diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index bf44035..ded8ce4 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.bitcoind; pidFile = "${cfg.dataDir}/bitcoind.pid"; configFile = pkgs.writeText "bitcoin.conf" '' @@ -235,7 +236,7 @@ in { # Permission for preStart PermissionsStartOnly = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; systemd.services.bitcoind-import-banlist = { description = "Bitcoin daemon banlist importer"; @@ -269,16 +270,9 @@ in { ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}"; StateDirectory = "bitcoind"; - # Hardening measures - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - MemoryDenyWriteExecute = "true"; - # Permission for preStart PermissionsStartOnly = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; users.users.${cfg.user} = { diff --git a/modules/clightning.nix b/modules/clightning.nix index 6d02cb4..10f1b3b 100644 --- a/modules/clightning.nix +++ b/modules/clightning.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.clightning; configFile = pkgs.writeText "config" '' autolisten=${if cfg.autolisten then "true" else "false"} @@ -93,12 +94,7 @@ in { User = "clightning"; Restart = "on-failure"; RestartSec = "10s"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - MemoryDenyWriteExecute = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; }; } diff --git a/modules/electrs.nix b/modules/electrs.nix index bb9795a..bf4b850 100644 --- a/modules/electrs.nix +++ b/modules/electrs.nix 
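Review bot: The merge order in the new `} // nix-bitcoin-services.defaultHardening;` line lets the shared defaults silently win over anything set in the per-service attrset, because the right-hand operand of `//` takes precedence; a service that later needs to relax one option (for example a per-service `MemoryDenyWriteExecute = "false"`) would have that override discarded without any evaluation error. Reversing the order, `serviceConfig = nix-bitcoin-services.defaultHardening // {` on the opening line and plain `};` at the close, keeps the defaults as a baseline that service-specific settings can still override. The same construct is used in the bitcoind-import-banlist hunk below and in the clightning, electrs, lightning-charge, liquid, nanopos, nix-bitcoin-webindex, onion-chef, recurring-donations and spark-wallet hunks. The enclosing serviceConfig attrset opens outside this hunk.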
@@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.electrs; index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}"; jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}"; @@ -74,11 +75,7 @@ in { User = "electrs"; Restart = "on-failure"; RestartSec = "10s"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; services.nginx = { diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix index 277d5f3..612c6c9 100644 --- a/modules/lightning-charge.nix +++ b/modules/lightning-charge.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.lightning-charge; in { options.services.lightning-charge = { @@ -37,11 +38,7 @@ in { User = "clightning"; Restart = "on-failure"; RestartSec = "10s"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; }; } diff --git a/modules/liquid.nix b/modules/liquid.nix index 7b7bd6b..2112c37 100644 --- a/modules/liquid.nix +++ b/modules/liquid.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.liquidd; pidFile = "${cfg.dataDir}/liquidd.pid"; configFile = pkgs.writeText "liquid.conf" '' @@ -195,16 +196,9 @@ in { PIDFile = "${pidFile}"; Restart = "on-failure"; - # Hardening measures - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - MemoryDenyWriteExecute = "true"; - # Permission for preStart PermissionsStartOnly = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; users.users.${cfg.user} = { name = cfg.user; diff --git a/modules/nanopos.nix b/modules/nanopos.nix index e018182..ef1d356 100644 --- a/modules/nanopos.nix 
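Review bot: electrs previously set only PrivateTmp, ProtectSystem, NoNewPrivileges and PrivateDevices, and with this hunk it also inherits `MemoryDenyWriteExecute = "true"` from `defaultHardening`; the same tightening lands on lightning-charge, nanopos, onion-chef, recurring-donations, spark-wallet and nix-bitcoin-webindex (which had no hardening at all) in their hunks, so this is a behaviour change rather than a pure refactor and deserves a sentence in the commit message. MemoryDenyWriteExecute rejects writable-and-executable memory mappings, so a service whose runtime depends on a JIT would fail to start after this change; the diff does not show which runtimes these services use, so each one should be confirmed to start under the new unit. If any service turns out to need an exemption, note that the current `{ … } // defaultHardening` order would discard a per-service override, so the exemption cannot simply be added to the left-hand attrset. The enclosing serviceConfig attrset opens outside this hunk.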
+++ b/modules/nanopos.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.nanopos; defaultItemsFile = pkgs.writeText "items.yaml" '' tea: @@ -73,11 +74,7 @@ in { User = "nanopos"; Restart = "on-failure"; RestartSec = "10s"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; }; } diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix new file mode 100644 index 0000000..c4fac75 --- /dev/null +++ b/modules/nix-bitcoin-services.nix @@ -0,0 +1,12 @@ +{ + defaultHardening = { + PrivateTmp = "true"; + ProtectSystem = "full"; + NoNewPrivileges = "true"; + PrivateDevices = "true"; + MemoryDenyWriteExecute = "true"; + }; +} + + + diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix index c8748a4..8cd7e74 100644 --- a/modules/nix-bitcoin-webindex.nix +++ b/modules/nix-bitcoin-webindex.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.nix-bitcoin-webindex; indexFile = pkgs.writeText "index.html" '' @@ -80,7 +81,7 @@ in { RemainAfterExit="yes"; Restart = "on-failure"; RestartSec = "10s"; - }; + } // nix-bitcoin-services.defaultHardening; }; }; } diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix index 9a71e0b..71628ed 100644 --- a/modules/onion-chef.nix +++ b/modules/onion-chef.nix @@ -8,6 +8,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.onion-chef; dataDir = "/var/lib/onion-chef/"; onion-chef-script = pkgs.writeScript "onion-chef.sh" '' @@ -77,11 +78,7 @@ in { ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}"; User = "root"; Type = "oneshot"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; }; } 
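Review bot: The new `defaultHardening` attrset carries no comment saying what it is or how callers are expected to merge it, and the file ends with three trailing blank lines. A header such as `# systemd serviceConfig hardening options shared by every nix-bitcoin service; merged into each service's serviceConfig with //` above `defaultHardening` would make the intent clear to the next module author, and the trailing blank lines should be dropped. It would also help to record why `ProtectSystem` is "full" rather than "strict" — at least bitcoind-import-banlist already declares `StateDirectory`, which is what "strict" relies on for writable state — so a later reader knows whether that was a deliberate choice or just the value carried over from the individual modules.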
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix index 00384bc..6d770cf 100644 --- a/modules/recurring-donations.nix +++ b/modules/recurring-donations.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.recurring-donations; recurring-donations-script = pkgs.writeScript "recurring-donations.sh" '' LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}" @@ -88,11 +89,7 @@ in { # working inside the shell script User = "clightning"; Type = "oneshot"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; systemd.timers.recurring-donations = { requires = [ "clightning.service" ]; diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix index d727e16..7ed7a64 100644 --- a/modules/spark-wallet.nix +++ b/modules/spark-wallet.nix @@ -3,6 +3,7 @@ with lib; let + nix-bitcoin-services = import ./nix-bitcoin-services.nix; cfg = config.services.spark-wallet; dataDir = "/var/lib/spark-wallet/"; onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []); @@ -63,11 +64,7 @@ in { User = "clightning"; Restart = "on-failure"; RestartSec = "10s"; - PrivateTmp = "true"; - ProtectSystem = "full"; - NoNewPrivileges = "true"; - PrivateDevices = "true"; - }; + } // nix-bitcoin-services.defaultHardening; }; }; }