All modules: Give service config precedence over defaultHardening

With the Nix attribute-set update operator '//', the right-hand operand takes precedence over the left-hand one for equally named attributes, so placing defaultHardening first lets each service's own serviceConfig override it.
This commit is contained in:
nixbitcoin 2020-05-05 15:18:41 +02:00
parent 0ac1e496b2
commit 7c70dd43ac
GPG Key ID: DD11F9AD5308B3BA
11 changed files with 24 additions and 35 deletions


@ -282,7 +282,7 @@ in {
sleep 0.05 sleep 0.05
done done
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.group}"; Group = "${cfg.group}";
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'"; ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
@ -291,8 +291,7 @@ in {
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening } // (if cfg.enforceTor
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP) else nix-bitcoin-services.allowAnyIP)
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol; // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol;
@ -320,11 +319,10 @@ in {
fi fi
done done
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.group}"; Group = "${cfg.group}";
} // nix-bitcoin-services.defaultHardening } // nix-bitcoin-services.allowTor;
// nix-bitcoin-services.allowTor;
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
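Review bot: With the new merge order the `optionalAttrs (...) allowAnyProtocol` operand is still the last one, so whenever ZMQ is configured it overrides any attribute that `allowTor` also sets, and `cfg.enforceTor` is silently weakened for those attributes; nothing at the merge site says this is intended. I would state the precedence once where the chain starts, e.g. `# Later operands win: service settings override defaultHardening, the network sets override both`, and either assert that the allowTor/allowAnyProtocol combination is acceptable or scope the ZMQ relaxation so the enforceTor branch is still honoured. Whether allowTor and allowAnyProtocol actually define overlapping attributes is not visible here (defaultHardening and the allow* sets are defined outside this section), so this is inferred from their names. The serviceConfig attribute set is split across the two hunks, so part of its body is outside what is shown.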


@ -93,14 +93,13 @@ in {
chmod 600 ${cfg.dataDir}/config chmod 600 ${cfg.dataDir}/config
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config' echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}"; ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}";
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // (if cfg.enforceTor
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
); );


@ -74,7 +74,7 @@ in {
echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \ echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
> electrs.toml > electrs.toml
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
RuntimeDirectory = "electrs"; RuntimeDirectory = "electrs";
RuntimeDirectoryMode = "700"; RuntimeDirectoryMode = "700";
WorkingDirectory = "/run/electrs"; WorkingDirectory = "/run/electrs";
@ -96,8 +96,7 @@ in {
Group = cfg.group; Group = cfg.group;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // (if cfg.enforceTor
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
); );


@ -50,15 +50,14 @@ in {
chmod 600 ${cfg.dataDir}/lightning-charge.db chmod 600 ${cfg.dataDir}/lightning-charge.db
fi fi
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env"; EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db"; ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
User = user; User = user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // nix-bitcoin-services.nodejs
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor; // nix-bitcoin-services.allowTor;
}; };
nix-bitcoin.secrets.lightning-charge-env.user = user; nix-bitcoin.secrets.lightning-charge-env.user = user;
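Review bot: The commit title promises that service config takes precedence over hardening, but in this section `nix-bitcoin-services.nodejs` and `allowTor` are still merged after the service's own attributes, so any attribute they set (for example an environment or network restriction) overrides what is written in the explicit block. If the nodejs set is meant to be a baseline like defaultHardening, it should move to the left of the explicit block too: `serviceConfig = nix-bitcoin-services.defaultHardening // nix-bitcoin-services.nodejs // { ... } // nix-bitcoin-services.allowTor;`. I cannot see what the nodejs set contains, so whether an overlap exists today is inferred; a one-line comment on the chosen order would make the intent reviewable either way.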


@ -215,7 +215,7 @@ in {
echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf' echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf' echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf'
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
Type = "simple"; Type = "simple";
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.group}"; Group = "${cfg.group}";
@ -226,8 +226,7 @@ in {
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening } // (if cfg.enforceTor
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
); );


@ -91,14 +91,13 @@ in {
chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf' echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf'
''; '';
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf"; ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
User = "lnd"; User = "lnd";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // (if cfg.enforceTor
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ ) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ
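Review bot: `allowAnyProtocol` is merged unconditionally here, so it overrides the enforceTor branch even when no ZMQ endpoint is used, whereas the bitcoind module in this same commit guards the same set with `optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null)`. Making lnd consistent would look like `) // optionalAttrs (config.services.bitcoind.zmqpubrawblock != null || config.services.bitcoind.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol; # For ZMQ`, assuming lnd only needs the relaxation for bitcoind's ZMQ sockets; that assumption is not verifiable from this hunk. At minimum the `# For ZMQ` comment should say which protocol family is being allowed and why it cannot stay behind enforceTor.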


@ -58,14 +58,13 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "lightning-charge.service" ]; requires = [ "lightning-charge.service" ];
after = [ "lightning-charge.service" ]; after = [ "lightning-charge.service" ];
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env"; EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env";
ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11"; ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11";
User = "nanopos"; User = "nanopos";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // nix-bitcoin-services.nodejs
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor; // nix-bitcoin-services.allowTor;
}; };
users.users.nanopos = { users.users.nanopos = {


@ -81,15 +81,14 @@ in {
jq jq
sudo sudo
]; ];
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}"; ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}";
User = "root"; User = "root";
Type = "simple"; Type = "simple";
RemainAfterExit="yes"; RemainAfterExit="yes";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // (if cfg.enforceTor
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP
); );
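Review bot: This is the one service in the commit that runs with `User = "root"`, and with the new order that explicit value now wins over anything defaultHardening might set for the same attribute, so the hardening set no longer offers a safety net here; nothing explains why root is required. A comment next to the User line would make the privilege decision reviewable, e.g. `# Runs as root: the script invokes sudo (see path) to read other services' data — TODO confirm and narrow`. The sudo and jq entries in the path just above suggest the script switches users itself, but the script body is outside this hunk, so the reason is inferred.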


@ -73,11 +73,11 @@ in {
wantedBy = [ "tor.service" ]; wantedBy = [ "tor.service" ];
bindsTo = [ "tor.service" ]; bindsTo = [ "tor.service" ];
after = [ "tor.service" ]; after = [ "tor.service" ];
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}"; ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
} // nix-bitcoin-services.defaultHardening; };
}; };
}; };
} }
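Review bot: The new serviceConfig for onion-chef sets no `User`, so after this change the unit still runs as root under defaultHardening and `RemainAfterExit = true` is written as a Nix boolean while the createWebIndex service in this same commit uses `RemainAfterExit="yes"`; both forms work, but one convention per commit reads better. If root is required to read Tor's hidden-service directory, a comment such as `# No User set: needs root to read the tor hidden service hostname files` would document that, and the boolean could be normalised to match the other modules. The script's contents and the rest of the module are outside this section, so the reason for root is inferred.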


@ -90,12 +90,11 @@ in {
requires = [ "clightning.service" ]; requires = [ "clightning.service" ];
after = [ "clightning.service" ]; after = [ "clightning.service" ];
path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ]; path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}"; ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
User = "recurring-donations"; User = "recurring-donations";
Type = "oneshot"; Type = "oneshot";
} // nix-bitcoin-services.defaultHardening } // nix-bitcoin-services.allowTor;
// nix-bitcoin-services.allowTor;
}; };
systemd.timers.recurring-donations = { systemd.timers.recurring-donations = {
requires = [ "clightning.service" ]; requires = [ "clightning.service" ];


@ -71,14 +71,13 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "clightning.service" ] ++ onion-chef-service; requires = [ "clightning.service" ] ++ onion-chef-service;
after = [ "clightning.service" ] ++ onion-chef-service; after = [ "clightning.service" ] ++ onion-chef-service;
serviceConfig = { serviceConfig = nix-bitcoin-services.defaultHardening // {
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}"; ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
User = "spark-wallet"; User = "spark-wallet";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening } // nix-bitcoin-services.nodejs
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor; // nix-bitcoin-services.allowTor;
}; };
nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet"; nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";