Merge branch 'service-hardening'

Jonas Nick
2019-05-03 15:51:38 +00:00
14 changed files with 123 additions and 58 deletions


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.bitcoind;
pidFile = "${cfg.dataDir}/bitcoind.pid";
configFile = pkgs.writeText "bitcoin.conf" ''
@@ -192,6 +193,7 @@ in {
to stay under the specified target size in MiB)
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
};
};
@@ -235,7 +237,11 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
};
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
systemd.services.bitcoind-import-banlist = {
description = "Bitcoin daemon banlist importer";
@@ -269,16 +275,10 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}";
StateDirectory = "bitcoind";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
# Permission for preStart
PermissionsStartOnly = "true";
};
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
};
users.users.${cfg.user} = {
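Review bot: In `} // nix-bitcoin-services.defaultHardening // (if cfg.enforceTor ... )` the right-hand set wins on every key, so a value a service sets in its own `serviceConfig` that also exists in `defaultHardening` (a stricter `ProtectSystem`, a different `RestrictAddressFamilies`) would be silently replaced by the shared default; the keys do not overlap today, but the same shape is used in the clightning, electrs, lightning-charge, liquidd, nanopos, nix-bitcoin-webindex, onion-chef, recurring-donations and spark-wallet hunks. Merging the shared sets on the left, `serviceConfig = nix-bitcoin-services.defaultHardening // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP) // {` followed by the per-service keys, lets a unit tighten its own sandbox and makes any conflict visible in the hunk. The `serviceConfig = {` line and the rest of the unit start outside this hunk. The `bitcoind-import-banlist` unit further down hard-wires `allowTor` regardless of `cfg.enforceTor`; that looks intended, presumably because it only talks to the local RPC, but a one-line comment on that line saying why loopback is enough would record it.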


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.clightning;
configFile = pkgs.writeText "config" ''
autolisten=${if cfg.autolisten then "true" else "false"}
@@ -56,6 +57,7 @@ in {
default = "/var/lib/clightning";
description = "The data directory for clightning.";
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
@@ -93,12 +95,11 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
};
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
};
}


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.electrs;
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
@@ -42,6 +43,7 @@ in {
default = 50003;
description = "Override the default port on which to listen for connections.";
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
@@ -74,11 +76,11 @@ in {
User = "electrs";
Restart = "on-failure";
RestartSec = "10s";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
services.nginx = {


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.lightning-charge;
in {
options.services.lightning-charge = {
@@ -37,11 +38,9 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
};
}
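Review bot: `// nix-bitcoin-services.nodejs` re-enables writable-and-executable memory for this unit (`MemoryDenyWriteExecute = "false"`), and nothing at the call site says why; the shared module only says node "apparently" relies on it. A comment on that line, `# MemoryDenyWriteExecute disabled: node's JIT appears to need writable+executable pages`, records the trade-off next to the service that pays for it, and the same applies to the nanopos and spark-wallet hunks. These three units also take `allowTor` unconditionally instead of an `enforceTor` option like the daemons; if that is deliberate because they are only reached through nginx or a Tor hidden service, a comment saying so would stop a later reader from "fixing" the inconsistency. The `serviceConfig = {` line is outside this hunk.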


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.liquidd;
pidFile = "${cfg.dataDir}/liquidd.pid";
configFile = pkgs.writeText "liquid.conf" ''
@@ -165,6 +166,7 @@ in {
to stay under the specified target size in MiB)
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
};
};
@@ -195,20 +197,16 @@ in {
PIDFile = "${pidFile}";
Restart = "on-failure";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
# Permission for preStart
PermissionsStartOnly = "true";
};
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
users.users.${cfg.user} = {
name = cfg.user;
#uid = config.ids.uids.liquid;
group = cfg.group;
extraGroups = [ "keys" ];
description = "Liquid daemon user";
@@ -216,7 +214,6 @@ in {
};
users.groups.${cfg.group} = {
name = cfg.group;
#gid = config.ids.gids.liquid;
};
};
}


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.nanopos;
defaultItemsFile = pkgs.writeText "items.yaml" ''
tea:
@@ -73,11 +74,9 @@ in {
User = "nanopos";
Restart = "on-failure";
RestartSec = "10s";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
};
}


@@ -0,0 +1,44 @@
{ config, lib, pkgs, ... }:
with lib;
let
defaultHardening = {
PrivateTmp = "true";
ProtectSystem = "full";
ProtectHome = "true";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = "true";
ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "true";
LockPersonality = "true";
IPAddressDeny = "any";
};
in
{
inherit defaultHardening;
# nodejs applications apparently rely on memory write execute
nodejs = { MemoryDenyWriteExecute = "false"; };
# Allow tor traffic. Allow takes precedence over Deny.
allowTor = {
IPAddressAllow = "127.0.0.1/32 ::1/128";
};
# Allow any traffic
allowAnyIP = { IPAddressAllow = "any"; };
enforceTor = mkOption {
type = types.bool;
default = false;
description = ''
"Whether to force Tor on a service by only allowing connections from and
to 127.0.0.1;";
'';
};
}
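Review bot: The `enforceTor` description literal carries stray quotation marks and a semicolon inside the string (`"Whether ... 127.0.0.1;";`), which end up verbatim in the rendered option docs; `description = "Whether to restrict the service to loopback traffic (127.0.0.1 and ::1) via systemd IP address filtering, so that all network access has to go through the local Tor proxy.";` says the same thing cleanly. The wording should also not claim to "force Tor": `IPAddressAllow`/`IPAddressDeny` only filter AF_INET/AF_INET6 sockets, and a service still has to be pointed at a SOCKS proxy on loopback through its own `proxy` option. As far as I recall these directives depend on cgroup BPF support in kernel and systemd, and where that is missing systemd logs a warning and starts the unit unfiltered, so a comment on `IPAddressDeny = "any"` noting that the loopback-only guarantee is only as strong as the host's BPF firewall support would help operators. Finally, `default = false` means a service that forgets to set the option silently gets `allowAnyIP`; `default = true` would make the safe behaviour the default and force the clearnet case to be opted into.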


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.nix-bitcoin-webindex;
indexFile = pkgs.writeText "index.html" ''
<html>
@@ -43,6 +44,7 @@ in {
If enabled, the webindex service will be installed.
'';
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable {
@@ -80,7 +82,11 @@ in {
RemainAfterExit="yes";
Restart = "on-failure";
RestartSec = "10s";
};
} // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
};
}


@@ -60,6 +60,7 @@ in {
services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
services.bitcoind.enforceTor = true;
services.bitcoind.port = 8333;
services.bitcoind.rpcuser = "bitcoinrpc";
services.bitcoind.extraConfig = ''
@@ -82,6 +83,7 @@ in {
# clightning
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
services.clightning.proxy = config.services.tor.client.socksListenAddress;
services.clightning.enforceTor = true;
services.clightning.always-use-proxy = true;
services.clightning.bind-addr = "127.0.0.1:9735";
services.tor.hiddenServices.clightning = {
@@ -128,6 +130,8 @@ in {
};
};
services.nix-bitcoin-webindex.enforceTor = true;
services.liquidd.rpcuser = "liquidrpc";
services.liquidd.prune = 1000;
services.liquidd.extraConfig = "
@@ -136,6 +140,7 @@ in {
";
services.liquidd.listen = true;
services.liquidd.proxy = config.services.tor.client.socksListenAddress;
services.liquidd.enforceTor = true;
services.liquidd.port = 7042;
services.tor.hiddenServices.liquidd = {
map = [{
@@ -143,9 +148,10 @@ in {
}];
version = 3;
};
services.spark-wallet.onion-service = true;
services.electrs.port = 50001;
services.electrs.enforceTor = true;
services.electrs.onionport = 50002;
services.electrs.nginxport = 50003;
services.electrs.high-memory = false;
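Review bot: Every daemon has to opt in here with `services.<name>.enforceTor = true`; because the option defaults to `false` in the shared module, dropping or forgetting one of these lines silently widens that unit to `allowAnyIP` with no evaluation error. A comment above the first one, `# enforceTor must be set per service; the module default is allowAnyIP`, or flipping the module default, makes the fail-open behaviour visible. The loopback allow-list also only works together with the `proxy = config.services.tor.client.socksListenAddress` lines next to it: if that address were ever non-loopback the daemon could not reach Tor at all, which fails closed, but an assertion in the module tying `enforceTor` to a loopback proxy address would turn that into a clear evaluation message instead of a runtime connection failure.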


@@ -8,6 +8,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.onion-chef;
dataDir = "/var/lib/onion-chef/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
@@ -77,11 +78,7 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}";
User = "root";
Type = "oneshot";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
} // nix-bitcoin-services.defaultHardening;
};
};
}
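Review bot: This unit runs as `User = "root"` (the context line above the removed hardening keys), so `defaultHardening` adds less here than for the other services: `NoNewPrivileges`, `PrivateDevices` and `ProtectHome` constrain uid 0 only marginally, and `ProtectSystem = "full"` still leaves `/var` and everything outside `/usr`, `/boot` and `/etc` writable. For a oneshot that only needs to write under `dataDir`, `ProtectSystem = "strict"` with `ReadWritePaths = [ dataDir ]` and a `CapabilityBoundingSet` limited to what the script needs would be the effective hardening; what the script needs is not visible in this hunk. With the current merge order such overrides have to come after the shared set or they are discarded, e.g. `} // nix-bitcoin-services.defaultHardening // { ProtectSystem = "strict"; ReadWritePaths = [ dataDir ]; };`. Since no `allow*` set is merged, `IPAddressDeny = "any"` leaves the unit with no IP connectivity at all, which appears to be fine for a script that only handles local files but is worth a one-line comment on that line.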


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.recurring-donations;
recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
@@ -88,11 +89,8 @@ in {
# working inside the shell script
User = "clightning";
Type = "oneshot";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
};
systemd.timers.recurring-donations = {
requires = [ "clightning.service" ];


@@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.spark-wallet;
dataDir = "/var/lib/spark-wallet/";
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
@@ -63,11 +64,9 @@ in {
User = "clightning";
Restart = "on-failure";
RestartSec = "10s";
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
};
} // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.nodejs
// nix-bitcoin-services.allowTor;
};
};
}