From 2ca92a34a5a48b75a6c79d659086664749d04581 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Sat, 30 Jan 2021 23:08:43 +0100
Subject: [PATCH] services: use doas if enabled

- Remove sudo from recurring-donations path because it's not used by the service
- Use doas instead of sudo in secure-node.nix
---
 modules/joinmarket.nix | 5 +++--
 modules/lnd-rest-onion-service.nix | 3 ++-
 modules/lnd.nix | 5 +++--
 modules/modules.nix | 8 ++++++++
 modules/operator.nix | 16 ++++++++++------
 modules/presets/secure-node.nix | 4 ++++
 modules/recurring-donations.nix | 2 +-
 7 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index 5263097..80da753 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@@ -7,6 +7,7 @@ let
 nbLib = config.nix-bitcoin.lib;
 nbPkgs = config.nix-bitcoin.pkgs;
 secretsDir = config.nix-bitcoin.secretsDir;
+ runAsUser = config.nix-bitcoin.runAsUserCmd;
 inherit (config.services) bitcoind;
 torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
@@ -84,7 +85,7 @@ let
 for bin in jm-*; do
 {
 echo "#!${pkgs.bash}/bin/bash";
- echo "cd '${cfg.dataDir}' && ${cfg.cliExec} sudo -u ${cfg.user} $jm/$bin --datadir='${cfg.dataDir}' \"\$@\"";
+ echo "cd '${cfg.dataDir}' && ${cfg.cliExec} ${runAsUser} ${cfg.user} $jm/$bin --datadir='${cfg.dataDir}' \"\$@\"";
 } > $out/bin/$bin
 done
 chmod -R +x $out/bin
@@ -211,7 +212,7 @@ in {
 users.groups.${cfg.group} = {};
 nix-bitcoin.operator = {
 groups = [ cfg.group ];
- sudoUsers = [ cfg.group ];
+ allowRunAsUsers = [ cfg.group ];
 };
 nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
diff --git a/modules/lnd-rest-onion-service.nix b/modules/lnd-rest-onion-service.nix
index 8e182f1..9af27c0 100644
--- a/modules/lnd-rest-onion-service.nix
+++ b/modules/lnd-rest-onion-service.nix
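Review bot: In the third joinmarket hunk, `allowRunAsUsers = [ cfg.group ];` hands a group name to an option whose description in operator.nix reads "Users as which the operator is allowed to run commands", and the doas rule built from it (`permit nopass … as ${user}`) expects a user name, so the grant only resolves as intended while `cfg.group` happens to equal `cfg.user`. The lnd module passes its user (`"lnd"`), and the wrapper generated in the second hunk switches to `${cfg.user}`, so `allowRunAsUsers = [ cfg.user ];` would be the consistent value. The sudoers form tolerated the mismatch less visibly, which is presumably why it went unnoticed.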
@@ -6,11 +6,12 @@ let
 cfg = config.services.lnd.restOnionService;
 nbLib = config.nix-bitcoin.lib;
 secretsDir = config.nix-bitcoin.secretsDir;
+ runAsUser = config.nix-bitcoin.runAsUserCmd;
 lnd = config.services.lnd;
 bin = pkgs.writeScriptBin "lndconnect-rest-onion" ''
- #!/usr/bin/env -S sudo -u lnd ${pkgs.bash}/bin/bash
+ #!/usr/bin/env -S ${runAsUser} lnd ${pkgs.bash}/bin/bash
 exec ${cfg.package}/bin/lndconnect \
 --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 930d7d4..e051a29 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -6,6 +6,7 @@ let
 cfg = config.services.lnd;
 nbLib = config.nix-bitcoin.lib;
 secretsDir = config.nix-bitcoin.secretsDir;
+ runAsUser = config.nix-bitcoin.runAsUserCmd;
 bitcoind = config.services.bitcoind;
 bitcoindRpcAddress = bitcoind.rpc.address;
@@ -123,7 +124,7 @@ in {
 default = pkgs.writeScriptBin "lncli"
 # Switch user because lnd makes datadir contents readable by user only
 ''
- sudo -u lnd ${cfg.package}/bin/lncli \
+ ${runAsUser} lnd ${cfg.package}/bin/lncli \
 --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
 --tlscertpath '${secretsDir}/lnd-cert' \
 --macaroonpath '${networkDir}/admin.macaroon' "$@"
@@ -270,7 +271,7 @@ in {
 users.groups.lnd = {};
 nix-bitcoin.operator = {
 groups = [ "lnd" ];
- sudoUsers = [ "lnd" ];
+ allowRunAsUsers = [ "lnd" ];
 };
 nix-bitcoin.secrets = {
diff --git a/modules/modules.nix b/modules/modules.nix
index 548bc37..b409f2e 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -57,6 +57,14 @@ with lib;
 "$@"
 '';
 };
+
+ # A helper for using doas instead of sudo when doas is enabled
+ runAsUserCmd = mkOption {
+ readOnly = true;
+ default = if config.security.doas.enable
+ then "doas -u"
+ else "sudo -u";
+ };
 };
 };
diff --git a/modules/operator.nix b/modules/operator.nix
index a7a7361..4be5eb9 100644
--- a/modules/operator.nix
+++ b/modules/operator.nix
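Review bot: The replaced shebang now hands the script to `doas`, which resets the target user's environment, while the body still resolves `cat` through PATH in `--host=$(cat …)`; whether that lookup still works depends on the safe PATH the NixOS doas build uses, which this diff cannot show. An absolute path removes the dependency on either backend's PATH policy: `--host=$(${pkgs.coreutils}/bin/cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \`. The lncli wrapper in lnd.nix already invokes its binary by store path, so only this script is affected; the `bin` definition continues past the end of the hunk.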
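Review bot: The new `runAsUserCmd` option in modules.nix declares neither a `type` nor a `description`, whereas the `allowRunAsUsers` option it pairs with in operator.nix carries both, so the option is untyped and undocumented for module consumers. With `lib` already in scope, add `type = types.str;` and a description along the lines of `description = "Command prefix for running a command as another user: \"doas -u\" when security.doas.enable is set, otherwise \"sudo -u\".";`. The description is also the natural place to state that the choice follows `config.security.doas.enable` alone, which matches the `mkIf (!config.security.doas.enable)` guard on the sudo rule in operator.nix.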
@@ -22,7 +22,7 @@ in {
 default = [];
 description = "Extra groups.";
 };
- sudoUsers = mkOption {
+ allowRunAsUsers = mkOption {
 type = with types; listOf str;
 default = [];
 description = "Users as which the operator is allowed to run commands.";
@@ -38,10 +38,14 @@ in {
 ] ++ cfg.groups;
 };
- security.sudo.extraConfig = mkIf (cfg.sudoUsers != []) (let
- users = builtins.concatStringsSep "," cfg.sudoUsers;
- in ''
- ${cfg.name} ALL=(${users}) NOPASSWD: ALL
- '');
+ security = mkIf (cfg.allowRunAsUsers != []) {
+ # Use doas instead of sudo if enabled
+ doas.extraConfig = mkIf config.security.doas.enable ''
+ ${lib.concatMapStrings (user: "permit nopass ${cfg.name} as ${user}\n") cfg.allowRunAsUsers}
+ '';
+ sudo.extraConfig = mkIf (!config.security.doas.enable) ''
+ ${cfg.name} ALL=(${builtins.concatStringsSep "," cfg.allowRunAsUsers}) NOPASSWD: ALL
+ '';
+ };
 };
 }
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index cf09b60..1c631da 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -20,6 +20,10 @@ in {
 nix-bitcoin.security.hideProcessInformation = true;
+ # Use doas instead of sudo
+ security.doas.enable = true;
+ security.sudo.enable = false;
+
 environment.systemPackages = with pkgs; [ jq ];
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index f1fa533..d4351d2 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -78,7 +78,7 @@ in {
 systemd.services.recurring-donations = {
 requires = [ "clightning.service" ];
 after = [ "clightning.service" ];
- path = with pkgs; [ nix-bitcoin.clightning curl sudo jq ];
+ path = with pkgs; [ nix-bitcoin.clightning curl jq ];
 serviceConfig = nbLib.defaultHardening // {
 ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
 User = "recurring-donations";
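Review bot: Both backends in the second operator.nix hunk grant the operator passwordless, command-unrestricted execution as each listed user (`permit nopass … as …` and `NOPASSWD: ALL`), but the `allowRunAsUsers` description renamed in the first hunk still says only "Users as which the operator is allowed to run commands." Spelling out the breadth of the grant where modules set it helps anyone auditing a configuration: `description = "Users as which the operator may run any command without a password (via doas when security.doas.enable is set, otherwise via sudo).";`. As a minor style point, `concatMapStrings` already terminates every rule with `\n`, so the enclosing `'' … ''` only appends an extra blank line to doas.conf; `lib.concatMapStrings (…) cfg.allowRunAsUsers` on its own would do.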
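Review bot: `security.sudo.enable = false;` in secure-node.nix removes the `wheel` group's sudo path on every node using this preset, and the hunk adds no doas rule for interactive administrators, so whether wheel members retain a privilege path now rests on the NixOS doas module's default wheel rule, which this diff does not show. If relying on that default is the intent, a comment saying so would save the next reader a lookup, e.g. `# wheel users keep privileged access through the NixOS doas module's default wheel rule`; if not, an explicit entry under `security.doas.extraRules` belongs here. Either way the preset's README/changelog should mention that `sudo` is gone, since operators' existing habits and scripts will hit it first.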