.user} = {
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 4a08ae0..602b635 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
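Review bot: With `serviceConfig = nix-bitcoin-services.defaultHardening // { … }` every service-local attribute now silently wins over the hardening directive of the same name, and nothing in the hunk records that this is deliberate, so a later edit can flip the order back — the very mistake this commit corrects — without anything failing. A one-line comment above the assignment would pin the contract, e.g. `# defaultHardening goes first so the service-specific attributes below override it`. The `allowTor`/`allowAnyIP` sets (and `allowAnyProtocol`/`nodejs` where used) are still merged after the service block and therefore still override it on any shared key, which is presumably intended but runs in the opposite direction from the commit's stated rule and deserves a word in the same comment. The same applies to the hunks in clightning.nix, electrs.nix, lightning-charge.nix, liquid.nix, lnd.nix, nanopos.nix, nix-bitcoin-webindex.nix, onion-chef.nix, recurring-donations.nix and spark-wallet.nix; since the pattern is repeated eleven times, a single helper in nix-bitcoin-services that performs the merge would keep the precedence from drifting between modules. The enclosing systemd.services attribute sets begin and end outside the hunks.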
@@ -93,14 +93,13 @@ in {
 chmod 600 ${cfg.dataDir}/config
 echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 PermissionsStartOnly = "true";
 ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // (if cfg.enforceTor
+ } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
 );
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 5b62149..1c6df3b 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -74,7 +74,7 @@ in {
 echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
 > electrs.toml
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 RuntimeDirectory = "electrs";
 RuntimeDirectoryMode = "700";
 WorkingDirectory = "/run/electrs";
@@ -96,8 +96,7 @@ in {
 Group = cfg.group;
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // (if cfg.enforceTor
+ } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
 );
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index 0da37c3..ccf11bc 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -50,15 +50,14 @@ in {
 chmod 600 ${cfg.dataDir}/lightning-charge.db
 fi
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 PermissionsStartOnly = "true";
 EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
 ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
 User = user;
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // nix-bitcoin-services.nodejs
+ } // nix-bitcoin-services.nodejs
 // nix-bitcoin-services.allowTor;
 };
 nix-bitcoin.secrets.lightning-charge-env.user = user;
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 2bb604e..d5a7413 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -215,7 +215,7 @@ in {
 echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
 echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 Type = "simple";
 User = "${cfg.user}";
 Group = "${cfg.group}";
@@ -226,8 +226,7 @@ in {
 # Permission for preStart
 PermissionsStartOnly = "true";
- } // nix-bitcoin-services.defaultHardening
- // (if cfg.enforceTor
+ } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
 );
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 3df08b6..d5d41e3 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -91,14 +91,13 @@ in {
 chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf
 echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
 '';
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 PermissionsStartOnly = "true";
 ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
 User = "lnd";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // (if cfg.enforceTor
+ } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
 ) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index 2fa5894..6cc1529 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -58,14 +58,13 @@ in {
 wantedBy = [ "multi-user.target" ];
 requires = [ "lightning-charge.service" ];
 after = [ "lightning-charge.service" ];
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
 ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
 User = "nanopos";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // nix-bitcoin-services.nodejs
+ } // nix-bitcoin-services.nodejs
 // nix-bitcoin-services.allowTor;
 };
 users.users.nanopos = {
diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix
index 6eb8a02..be64f6d 100644
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@@ -81,15 +81,14 @@ in {
 jq
 sudo
 ];
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}";
 User = "root";
 Type = "simple";
 RemainAfterExit="yes";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // (if cfg.enforceTor
+ } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
 );
diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix
index df9c36f..a5084a3 100644
--- a/modules/onion-chef.nix
+++ b/modules/onion-chef.nix
@@ -73,11 +73,11 @@ in {
 wantedBy = [ "tor.service" ];
 bindsTo = [ "tor.service" ];
 after = [ "tor.service" ];
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
 Type = "oneshot";
 RemainAfterExit = true;
- } // nix-bitcoin-services.defaultHardening;
+ };
 };
 };
 }
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index dcc61a6..659891a 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -90,12 +90,11 @@ in {
 requires = [ "clightning.service" ];
 after = [ "clightning.service" ];
 path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
 User = "recurring-donations";
 Type = "oneshot";
- } // nix-bitcoin-services.defaultHardening
- // nix-bitcoin-services.allowTor;
+ } // nix-bitcoin-services.allowTor;
 };
 systemd.timers.recurring-donations = {
 requires = [ "clightning.service" ];
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index a4b5319..8c506a1 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -71,14 +71,13 @@ in {
 wantedBy = [ "multi-user.target" ];
 requires = [ "clightning.service" ] ++ onion-chef-service;
 after = [ "clightning.service" ] ++ onion-chef-service;
- serviceConfig = {
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
 PermissionsStartOnly = "true";
 ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
 User = "spark-wallet";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening
- // nix-bitcoin-services.nodejs
+ } // nix-bitcoin-services.nodejs
 // nix-bitcoin-services.allowTor;
 };
 nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";