services: use doas if enabled

- Remove sudo from recurring-donations path because it's not used by
  the service

- Use doas instead of sudo in secure-node.nix
This commit is contained in:
nixbitcoin 2021-01-30 23:08:43 +01:00
parent ce2b445777
commit 2ca92a34a5
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
7 changed files with 31 additions and 12 deletions


@ -7,6 +7,7 @@ let
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs; nbPkgs = config.nix-bitcoin.pkgs;
secretsDir = config.nix-bitcoin.secretsDir; secretsDir = config.nix-bitcoin.secretsDir;
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services) bitcoind; inherit (config.services) bitcoind;
torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress); torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
@ -84,7 +85,7 @@ let
for bin in jm-*; do for bin in jm-*; do
{ {
echo "#!${pkgs.bash}/bin/bash"; echo "#!${pkgs.bash}/bin/bash";
echo "cd '${cfg.dataDir}' && ${cfg.cliExec} sudo -u ${cfg.user} $jm/$bin --datadir='${cfg.dataDir}' \"\$@\""; echo "cd '${cfg.dataDir}' && ${cfg.cliExec} ${runAsUser} ${cfg.user} $jm/$bin --datadir='${cfg.dataDir}' \"\$@\"";
} > $out/bin/$bin } > $out/bin/$bin
done done
chmod -R +x $out/bin chmod -R +x $out/bin
@ -211,7 +212,7 @@ in {
users.groups.${cfg.group} = {}; users.groups.${cfg.group} = {};
nix-bitcoin.operator = { nix-bitcoin.operator = {
groups = [ cfg.group ]; groups = [ cfg.group ];
sudoUsers = [ cfg.group ]; allowRunAsUsers = [ cfg.group ];
}; };
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user; nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
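Review bot: The generated jm-* wrappers now interpolate `${runAsUser}`, which expands to a bare `doas -u` or `sudo -u`, so each wrapper only works when the invoking user's PATH contains the setuid wrapper; that was already true for `sudo`, but the doas variant is new and easy to miss in non-login shells. On NixOS the setuid wrappers are presumably installed under /run/wrappers/bin, so having the helper emit an absolute path there would make the wrappers independent of the caller's PATH — worth confirming against the NixOS wrapper setup. The same consideration applies to the `lndconnect-rest-onion` shebang and the `lncli` wrapper in the next two sections. The enclosing `let` block and the `for bin in jm-*` loop start outside the hunk.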


@ -6,11 +6,12 @@ let
cfg = config.services.lnd.restOnionService; cfg = config.services.lnd.restOnionService;
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir; secretsDir = config.nix-bitcoin.secretsDir;
runAsUser = config.nix-bitcoin.runAsUserCmd;
lnd = config.services.lnd; lnd = config.services.lnd;
bin = pkgs.writeScriptBin "lndconnect-rest-onion" '' bin = pkgs.writeScriptBin "lndconnect-rest-onion" ''
#!/usr/bin/env -S sudo -u lnd ${pkgs.bash}/bin/bash #!/usr/bin/env -S ${runAsUser} lnd ${pkgs.bash}/bin/bash
exec ${cfg.package}/bin/lndconnect \ exec ${cfg.package}/bin/lndconnect \
--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \ --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \


@ -6,6 +6,7 @@ let
cfg = config.services.lnd; cfg = config.services.lnd;
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir; secretsDir = config.nix-bitcoin.secretsDir;
runAsUser = config.nix-bitcoin.runAsUserCmd;
bitcoind = config.services.bitcoind; bitcoind = config.services.bitcoind;
bitcoindRpcAddress = bitcoind.rpc.address; bitcoindRpcAddress = bitcoind.rpc.address;
@ -123,7 +124,7 @@ in {
default = pkgs.writeScriptBin "lncli" default = pkgs.writeScriptBin "lncli"
# Switch user because lnd makes datadir contents readable by user only # Switch user because lnd makes datadir contents readable by user only
'' ''
sudo -u lnd ${cfg.package}/bin/lncli \ ${runAsUser} lnd ${cfg.package}/bin/lncli \
--rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \ --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
--tlscertpath '${secretsDir}/lnd-cert' \ --tlscertpath '${secretsDir}/lnd-cert' \
--macaroonpath '${networkDir}/admin.macaroon' "$@" --macaroonpath '${networkDir}/admin.macaroon' "$@"
@ -270,7 +271,7 @@ in {
users.groups.lnd = {}; users.groups.lnd = {};
nix-bitcoin.operator = { nix-bitcoin.operator = {
groups = [ "lnd" ]; groups = [ "lnd" ];
sudoUsers = [ "lnd" ]; allowRunAsUsers = [ "lnd" ];
}; };
nix-bitcoin.secrets = { nix-bitcoin.secrets = {


@ -57,6 +57,14 @@ with lib;
"$@" "$@"
''; '';
}; };
# A helper for using doas instead of sudo when doas is enabled
runAsUserCmd = mkOption {
readOnly = true;
default = if config.security.doas.enable
then "doas -u"
else "sudo -u";
};
}; };
}; };
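Review bot: `runAsUserCmd` is declared without a `type` or `description`, unlike the operator module's `allowRunAsUsers` option touched in this same commit, which declares `type = with types; listOf str;` and a description; add `type = types.str;` and a description such as `"Command prefix for running a command as another user: doas -u when doas is enabled, sudo -u otherwise."`. The comment above the option could also explain `readOnly = true`, i.e. that the value is derived from `security.doas.enable` and is not meant to be set by users. Note that the choice keys on `security.doas.enable` alone, so a system with both doas and sudo enabled will use doas for every wrapper. The enclosing options set starts and ends outside the hunk.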


@ -22,7 +22,7 @@ in {
default = []; default = [];
description = "Extra groups."; description = "Extra groups.";
}; };
sudoUsers = mkOption { allowRunAsUsers = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = []; default = [];
description = "Users as which the operator is allowed to run commands."; description = "Users as which the operator is allowed to run commands.";
@ -38,10 +38,14 @@ in {
] ++ cfg.groups; ] ++ cfg.groups;
}; };
security.sudo.extraConfig = mkIf (cfg.sudoUsers != []) (let security = mkIf (cfg.allowRunAsUsers != []) {
users = builtins.concatStringsSep "," cfg.sudoUsers; # Use doas instead of sudo if enabled
in '' doas.extraConfig = mkIf config.security.doas.enable ''
${cfg.name} ALL=(${users}) NOPASSWD: ALL ${lib.concatMapStrings (user: "permit nopass ${cfg.name} as ${user}\n") cfg.allowRunAsUsers}
''); '';
sudo.extraConfig = mkIf (!config.security.doas.enable) ''
${cfg.name} ALL=(${builtins.concatStringsSep "," cfg.allowRunAsUsers}) NOPASSWD: ALL
'';
};
}; };
} }
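Review bot: Renaming `sudoUsers` to `allowRunAsUsers` breaks any existing configuration that still sets `nix-bitcoin.operator.sudoUsers` with an unknown-option error; consider adding `imports = [ (mkRenamedOptionModule [ "nix-bitcoin" "operator" "sudoUsers" ] [ "nix-bitcoin" "operator" "allowRunAsUsers" ]) ];` so old configs keep evaluating. Both new branches keep the previous privilege scope: `permit nopass ${cfg.name} as ${user}` and `NOPASSWD: ALL` allow any command as the target user without a password, which the option description should state explicitly, e.g. `"Users as which the operator is allowed to run any command without a password."`. The `sudo.extraConfig` rule is dropped whenever doas is enabled even if `security.sudo.enable` is still true, which looks intended but deserves a one-line comment. The enclosing `config` attribute set starts outside the hunk.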


@ -20,6 +20,10 @@ in {
nix-bitcoin.security.hideProcessInformation = true; nix-bitcoin.security.hideProcessInformation = true;
# Use doas instead of sudo
security.doas.enable = true;
security.sudo.enable = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jq jq
]; ];
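Review bot: The comment `# Use doas instead of sudo` says what the two lines do but not why, and this is the hardened preset where the rationale matters; suggest `# Use doas instead of sudo: smaller codebase and attack surface. Service wrappers follow this via nix-bitcoin.runAsUserCmd.` Disabling sudo system-wide will break any remaining direct `sudo` invocation that this commit did not port to `runAsUserCmd`, which cannot be verified from this page alone. With sudo gone, whatever rules the NixOS doas module generates for the wheel group (if any) become the only interactive elevation path, so it is worth confirming operators can still elevate. The enclosing module body continues outside the hunk.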


@ -78,7 +78,7 @@ in {
systemd.services.recurring-donations = { systemd.services.recurring-donations = {
requires = [ "clightning.service" ]; requires = [ "clightning.service" ];
after = [ "clightning.service" ]; after = [ "clightning.service" ];
path = with pkgs; [ nix-bitcoin.clightning curl sudo jq ]; path = with pkgs; [ nix-bitcoin.clightning curl jq ];
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}"; ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
User = "recurring-donations"; User = "recurring-donations";