greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use IPAddress{Allow,Deny} by default for systemd services

This commit is contained in:
Jonas Nick 2019-04-27 23:53:26 +00:00
parent d9533edad1
commit eaaf8e9aab
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
12 changed files with 79 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
modules/bitcoind.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.bitcoind;
pidFile = "${cfg.dataDir}/bitcoind.pid";
configFile = pkgs.writeText "bitcoin.conf" ''
@ -193,6 +193,7 @@ in {
to stay under the specified target size in MiB)
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
};
};
@ -236,7 +237,11 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
systemd.services.bitcoind-import-banlist = {
description = "Bitcoin daemon banlist importer";
@ -272,7 +277,8 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
};
users.users.${cfg.user} = {

9
modules/clightning.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.clightning;
configFile = pkgs.writeText "config" ''
autolisten=${if cfg.autolisten then "true" else "false"}
@ -57,6 +57,7 @@ in {
default = "/var/lib/clightning";
description = "The data directory for clightning.";
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
@ -94,7 +95,11 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
};
}

9
modules/electrs.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.electrs;
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
@ -43,6 +43,7 @@ in {
default = 50003;
description = "Override the default port on which to listen for connections.";
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
@ -75,7 +76,11 @@ in {
User = "electrs";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
services.nginx = {

6
modules/lightning-charge.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.lightning-charge;
in {
options.services.lightning-charge = {
@ -38,7 +38,9 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.nodeHardening;
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.node
// nix-bitcoin-services.allowTor;
};
};
}

9
modules/liquid.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.liquidd;
pidFile = "${cfg.dataDir}/liquidd.pid";
configFile = pkgs.writeText "liquid.conf" ''
@ -166,6 +166,7 @@ in {
to stay under the specified target size in MiB)
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
};
};
@ -198,7 +199,11 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
users.users.${cfg.user} = {
name = cfg.user;

6
modules/nanopos.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.nanopos;
defaultItemsFile = pkgs.writeText "items.yaml" ''
tea:
@ -74,7 +74,9 @@ in {
User = "nanopos";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.nodeHardening;
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.node
// nix-bitcoin-services.allowTor;
};
};
}

20
modules/nix-bitcoin-services.nix
View File

@ -1,3 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let
defaultHardening = {
PrivateTmp = "true";
@ -11,12 +15,26 @@ let
ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
LockPersonality = "true";
IPAddressDeny = "any";
};
in
{
inherit defaultHardening;
# node applications apparently rely on memory write execute
nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
node = { MemoryDenyWriteExecute = "false"; };
# Allow tor traffic. Allow takes precedence over Deny.
allowTor = { IPAddressAllow = "127.0.0.1/32"; };
# Allow any traffic
allowAnyIP = { IPAddressAllow = "any"; };
enforceTor = mkOption {
type = types.bool;
default = false;
description = ''
"Whether to force Tor on a service by only allowing connections from and
to 127.0.0.1;";
'';
};
}

9
modules/nix-bitcoin-webindex.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.nix-bitcoin-webindex;
indexFile = pkgs.writeText "index.html" ''
<html>
@ -44,6 +44,7 @@ in {
If enabled, the webindex service will be installed.
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
@ -81,7 +82,11 @@ in {
RemainAfterExit="yes";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
};
}

8
modules/nix-bitcoin.nix
View File

@ -60,6 +60,7 @@ in {
services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
services.bitcoind.enforceTor = true;
services.bitcoind.port = 8333;
services.bitcoind.rpcuser = "bitcoinrpc";
services.bitcoind.extraConfig = ''
@ -82,6 +83,7 @@ in {
# clightning
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
services.clightning.proxy = config.services.tor.client.socksListenAddress;
services.clightning.enforceTor = true;
services.clightning.always-use-proxy = true;
services.clightning.bind-addr = "127.0.0.1:9735";
services.tor.hiddenServices.clightning = {
@ -128,6 +130,8 @@ in {
};
};
services.nix-bitcoin-webindex.enforceTor = true;
services.liquidd.rpcuser = "liquidrpc";
services.liquidd.prune = 1000;
services.liquidd.extraConfig = "
@ -136,6 +140,7 @@ in {
";
services.liquidd.listen = true;
services.liquidd.proxy = config.services.tor.client.socksListenAddress;
services.liquidd.enforceTor = true;
services.liquidd.port = 7042;
services.tor.hiddenServices.liquidd = {
map = [{
@ -143,9 +148,10 @@ in {
}];
version = 3;
};
services.spark-wallet.onion-service = true;
services.electrs.port = 50001;
services.electrs.enforceTor = true;
services.electrs.onionport = 50002;
services.electrs.nginxport = 50003;
services.electrs.high-memory = false;

2
modules/onion-chef.nix
View File

@ -8,7 +8,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.onion-chef;
dataDir = "/var/lib/onion-chef/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" ''

5
modules/recurring-donations.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.recurring-donations;
recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
@ -89,7 +89,8 @@ in {
# working inside the shell script
User = "clightning";
Type = "oneshot";
} // nix-bitcoin-services.defaultHardening;
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
};
systemd.timers.recurring-donations = {
requires = [ "clightning.service" ];

6
modules/spark-wallet.nix
View File

@ -3,7 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.spark-wallet;
dataDir = "/var/lib/spark-wallet/";
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
@ -64,7 +64,9 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
} // nix-bitcoin-services.nodeHardening;
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.node
// nix-bitcoin-services.allowTor;
};
};
}