Move service hardening flags into separate file

2019-04-27 19:21:45 +00:00 · 2019-04-27 19:21:45 +00:00 · a089d65d25
commit a089d65d25
parent 66095871c6
11 changed files with 33 additions and 54 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.bitcoind;
  pidFile = "${cfg.dataDir}/bitcoind.pid";
  configFile = pkgs.writeText "bitcoin.conf" ''
@ -235,7 +236,7 @@ in {
        # Permission for preStart
        PermissionsStartOnly = "true";
-      };
+      } // nix-bitcoin-services.defaultHardening;
    };
    systemd.services.bitcoind-import-banlist = {
      description = "Bitcoin daemon banlist importer";
@ -269,16 +270,9 @@ in {
        ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}";
        StateDirectory = "bitcoind";
        # Hardening measures
        PrivateTmp = "true";
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
        MemoryDenyWriteExecute = "true";
        # Permission for preStart
        PermissionsStartOnly = "true";
-      };
+      } // nix-bitcoin-services.defaultHardening;
    };
    users.users.${cfg.user} = {
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.clightning;
  configFile = pkgs.writeText "config" ''
    autolisten=${if cfg.autolisten then "true" else "false"}
@ -93,12 +94,7 @@ in {
        User = "clightning";
        Restart = "on-failure";
        RestartSec = "10s";
-        PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
        MemoryDenyWriteExecute = "true";
      };
    };
  };
 }
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.electrs;
  index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
  jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
@ -74,11 +75,7 @@ in {
        User = "electrs";
        Restart = "on-failure";
        RestartSec = "10s";
-        PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
      };
    };
    services.nginx = {
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.lightning-charge;
 in {
  options.services.lightning-charge = {
@ -37,11 +38,7 @@ in {
          User = "clightning";
          Restart = "on-failure";
          RestartSec = "10s";
-          PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
          ProtectSystem = "full";
          NoNewPrivileges = "true";
          PrivateDevices = "true";
      };
    };
  };
 }
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.liquidd;
  pidFile = "${cfg.dataDir}/liquidd.pid";
  configFile = pkgs.writeText "liquid.conf" ''
@ -195,16 +196,9 @@ in {
        PIDFile = "${pidFile}";
        Restart = "on-failure";
        # Hardening measures
        PrivateTmp = "true";
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
        MemoryDenyWriteExecute = "true";
        # Permission for preStart
        PermissionsStartOnly = "true";
-      };
+      } // nix-bitcoin-services.defaultHardening;
    };
    users.users.${cfg.user} = {
      name = cfg.user;
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.nanopos;
  defaultItemsFile = pkgs.writeText "items.yaml" ''
    tea:
@ -73,11 +74,7 @@ in {
        User = "nanopos";
        Restart = "on-failure";
        RestartSec = "10s";
-        PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
      };
    };
  };
 }
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@ -0,0 +1,12 @@
 {
  defaultHardening = {
      PrivateTmp = "true";
      ProtectSystem = "full";
      NoNewPrivileges = "true";
      PrivateDevices = "true";
      MemoryDenyWriteExecute = "true";
  };
 }
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.nix-bitcoin-webindex;
  indexFile = pkgs.writeText "index.html" ''
    <html>
@ -80,7 +81,7 @@ in {
        RemainAfterExit="yes";
        Restart = "on-failure";
        RestartSec = "10s";
-      };
+      } // nix-bitcoin-services.defaultHardening;
    };
  };
 }
--- a/modules/onion-chef.nix
+++ b/modules/onion-chef.nix
@ -8,6 +8,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.onion-chef;
  dataDir = "/var/lib/onion-chef/";
  onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
@ -77,11 +78,7 @@ in {
        ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
        User = "root";
        Type = "oneshot";
-        PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
      };
    };
  };
 }
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.recurring-donations;
  recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
    LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
@ -88,11 +89,7 @@ in {
        # working inside the shell script
        User = "clightning";
        Type = "oneshot";
-        PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
      };
    };
    systemd.timers.recurring-donations = {
      requires = [ "clightning.service" ];
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -3,6 +3,7 @@
 with lib;
 let
  nix-bitcoin-services = import ./nix-bitcoin-services.nix;
  cfg = config.services.spark-wallet;
  dataDir = "/var/lib/spark-wallet/";
  onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
@ -63,11 +64,7 @@ in {
        User = "clightning";
        Restart = "on-failure";
        RestartSec = "10s";
-        PrivateTmp = "true";
+      } // nix-bitcoin-services.defaultHardening;
        ProtectSystem = "full";
        NoNewPrivileges = "true";
        PrivateDevices = "true";
      };
    };
  };
 }