All modules: ProtectSystem = strict

Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
This commit is contained in:
nixbitcoin 2020-05-05 17:15:16 +02:00
parent adc71b892e
commit a040e52854
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
10 changed files with 11 additions and 1 deletions

View File

@ -286,6 +286,7 @@ in {
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'"; ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure"; Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027"; UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP) else nix-bitcoin-services.allowAnyIP)
@ -317,6 +318,7 @@ in {
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.group}"; Group = "${cfg.group}";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.allowTor; } // nix-bitcoin-services.allowTor;
}; };

View File

@ -102,6 +102,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP

View File

@ -97,6 +97,7 @@ in {
Group = cfg.group; Group = cfg.group;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${config.services.bitcoind.dataDir}" else ""}";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP

View File

@ -58,6 +58,7 @@ in {
User = user; User = user;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = "${cfg.dataDir}";
} // nix-bitcoin-services.nodejs } // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor; // nix-bitcoin-services.allowTor;
}; };

View File

@ -224,6 +224,7 @@ in {
ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}"; ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
PIDFile = "${pidFile}"; PIDFile = "${pidFile}";
Restart = "on-failure"; Restart = "on-failure";
ReadWritePaths = "${cfg.dataDir}";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP

View File

@ -106,6 +106,7 @@ in {
User = "lnd"; User = "lnd";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ProtectSystem = "full"; # ToDo: Make more restrictive
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP else nix-bitcoin-services.allowAnyIP

View File

@ -7,7 +7,7 @@ with lib;
{ {
defaultHardening = { defaultHardening = {
PrivateTmp = "true"; PrivateTmp = "true";
ProtectSystem = "full"; ProtectSystem = "strict";
ProtectHome = "true"; ProtectHome = "true";
NoNewPrivileges = "true"; NoNewPrivileges = "true";
PrivateDevices = "true"; PrivateDevices = "true";

View File

@ -92,6 +92,7 @@ in {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
PrivateNetwork = "true"; # This service needs no network access PrivateNetwork = "true"; # This service needs no network access
ReadWritePaths = "/var/www";
CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"; CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
} // (if cfg.enforceTor } // (if cfg.enforceTor
then nix-bitcoin-services.allowTor then nix-bitcoin-services.allowTor

View File

@ -81,6 +81,7 @@ in {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
PrivateNetwork = "true"; # This service needs no network access PrivateNetwork = "true"; # This service needs no network access
ReadWritePaths = "${dataDir}";
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"; CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
}; };
}; };

View File

@ -75,6 +75,7 @@ in {
User = "spark-wallet"; User = "spark-wallet";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = "/var/lib/onion-chef";
} // nix-bitcoin-services.nodejs } // nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor; // nix-bitcoin-services.allowTor;
}; };