greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
748 Commits 8 Branches 0 Tags 4.1 MiB
1e18d3ea3b
Commit Graph

22 Commits

Author SHA1 Message Date
nixbitcoin
263525d724
nix-bitcoin-services: add nb-services.privileged helper 2020-09-22 13:43:15 +00:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions 
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
 2020-08-25 11:40:27 +02:00
nixbitcoin
e5e07b91f7
netns-isolation: netns architecture 
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
  configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
  systems.
- Adds security wrapper for netns-exec which allows operator to exec
  with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
  addresses
 2020-07-21 09:38:20 +00:00
nixbitcoin
ccc3a70344
service hardening: add more restrictions 
Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
 2020-05-24 11:14:45 +00:00
nixbitcoin
3fbfa98635
service hardening: replace obtuse SystemCallFilter with @system-service 
@system-service whitelist and additional
https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
blacklist.
 2020-05-24 11:14:37 +00:00
nixbitcoin
e34d1c884e
service hardening: Add PrivateUsers 
Exceptions in webindex & onion-chef
 2020-05-22 16:16:19 +00:00
Erik Arvstedt
5f3f362451
lnd: add strict hardening 
Add ProtectSystem=strict, remove PermissionStartOnly.

Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.

Simplify preStart and fix dataDir quoting.
 2020-05-22 16:13:58 +00:00
nixbitcoin
a040e52854
All modules: ProtectSystem = strict 
Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
 2020-05-22 15:47:01 +00:00
nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets 
Whitelist with exceptions in webindex and onion-chef
 2020-05-22 11:29:54 +00:00
Erik Arvstedt
f0a36fe0c7
add 'nix-bitcoin-services' option 
1. Makes the content easily accessible for module users
2. Avoids needlessly recalculating the attrset in every client module
 2020-01-12 20:02:00 +01:00
Erik Arvstedt
7aaf30501c
nix-bitcoin-services: simplify formatting 2020-01-09 10:43:30 +01:00
Jonas Nick
5f567ee1ed
Merge #113: Simplify clightning preStart 
67a464d097 Mention problems with hardened kernel and NUCs in README (Jonas Nick)
7771a4c931 Refer to systemd man pages for hardening options (Jonas Nick)
a5e10a82d8 Simplify clightning preStart (Jonas Nick)

Pull request description:

  CC @cypherpunk2140

Top commit has no ACKs.

Tree-SHA512: aa726f29e499cc268b21cac8cd07617be591cfdaa89dd0495cb979ebd3e49cc01164af25924c554429a1d35d14167dea276f7d61877452b69f027143cc3eee97
 2019-08-21 14:58:22 +00:00
Jonas Nick
1c8dadd876
Add allowAnyProtocol option to nix-bitcoin-services 2019-08-19 21:11:08 +00:00
Jonas Nick
7771a4c931
Refer to systemd man pages for hardening options 2019-08-19 20:44:10 +00:00
Ștefan D. Mihăilă
cd722cac1a
Fix identation 2019-08-18 12:53:08 +02:00
nixbitcoin
7416ec4a29
Limit syscalls with Docker whitelist 2019-05-10 12:42:06 +02:00
Jonas Nick
e1ee5023e2
Rename service settings for 'node' to 'nodejs' to avoid confusion 2019-05-03 10:44:16 +00:00
Jonas Nick
469c1de6a9
Fix electrum after disallowing anything but localhost by adding ipv6 local address 2019-04-28 18:54:13 +00:00
Jonas Nick
6f8dac6e07
Restrict namespaces for systemd services by default 2019-04-28 13:15:17 +00:00
Jonas Nick
eaaf8e9aab
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-28 13:15:17 +00:00
Jonas Nick
d9533edad1
Fix memory deny write execute for nodejs services 2019-04-28 13:15:16 +00:00
Jonas Nick
a089d65d25
Move service hardening flags into separate file 2019-04-28 13:15:12 +00:00