From 7fb1cc1e931601a77dbfa56b0fb01771e930edb4 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sun, 28 Apr 2019 13:11:53 +0000 Subject: [PATCH] Add security section to README --- README.md | 15 ++++++++++++++- docs/install.md | 4 ++++ modules/liquid.nix | 2 -- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 48bd4d1..fbd9ddd 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ nix-bitcoin === -Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols. +Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security. This is a work in progress - don't expect it to be bug free or secure. The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. 
@@ -49,6 +49,19 @@ The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin di Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell. See [install.md](docs/install.md) for a detailed tutorial. +Security +--- +* Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches. +* Builds happen in a [sandboxed environment](https://nixos.org/nix/manual/). +* Packages dependencies are [pinned](pkgs/nixpkgs-pinned.nix). Most packages are built from the [nixos stable channel](https://github.com/NixOS/nixpkgs-channels/tree/nixos-19.03), with a few exceptions that are built from the nixpkgs unstable channel. +* nix-bitcoin merge commits are signed. +* nix-bitcoin is built with a [hardened kernel](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix) by default. +* Services operate with least privileges. They each have their own user and are restricted further with [systemd options](modules/nix-bitcoin-services.nix). +* There's a non-root user *operator* to interact with the various services. + +Note that nix-bitcoin is still experimental. +Also, by design if the machine you're deploying *from* is insecure, there is nothing nix-bitcoin can do to protect itself. + Hardware requirements --- * Disk space: 300 GB (235GB for Bitcoin blockchain + some room) diff --git a/docs/install.md b/docs/install.md index 6ac586a..192dabc 100644 --- a/docs/install.md +++ b/docs/install.md @@ -165,6 +165,10 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht swapon /dev/sda2 ``` +4. Option 3: Set up encrypted partitions: + + Follow the guide at https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134. + 5. Generate NixOS config ``` diff --git a/modules/liquid.nix b/modules/liquid.nix index f66b78b..acff282 100644 --- a/modules/liquid.nix +++ b/modules/liquid.nix 
@@ -207,7 +207,6 @@ in { }; users.users.${cfg.user} = { name = cfg.user; - #uid = config.ids.uids.liquid; group = cfg.group; extraGroups = [ "keys" ]; description = "Liquid daemon user"; @@ -215,7 +214,6 @@ in { }; users.groups.${cfg.group} = { name = cfg.group; - #gid = config.ids.gids.liquid; }; }; }
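Review bot: In the first README.md hunk, the new tagline ending "with an emphasis on security" now sits directly above the unchanged sentence "This is a work in progress - don't expect it to be bug free or secure.", and the two read as contradictory to someone skimming the opening. Consider rewording one of them so the opening says both that security is the design goal and that the project is not yet production-ready, which would also make the later "Note that nix-bitcoin is still experimental." line in the new Security section unnecessary.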
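Review bot: In the new Security section of README.md, the bullet "nix-bitcoin merge commits are signed." gives the reader nothing to verify against: it does not say whose keys sign the merges or where those keys or fingerprints are published. Please add that pointer, since a signature claim without a trust anchor cannot be checked. Two smaller points in the same hunk: the hardened kernel link targets `master` of nixpkgs while the bullet above it says packages are pinned to nixos-19.03, so the linked profile can drift from what is actually deployed and would be better linked at the pinned branch; and "Packages dependencies" should read "Package dependencies".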
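Review bot: In the docs/install.md hunk, the new step "4. Option 3: Set up encrypted partitions" delegates a security-relevant procedure entirely to a third-party gist that is linked without a revision, so its contents can change or disappear after this is merged. Link to a specific revision of the gist, or bring the relevant steps into install.md where they can be reviewed along with the rest of the tutorial. The bare URL could also be written as a Markdown link, matching the `[install.md](docs/install.md)` style used in the README.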
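Review bot: The two modules/liquid.nix hunks, which delete the commented-out `#uid = config.ids.uids.liquid;` and `#gid = config.ids.gids.liquid;` lines, are unrelated to the subject "Add security section to README" and are not mentioned in the commit message. The cleanup itself looks harmless because both lines were already comments, but it should either go in its own commit or be noted in the message body so the history for liquid.nix stays searchable.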