All modules: ProtectSystem = strict
Add ReadWritePaths in all modules, except lnd which has ProtectSystem = full.
parent
adc71b892e
commit
a040e52854
@ -286,6 +286,7 @@ in {
|
|||||||
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
||||||
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
then nix-bitcoin-services.allowTor
|
then nix-bitcoin-services.allowTor
|
||||||
else nix-bitcoin-services.allowAnyIP)
|
else nix-bitcoin-services.allowAnyIP)
|
||||||
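Review bot: `ReadWritePaths = "${cfg.dataDir}";` hands systemd a whitespace-separated list, so a dataDir containing a space would be split into two entries and neither would match the real directory. NixOS serviceConfig accepts a list of strings and emits one assignment per element, so `ReadWritePaths = [ cfg.dataDir ];` keeps the path intact and reads as the list it is. The same applies to the other single-path ReadWritePaths additions in this commit (the second bitcoind hunk, the clightning and elementsd services, and the `User = user` service). The enclosing serviceConfig attrset begins before this hunk.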
@ -317,6 +318,7 @@ in {
|
|||||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||||
User = "${cfg.user}";
|
User = "${cfg.user}";
|
||||||
Group = "${cfg.group}";
|
Group = "${cfg.group}";
|
||||||
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
} // nix-bitcoin-services.allowTor;
|
} // nix-bitcoin-services.allowTor;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -102,6 +102,7 @@ in {
|
|||||||
User = "clightning";
|
User = "clightning";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
then nix-bitcoin-services.allowTor
|
then nix-bitcoin-services.allowTor
|
||||||
else nix-bitcoin-services.allowAnyIP
|
else nix-bitcoin-services.allowAnyIP
|
||||||
|
@ -97,6 +97,7 @@ in {
|
|||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
|
ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${config.services.bitcoind.dataDir}" else ""}";
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
then nix-bitcoin-services.allowTor
|
then nix-bitcoin-services.allowTor
|
||||||
else nix-bitcoin-services.allowAnyIP
|
else nix-bitcoin-services.allowAnyIP
|
||||||
|
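Review bot: In high-memory mode the new line grants write access to `config.services.bitcoind.dataDir`, not merely read access. `ProtectSystem = "strict"` leaves the filesystem readable (only writes are blocked, subject to normal DAC permissions), so if electrs only reads bitcoind's block files here the bitcoind directory can be dropped from ReadWritePaths entirely; if it does write there, a comment naming what it writes would justify the grant. The conditional also leaves a trailing space when high-memory is off; `ReadWritePaths = [ cfg.dataDir ] ++ optional cfg.high-memory config.services.bitcoind.dataDir;` expresses both cases without string splicing (assuming `lib` is in scope in this module as it is in the services file — confirm). The serviceConfig attrset begins before this hunk.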
@ -58,6 +58,7 @@ in {
|
|||||||
User = user;
|
User = user;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
} // nix-bitcoin-services.nodejs
|
} // nix-bitcoin-services.nodejs
|
||||||
// nix-bitcoin-services.allowTor;
|
// nix-bitcoin-services.allowTor;
|
||||||
};
|
};
|
||||||
|
@ -224,6 +224,7 @@ in {
|
|||||||
ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
|
ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
|
||||||
PIDFile = "${pidFile}";
|
PIDFile = "${pidFile}";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
then nix-bitcoin-services.allowTor
|
then nix-bitcoin-services.allowTor
|
||||||
else nix-bitcoin-services.allowAnyIP
|
else nix-bitcoin-services.allowAnyIP
|
||||||
|
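Review bot: `PIDFile = "${pidFile}"` on the context line above requires the daemon to create that file, but the only writable path now granted is `cfg.dataDir`; if `pidFile` (defined outside this hunk) resolves anywhere else, elementsd fails to write it under the read-only root. Either keep pidFile under cfg.dataDir, or grant its directory explicitly, e.g. `ReadWritePaths = [ cfg.dataDir (dirOf pidFile) ];` (if it lives under /run, `RuntimeDirectory` is the idiomatic grant). The serviceConfig attrset begins before this hunk.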
@ -106,6 +106,7 @@ in {
|
|||||||
User = "lnd";
|
User = "lnd";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
|
ProtectSystem = "full"; # ToDo: Make more restrictive
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
then nix-bitcoin-services.allowTor
|
then nix-bitcoin-services.allowTor
|
||||||
else nix-bitcoin-services.allowAnyIP
|
else nix-bitcoin-services.allowAnyIP
|
||||||
|
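Review bot: The override `ProtectSystem = "full"` silently undoes the stricter shared default without recording why lnd cannot take `strict` plus a ReadWritePaths entry like the other modules. The comment should state the condition for removing the override, e.g. `# ToDo: switch to ProtectSystem = "strict" once every path lnd writes is listed in ReadWritePaths`. Because this is a plain attrset merge, any future tightening of defaultHardening's ProtectSystem stays masked here until the line is removed. The serviceConfig attrset begins before this hunk.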
@ -7,7 +7,7 @@ with lib;
|
|||||||
{
|
{
|
||||||
defaultHardening = {
|
defaultHardening = {
|
||||||
PrivateTmp = "true";
|
PrivateTmp = "true";
|
||||||
ProtectSystem = "full";
|
ProtectSystem = "strict";
|
||||||
ProtectHome = "true";
|
ProtectHome = "true";
|
||||||
NoNewPrivileges = "true";
|
NoNewPrivileges = "true";
|
||||||
PrivateDevices = "true";
|
PrivateDevices = "true";
|
||||||
|
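Review bot: Changing the shared default to `ProtectSystem = "strict"` makes the whole filesystem outside /dev, /proc and /sys read-only for every consumer of `defaultHardening`, but nothing at the definition site records that each service must now declare its writable paths. A comment above the line, `# strict: root filesystem is read-only; every service using this set must list the paths it writes in ReadWritePaths (or use StateDirectory/RuntimeDirectory)`, would keep a future module from breaking on its first write. The attrset continues beyond this hunk.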
@ -92,6 +92,7 @@ in {
|
|||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
PrivateNetwork = "true"; # This service needs no network access
|
PrivateNetwork = "true"; # This service needs no network access
|
||||||
|
ReadWritePaths = "/var/www";
|
||||||
CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
then nix-bitcoin-services.allowTor
|
then nix-bitcoin-services.allowTor
|
||||||
|
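Review bot: The new `ReadWritePaths = "/var/www"` restriction is weak in this service because the context line below keeps `CAP_SYS_ADMIN` in `CapabilityBoundingSet`; systemd.exec(5) notes that ProtectSystem= can be undone by a process holding CAP_SYS_ADMIN and recommends pairing it with `SystemCallFilter=~@mount` or removing that capability. If the service does not genuinely need mount-related syscalls, add `SystemCallFilter = "~@mount";` next to the new line, or drop CAP_SYS_ADMIN from the set if it is not actually required. The serviceConfig attrset begins before this hunk and ends after it.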
@ -81,6 +81,7 @@ in {
|
|||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
PrivateNetwork = "true"; # This service needs no network access
|
PrivateNetwork = "true"; # This service needs no network access
|
||||||
|
ReadWritePaths = "${dataDir}";
|
||||||
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -75,6 +75,7 @@ in {
|
|||||||
User = "spark-wallet";
|
User = "spark-wallet";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
|
ReadWritePaths = "/var/lib/onion-chef";
|
||||||
} // nix-bitcoin-services.nodejs
|
} // nix-bitcoin-services.nodejs
|
||||||
// nix-bitcoin-services.allowTor;
|
// nix-bitcoin-services.allowTor;
|
||||||
};
|
};
|
||||||
|
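Review bot: `ReadWritePaths = "/var/lib/onion-chef"` gives spark-wallet write access to another service's state directory. Under `ProtectSystem = "strict"` that directory stays readable without the entry, so if spark-wallet only reads the onion hostname there the grant is unnecessary and widens what a compromised wallet process can modify; if spark-wallet writes its own state elsewhere, that path (not shown in this hunk) is what should be listed instead. A comment stating which files spark-wallet writes under /var/lib/onion-chef would make the grant reviewable. The serviceConfig attrset begins before this hunk.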