Move service hardening flags into separate file

This commit is contained in:
Jonas Nick 2019-04-27 19:21:45 +00:00
parent 66095871c6
commit a089d65d25
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
11 changed files with 33 additions and 54 deletions


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.bitcoind; cfg = config.services.bitcoind;
pidFile = "${cfg.dataDir}/bitcoind.pid"; pidFile = "${cfg.dataDir}/bitcoind.pid";
configFile = pkgs.writeText "bitcoin.conf" '' configFile = pkgs.writeText "bitcoin.conf" ''
@ -235,7 +236,7 @@ in {
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
}; } // nix-bitcoin-services.defaultHardening;
}; };
systemd.services.bitcoind-import-banlist = { systemd.services.bitcoind-import-banlist = {
description = "Bitcoin daemon banlist importer"; description = "Bitcoin daemon banlist importer";
@ -269,16 +270,9 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}"; ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}";
StateDirectory = "bitcoind"; StateDirectory = "bitcoind";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
}; } // nix-bitcoin-services.defaultHardening;
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
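Review bot: The merge order `{ … } // nix-bitcoin-services.defaultHardening` on the two new serviceConfig lines lets the shared set silently override anything service-specific, because the right-hand operand of `//` wins; a later per-unit opt-out such as `MemoryDenyWriteExecute = "false";` written inside the unit's own attrset would be clobbered without any warning. Put the defaults on the left so the unit's explicit settings take precedence: `serviceConfig = nix-bitcoin-services.defaultHardening // { … };` with the closing line back to a plain `};`. The opening `serviceConfig = {` of both units lies outside the hunk, so the reorder touches lines not shown here. Neither the bitcoind nor the bitcoind-import-banlist unit currently sets any of the five hardening keys itself, so the behaviour is unchanged today; the point is about what happens on the first override.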


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.clightning; cfg = config.services.clightning;
configFile = pkgs.writeText "config" '' configFile = pkgs.writeText "config" ''
autolisten=${if cfg.autolisten then "true" else "false"} autolisten=${if cfg.autolisten then "true" else "false"}
@ -93,12 +94,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
};
}; };
}; };
} }


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.electrs; cfg = config.services.electrs;
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}"; index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}"; jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
@ -74,11 +75,7 @@ in {
User = "electrs"; User = "electrs";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
}; };
services.nginx = { services.nginx = {


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.lightning-charge; cfg = config.services.lightning-charge;
in { in {
options.services.lightning-charge = { options.services.lightning-charge = {
@ -37,11 +38,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
}; };
}; };
} }
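Review bot: The merged set now applies `MemoryDenyWriteExecute = "true"` to this unit, which did not have it before (the removed lines stop at PrivateDevices), and unless I am mistaken lightning-charge is a Node.js application whose V8 JIT maps writable-and-executable memory, so the unit is likely to fail at startup under this flag. That is a behaviour change the commit title ("move") does not suggest, so the unit should be started in a test before merging. If it does fail, keep the rest of the set and opt out after the merge, where the override actually takes effect: `} // nix-bitcoin-services.defaultHardening // { MemoryDenyWriteExecute = "false"; };`. The serviceConfig attrset begins outside the hunk.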


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.liquidd; cfg = config.services.liquidd;
pidFile = "${cfg.dataDir}/liquidd.pid"; pidFile = "${cfg.dataDir}/liquidd.pid";
configFile = pkgs.writeText "liquid.conf" '' configFile = pkgs.writeText "liquid.conf" ''
@ -195,16 +196,9 @@ in {
PIDFile = "${pidFile}"; PIDFile = "${pidFile}";
Restart = "on-failure"; Restart = "on-failure";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
}; } // nix-bitcoin-services.defaultHardening;
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
name = cfg.user; name = cfg.user;


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.nanopos; cfg = config.services.nanopos;
defaultItemsFile = pkgs.writeText "items.yaml" '' defaultItemsFile = pkgs.writeText "items.yaml" ''
tea: tea:
@ -73,11 +74,7 @@ in {
User = "nanopos"; User = "nanopos";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
}; };
}; };
} }
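Review bot: `MemoryDenyWriteExecute = "true"` is new for nanopos (the removed block had only PrivateTmp, ProtectSystem, NoNewPrivileges and PrivateDevices), and nanopos is, as far as I recall, a Node.js service, so the V8 JIT's writable-executable mappings would be refused and the process would likely crash on start. Please verify the unit comes up with the shared set applied. A per-unit opt-out must be placed after the shared set to survive the `//` merge: `} // nix-bitcoin-services.defaultHardening // { MemoryDenyWriteExecute = "false"; };`.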


@ -0,0 +1,12 @@
{
defaultHardening = {
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
};
}
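Review bot: Now that there is one shared hardening set, it should carry the rest of the systemd sandboxing that none of the merged units needs to opt out of; the current five flags leave /home, kernel tunables and modules, cgroups, namespace creation, personality changes, real-time scheduling and foreign syscall ABIs all reachable, and every merged unit is either a daemon with a dataDir under /var/lib or a script. `ProtectSystem = "full"` also leaves /var writable; the stricter `"strict"` plus a per-unit `ReadWritePaths` is the usual next step but needs the dataDir of each unit, so I would leave that for a follow-up. The additions below assume no `dataDir` option is ever pointed under /home (ProtectHome) and that no unit needs a non-native syscall ABI; because the call sites merge this set on the right-hand side of `//`, any unit that cannot live with one of these flags has to merge its opt-out after the set, not before. A header comment is also missing; I would add `# Sandboxing applied to every nix-bitcoin systemd unit via serviceConfig // defaultHardening.` above the attribute.
```nix
  defaultHardening = {
    # … unchanged: PrivateTmp, ProtectSystem, NoNewPrivileges, PrivateDevices, MemoryDenyWriteExecute …
    ProtectHome = "true";
    ProtectKernelTunables = "true";
    ProtectKernelModules = "true";
    ProtectControlGroups = "true";
    RestrictNamespaces = "true";
    LockPersonality = "true";
    RestrictRealtime = "true";
    SystemCallArchitectures = "native";
  };
```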


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.nix-bitcoin-webindex; cfg = config.services.nix-bitcoin-webindex;
indexFile = pkgs.writeText "index.html" '' indexFile = pkgs.writeText "index.html" ''
<html> <html>
@ -80,7 +81,7 @@ in {
RemainAfterExit="yes"; RemainAfterExit="yes";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
}; } // nix-bitcoin-services.defaultHardening;
}; };
}; };
} }
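Review bot: This unit goes from no sandboxing at all to the full shared set in one line, and its `ExecStart` and any `User=` line are outside the hunk, so the write target of the index file needs checking against what `ProtectSystem = "full"` makes read-only (/usr, /boot, /etc): a copy into a webroot under /var/www or a StateDirectory is fine, anything under /etc is not. If no `User=` is set the unit still runs as root, in which case the flags mostly limit accidents rather than an attacker, since a root process keeps the capabilities needed to remount. I would note the assumption next to the merge: `# hardening assumes the index is written below /var; ProtectSystem=full leaves /usr, /boot and /etc read-only`.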


@ -8,6 +8,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.onion-chef; cfg = config.services.onion-chef;
dataDir = "/var/lib/onion-chef/"; dataDir = "/var/lib/onion-chef/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" '' onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
@ -77,11 +78,7 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}"; ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
User = "root"; User = "root";
Type = "oneshot"; Type = "oneshot";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
}; };
}; };
} }
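Review bot: Merging defaultHardening into a unit that runs with `User = "root"` gives little real containment, because a root process with an unrestricted capability set can remount the ProtectSystem/PrivateDevices mounts and NoNewPrivileges does not drop capabilities it already has. The useful addition for this unit is a `CapabilityBoundingSet` limited to what onion-chef.sh actually needs (the script body is outside the hunk; if it only reads Tor's hidden-service directories and chowns copies into dataDir, that would be `CAP_DAC_READ_SEARCH CAP_CHOWN`), together with `ProtectSystem = "strict"` and `ReadWritePaths = [ dataDir ]`. As with the other call sites, such per-unit settings have to be merged after `nix-bitcoin-services.defaultHardening`, otherwise the shared `ProtectSystem = "full"` wins.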


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.recurring-donations; cfg = config.services.recurring-donations;
recurring-donations-script = pkgs.writeScript "recurring-donations.sh" '' recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}" LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
@ -88,11 +89,7 @@ in {
# working inside the shell script # working inside the shell script
User = "clightning"; User = "clightning";
Type = "oneshot"; Type = "oneshot";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
}; };
systemd.timers.recurring-donations = { systemd.timers.recurring-donations = {
requires = [ "clightning.service" ]; requires = [ "clightning.service" ];


@ -3,6 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.spark-wallet; cfg = config.services.spark-wallet;
dataDir = "/var/lib/spark-wallet/"; dataDir = "/var/lib/spark-wallet/";
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []); onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
@ -63,11 +64,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
PrivateTmp = "true"; } // nix-bitcoin-services.defaultHardening;
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
}; };
}; };
} }
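Review bot: spark-wallet is newly subjected to `MemoryDenyWriteExecute = "true"` here (the removed lines did not include it), and if, as I believe, it is a Node.js application, V8's JIT mappings will be refused and the unit will not start; this needs an actual start test before the commit is merged. Should it fail, opt out after the shared set so the override is not clobbered by `//`: `} // nix-bitcoin-services.defaultHardening // { MemoryDenyWriteExecute = "false"; };`. The serviceConfig attrset and its `ExecStart` begin outside the hunk.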