All modules: ProtectSystem = strict

Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
This commit is contained in:
nixbitcoin 2020-05-05 17:15:16 +02:00
parent adc71b892e
commit a040e52854
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
10 changed files with 11 additions and 1 deletions


@ -286,6 +286,7 @@ in {
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP)
@ -317,6 +318,7 @@ in {
serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "${cfg.user}";
Group = "${cfg.group}";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.allowTor;
};
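Review bot: The new `ReadWritePaths` entries carry no comment saying why they are needed, and the reason is not visible in this file because the `ProtectSystem` setting comes from `nix-bitcoin-services.defaultHardening` merged with `//`. A reader who later removes or narrows the line has no local hint that the whole hierarchy is read-only without it. Suggest `ReadWritePaths = "${cfg.dataDir}"; # defaultHardening sets ProtectSystem=strict: only paths listed here stay writable` on the first occurrence in each module; the same applies to the clightning, elementsd, nodejs-based and oneshot hunks further down. Both serviceConfig blocks in this file continue outside their hunks.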


@ -102,6 +102,7 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP


@ -97,6 +97,7 @@ in {
Group = cfg.group;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${config.services.bitcoind.dataDir}" else ""}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
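Review bot: Adding `config.services.bitcoind.dataDir` to `ReadWritePaths` gives electrs write access to bitcoind's state, which is wider than the high-memory mode appears to need. Under `ProtectSystem = "strict"` the hierarchy is read-only but still readable, so if electrs only reads bitcoind's block files (subject to the group-readable `UMask` bitcoind sets), no entry is needed at all for read access; a write grant lets a compromised electrs alter bitcoind's data. Unless electrs genuinely writes there, `ReadWritePaths = "${cfg.dataDir}";` is enough; the current expression also leaves a trailing space in the value when `high-memory` is false. The serviceConfig block continues outside the hunk.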


@ -58,6 +58,7 @@ in {
User = user;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};


@ -224,6 +224,7 @@ in {
ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
PIDFile = "${pidFile}";
Restart = "on-failure";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
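Review bot: `PIDFile = "${pidFile}"` sits next to the new `ReadWritePaths = "${cfg.dataDir}"`, and if `pidFile` does not resolve to a location under `cfg.dataDir` (or a `RuntimeDirectory`), elementsd can no longer write it once `ProtectSystem = "strict"` is in effect and the unit will fail on start. The definition of `pidFile` is outside this hunk, so I cannot confirm either way; if it is not inside the data dir, add its parent directory to `ReadWritePaths` or move the PID file under `cfg.dataDir`. A short comment recording that relationship, e.g. `# pidFile must stay inside cfg.dataDir: it is the only writable path under ProtectSystem=strict`, would keep the two settings from drifting apart.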


@ -106,6 +106,7 @@ in {
User = "lnd";
Restart = "on-failure";
RestartSec = "10s";
ProtectSystem = "full"; # ToDo: Make more restrictive
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
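Review bot: The `# ToDo: Make more restrictive` on the `ProtectSystem = "full"` override does not say what blocks moving lnd to `strict`, so nobody can act on it. Because `//` lets this right-hand value win over `defaultHardening`, lnd silently keeps `/var` (including other services' state directories) writable, with only DAC permissions separating it from them. Suggest recording the concrete obstacle, e.g. `ProtectSystem = "full"; # overrides defaultHardening's "strict": lnd still writes outside cfg.dataDir (list the paths here), so /var stays writable; fix = enumerate them in ReadWritePaths and drop this line` — I am inferring the reason from the commit message, so adjust the wording to what lnd actually needs. The serviceConfig block continues outside the hunk.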


@ -7,7 +7,7 @@ with lib;
{
defaultHardening = {
PrivateTmp = "true";
ProtectSystem = "full";
ProtectSystem = "strict";
ProtectHome = "true";
NoNewPrivileges = "true";
PrivateDevices = "true";
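Review bot: Switching `defaultHardening` to `ProtectSystem = "strict"` changes the contract for every consumer of this attrset: the entire hierarchy is now mounted read-only except the API file systems, and a module that forgets `ReadWritePaths` gets a unit that fails only at runtime. Since consumers merge this set with `//` and can silently override the value (lnd does exactly that), the expectation should be stated where the value is defined. Suggest `ProtectSystem = "strict"; # whole fs read-only except /dev, /proc, /sys; every consumer must list its writable state in ReadWritePaths and should not override this`.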


@ -92,6 +92,7 @@ in {
Restart = "on-failure";
RestartSec = "10s";
PrivateNetwork = "true"; # This service needs no network access
ReadWritePaths = "/var/www";
CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
} // (if cfg.enforceTor
then nix-bitcoin-services.allowTor
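Review bot: The new `ReadWritePaths = "/var/www"` gives little containment while `CapabilityBoundingSet` on the next line keeps `CAP_SYS_ADMIN`: the read-only mounts set up by `ProtectSystem = "strict"` live in the unit's mount namespace, and a process holding `CAP_SYS_ADMIN` can remount or bind over them, which is why systemd recommends pairing these options with dropping that capability or with `SystemCallFilter = "~@mount"`. Whether the unit actually runs with that capability depends on its `User`, which is outside the hunk. If the capability is only needed for a specific setup step, drop it from the set and add `SystemCallFilter = "~@mount";`, so the write grant to `/var/www` becomes a real boundary.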


@ -81,6 +81,7 @@ in {
Type = "oneshot";
RemainAfterExit = true;
PrivateNetwork = "true"; # This service needs no network access
ReadWritePaths = "${dataDir}";
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
};
};


@ -75,6 +75,7 @@ in {
User = "spark-wallet";
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = "/var/lib/onion-chef";
} // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
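Review bot: `ReadWritePaths = "/var/lib/onion-chef"` hands spark-wallet write access to a directory that belongs to another service, and the path is hard-coded rather than taken from the onion-chef module's configuration. Under `ProtectSystem = "strict"` the directory is already readable (subject to DAC), so if spark-wallet only needs to read its onion hostname from there, this line can be dropped; if it must write, the entry should be narrowed to the specific subpath it owns and should reference the onion-chef option instead of a literal so the two modules cannot drift apart. I cannot see onion-chef's definition from this hunk, so the read-only assumption needs confirming.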