diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index ded8ce4..38f4f7c 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.bitcoind;
 pidFile = "${cfg.dataDir}/bitcoind.pid";
 configFile = pkgs.writeText "bitcoin.conf" ''
@@ -193,6 +193,7 @@ in {
 to stay under the specified target size in MiB)
 '';
 };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 };
@@ -236,7 +237,11 @@ in {
 # Permission for preStart
 PermissionsStartOnly = "true";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP
+ );
 };
 systemd.services.bitcoind-import-banlist = {
 description = "Bitcoin daemon banlist importer";
@@ -272,7 +277,8 @@ in {
 # Permission for preStart
 PermissionsStartOnly = "true";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // nix-bitcoin-services.allowTor;
 };
 users.users.${cfg.user} = {
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 10f1b3b..235be41 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.clightning;
 configFile = pkgs.writeText "config" ''
 autolisten=${if cfg.autolisten then "true" else "false"}
@@ -57,6 +57,7 @@ in {
 default = "/var/lib/clightning";
 description = "The data directory for clightning.";
 };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 config = mkIf cfg.enable {
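Review bot: With `enforceTor = true` the bitcoind unit is confined to 127.0.0.1/32, but the hunk that merges `allowTor` never checks that `cfg.proxy` (the SOCKS address bitcoind is told to use) is itself a loopback address, so a proxy configured on any other address turns into EPERM on every outbound connect at runtime instead of an evaluation-time error. I would add, next to the service definition, `assertions = [ { assertion = !cfg.enforceTor || (cfg.proxy != null && hasPrefix "127.0.0.1:" cfg.proxy); message = "services.bitcoind.enforceTor requires services.bitcoind.proxy to be a 127.0.0.1 SOCKS address"; } ];` (adjust if `proxy` is not a nullable string option; its declaration is outside the hunk). The `bitcoind-import-banlist` unit in the last hunk gets `allowTor` unconditionally, which is fine as long as it only talks to the local RPC port, and a one-line comment such as `# only needs the local RPC port, so loopback is always enough` would record that. The enclosing `systemd.services.bitcoind` attribute set starts outside the hunk.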
@@ -94,7 +95,11 @@ in {
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP
+ );
 };
 };
 }
diff --git a/modules/electrs.nix b/modules/electrs.nix
index bf4b850..524bbd1 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.electrs;
 index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
 jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
@@ -43,6 +43,7 @@ in {
 default = 50003;
 description = "Override the default port on which to listen for connections.";
 };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 config = mkIf cfg.enable {
@@ -75,7 +76,11 @@ in {
 User = "electrs";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP
+ );
 };
 services.nginx = {
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index 629eb81..a6d6b19 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.lightning-charge;
 in {
 options.services.lightning-charge = {
@@ -38,7 +38,9 @@ in {
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.nodeHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // nix-bitcoin-services.node
+ // nix-bitcoin-services.allowTor;
 };
 };
 }
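Review bot: `lightning-charge` previously ran under `nodeHardening` with no IP filter and now gets `allowTor` hard-coded, with no `enforceTor` option like the daemons patched in the same commit, so a deployment that serves lightning-charge to a LAN client has no opt-out and the tightening is not mentioned anywhere in the module. If loopback-only is always right because the service is only reached through the local nginx/onion path, a comment above the merge, `# Only reachable through the local onion/nginx path, so loopback-only is unconditional here.`, records that decision; otherwise declare `enforceTor = nix-bitcoin-services.enforceTor;` in its options and use the same `if cfg.enforceTor then … else …` selection the electrs hunk uses. The same applies to the nanopos and spark-wallet hunks elsewhere in this diff. The enclosing `systemd.services.lightning-charge` definition starts outside the hunk.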
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 2112c37..f66b78b 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.liquidd;
 pidFile = "${cfg.dataDir}/liquidd.pid";
 configFile = pkgs.writeText "liquid.conf" ''
@@ -166,6 +166,7 @@ in {
 to stay under the specified target size in MiB)
 '';
 };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 };
@@ -198,7 +199,11 @@ in {
 # Permission for preStart
 PermissionsStartOnly = "true";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP
+ );
 };
 users.users.${cfg.user} = {
 name = cfg.user;
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index 67c872d..729f65c 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.nanopos;
 defaultItemsFile = pkgs.writeText "items.yaml" ''
 tea:
@@ -74,7 +74,9 @@ in {
 User = "nanopos";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.nodeHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // nix-bitcoin-services.node
+ // nix-bitcoin-services.allowTor;
 };
 };
 }
diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index c3150df..9ed5926 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -1,3 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
 let
 defaultHardening = {
 PrivateTmp = "true";
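Review bot: The new header `{ config, lib, pkgs, ... }:` is evaluated through `pkgs.callPackage` at every call site in this diff, and `callPackage` fills arguments from `pkgs` by attribute name, so `config` here is bound to `pkgs.config` (the nixpkgs configuration) rather than the NixOS module `config` the name suggests; the visible hunks do not use `config` or `pkgs` yet, but the first future use will silently read the wrong attribute set. I would drop the unused arguments, `{ lib, ... }:`, or replace `pkgs.callPackage ./nix-bitcoin-services.nix { }` with `import ./nix-bitcoin-services.nix { inherit config lib pkgs; }` at the call sites so the real module arguments are passed. `callPackage` also wraps the returned set with `lib.makeOverridable`, which adds override attributes next to the hardening sets; harmless, but another reason a plain `import` is the clearer fit for a helper that is not a package. The `let` block continues past the hunk.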
@@ -11,12 +15,26 @@ let
 ProtectControlGroups = "true";
 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 LockPersonality = "true";
+ IPAddressDeny = "any";
 };
 in {
 inherit defaultHardening;
 # node applications apparently rely on memory write execute
- nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
+ node = { MemoryDenyWriteExecute = "false"; };
+ # Allow tor traffic. Allow takes precedence over Deny.
+ allowTor = { IPAddressAllow = "127.0.0.1/32"; };
+ # Allow any traffic
+ allowAnyIP = { IPAddressAllow = "any"; };
+
+ enforceTor = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ "Whether to force Tor on a service by only allowing connections from and
+ to 127.0.0.1;";
+ '';
+ };
 }
diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix
index 8cd7e74..96849bf 100644
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.nix-bitcoin-webindex;
 indexFile = pkgs.writeText "index.html" ''
@@ -44,6 +44,7 @@ in {
 If enabled, the webindex service will be installed.
 '';
 };
+ enforceTor = nix-bitcoin-services.enforceTor;
 };
 config = mkIf cfg.enable {
@@ -81,7 +82,11 @@ in {
 RemainAfterExit="yes";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // (if cfg.enforceTor
+ then nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP
+ );
 };
 };
 }
diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix
index ac277f9..55fc4df 100644
--- a/modules/nix-bitcoin.nix
+++ b/modules/nix-bitcoin.nix
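Review bot: `allowTor` admits only `127.0.0.1/32` while `RestrictAddressFamilies` in the same set still permits AF_INET6, so a local client or the Tor SOCKS proxy reached as `localhost` and resolved to `::1` is denied; unless IPv6 loopback is known to be unused everywhere, `IPAddressAllow = "localhost";` (systemd's symbolic name for 127.0.0.0/8 and ::1/128, if the systemd in use supports it) or an explicit `::1/128` is the safer allow list. `IPAddressDeny`/`IPAddressAllow` are enforced through cgroup BPF and, as far as I know, are skipped with only a journal warning on kernels or systemd builds without that support, so the option text should present this as defence in depth rather than a guarantee. The description also embeds literal double quotes and a trailing semicolon inside the `''` string, which render verbatim in the option docs, and it claims to force Tor when the filter only confines IP traffic to loopback (any loopback service stays reachable); I would use `Restrict the unit's IP traffic to the loopback interface, so that it can reach only the local Tor proxy and other local services. Requires cgroup BPF support in the kernel; otherwise the filter is not applied.` The `defaultHardening` set starts before the hunk.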
@@ -60,6 +60,7 @@ in {
 services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
 services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
 services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
+ services.bitcoind.enforceTor = true;
 services.bitcoind.port = 8333;
 services.bitcoind.rpcuser = "bitcoinrpc";
 services.bitcoind.extraConfig = ''
@@ -82,6 +83,7 @@ in {
 # clightning
 services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
 services.clightning.proxy = config.services.tor.client.socksListenAddress;
+ services.clightning.enforceTor = true;
 services.clightning.always-use-proxy = true;
 services.clightning.bind-addr = "127.0.0.1:9735";
 services.tor.hiddenServices.clightning = {
@@ -128,6 +130,8 @@ in {
 };
 };
+ services.nix-bitcoin-webindex.enforceTor = true;
+
 services.liquidd.rpcuser = "liquidrpc";
 services.liquidd.prune = 1000;
 services.liquidd.extraConfig = "
@@ -136,6 +140,7 @@ in {
 ";
 services.liquidd.listen = true;
 services.liquidd.proxy = config.services.tor.client.socksListenAddress;
+ services.liquidd.enforceTor = true;
 services.liquidd.port = 7042;
 services.tor.hiddenServices.liquidd = {
 map = [{
@@ -143,9 +148,10 @@ in {
 }];
 version = 3;
 };
-
+
 services.spark-wallet.onion-service = true;
 services.electrs.port = 50001;
+ services.electrs.enforceTor = true;
 services.electrs.onionport = 50002;
 services.electrs.nginxport = 50003;
 services.electrs.high-memory = false;
diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix
index 71628ed..c222015 100644
--- a/modules/onion-chef.nix
+++ b/modules/onion-chef.nix
@@ -8,7 +8,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.onion-chef;
 dataDir = "/var/lib/onion-chef/";
 onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
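Review bot: These hunks turn `enforceTor` on for bitcoind, clightning, liquidd, electrs and the webindex while pointing the daemons' `proxy` at `config.services.tor.client.socksListenAddress`, but nothing ensures that address is on 127.0.0.1, the only destination `allowTor` permits; a user who moves the Tor SOCKS listener to another address gets daemons that cannot reach any peer, failing at runtime instead of at evaluation. I would add `assertions = [ { assertion = hasPrefix "127.0.0.1:" config.services.tor.client.socksListenAddress; message = "nix-bitcoin enables enforceTor, so services.tor.client.socksListenAddress must be a 127.0.0.1 address"; } ];` to this module (assuming `lib` is in scope as in the other modules; the file header is outside the hunks). `enforceTor` is deliberately not set for spark-wallet, nanopos or lightning-charge because their own modules make them loopback-only unconditionally, and a one-line comment next to `services.spark-wallet.onion-service = true;` saying so would spare the next reader the search.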
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index 6d770cf..a4f46b0 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.recurring-donations;
 recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
 LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
@@ -89,7 +89,8 @@ in {
 # working inside the shell script
 User = "clightning";
 Type = "oneshot";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // nix-bitcoin-services.allowTor;
 };
 systemd.timers.recurring-donations = {
 requires = [ "clightning.service" ];
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 817c377..2a6de71 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- nix-bitcoin-services = import ./nix-bitcoin-services.nix;
+ nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
 cfg = config.services.spark-wallet;
 dataDir = "/var/lib/spark-wallet/";
 onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
@@ -64,7 +64,9 @@ in {
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.nodeHardening;
+ } // nix-bitcoin-services.defaultHardening
+ // nix-bitcoin-services.node
+ // nix-bitcoin-services.allowTor;
 };
 };
 }
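Review bot: The `recurring-donations` oneshot gets `allowTor` merged in, yet the only network client visible in its script is `lightning-cli --lightning-dir=…`, which talks to clightning over its unix RPC socket, and AF_UNIX traffic is not subject to `IPAddressDeny`/`IPAddressAllow` at all; `defaultHardening` alone (all IP traffic denied) is the least-privilege choice for this unit unless the rest of the script, which runs past the hunk, contacts a local IP service. If it does, keeping `allowTor` is right, but a comment naming that dependency, e.g. `# loopback IP is needed for (name the service); lightning-cli itself uses the unix socket`, would stop the next reader from treating the loopback allowance as Tor-related. The `systemd.services.recurring-donations` definition starts outside the hunk.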