diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index 7d9d031..6f2dc1c 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -255,19 +255,17 @@ in { sysperms = true; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.bitcoind = { description = "Bitcoin daemon"; requires = [ "nix-bitcoin-secrets.target" ]; after = [ "network.target" "nix-bitcoin-secrets.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - if [[ ! -e ${cfg.dataDir} ]]; then - mkdir -m 0770 -p '${cfg.dataDir}' - fi - if [[ ! -e ${cfg.dataDir}/blocks ]]; then - mkdir -m 0770 -p '${cfg.dataDir}/blocks' - fi - chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"} cfg=$(cat ${configFile}; printf "rpcpassword="; cat "${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword") @@ -282,17 +280,14 @@ in { sleep 0.05 done ''; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { User = "${cfg.user}"; Group = "${cfg.group}"; ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'"; Restart = "on-failure"; UMask = mkIf cfg.dataDirReadableByGroup "0027"; - - # Permission for preStart - PermissionsStartOnly = "true"; - } // nix-bitcoin-services.defaultHardening - // (if cfg.enforceTor + ReadWritePaths = "${cfg.dataDir}"; + } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP) // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nix-bitcoin-services.allowAnyProtocol; @@ -320,11 +315,11 @@ in { fi done ''; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { User = "${cfg.user}"; Group = "${cfg.group}"; - } // nix-bitcoin-services.defaultHardening - // nix-bitcoin-services.allowTor; + ReadWritePaths = "${cfg.dataDir}"; + } // nix-bitcoin-services.allowTor; }; users.users.${cfg.user} = { @@ -332,9 +327,11 @@ in { description = "Bitcoin daemon user"; }; users.groups.${cfg.group} = {}; + users.groups.bitcoinrpc = {}; nix-bitcoin.secrets.bitcoin-rpcpassword = { user = "bitcoin"; + group = "bitcoinrpc"; }; }; } diff --git a/modules/clightning.nix b/modules/clightning.nix index 4a08ae0..1b6ffff 100644 --- a/modules/clightning.nix +++ b/modules/clightning.nix @@ -59,6 +59,16 @@ in { default = "/var/lib/clightning"; description = "The data directory for clightning."; }; + user = mkOption { + type = types.str; + default = "clightning"; + description = "The user as which to run clightning."; + }; + group = mkOption { + type = types.str; + default = cfg.user; + description = "The group as which to run clightning."; + }; cli = mkOption { readOnly = true; default = pkgs.writeScriptBin "lightning-cli" @@ -72,11 +82,16 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ pkgs.nix-bitcoin.clightning (hiPrio cfg.cli) ]; - users.users.clightning = { + users.users.${cfg.user} = { description = "clightning User"; - group = "clightning"; + group = cfg.group; + extraGroups = [ "bitcoinrpc" ]; }; - users.groups.clightning = {}; + users.groups.${cfg.group} = {}; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" + ]; systemd.services.clightning = { description = "Run clightningd"; @@ -85,22 +100,20 @@ in { requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; preStart = '' - mkdir -m 0770 -p ${cfg.dataDir} cp ${configFile} ${cfg.dataDir}/config - chown -R 'clightning:clightning' '${cfg.dataDir}' + chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' # The RPC socket has to be removed otherwise we might have stale sockets rm -f ${cfg.dataDir}/bitcoin/lightning-rpc chmod 600 ${cfg.dataDir}/config echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config' ''; - serviceConfig = { - PermissionsStartOnly = "true"; + serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart = "${pkgs.nix-bitcoin.clightning}/bin/lightningd --lightning-dir=${cfg.dataDir}"; - User = "clightning"; + User = "${cfg.user}"; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // (if cfg.enforceTor + ReadWritePaths = "${cfg.dataDir}"; + } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP ); diff --git a/modules/electrs.nix b/modules/electrs.nix index 5b62149..4c2b95f 100644 --- a/modules/electrs.nix +++ b/modules/electrs.nix @@ -63,22 +63,23 @@ in { config = mkIf cfg.enable (mkMerge [{ environment.systemPackages = [ pkgs.nix-bitcoin.electrs ]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.electrs = { description = "Electrs Electrum Server"; wantedBy = [ "multi-user.target" ]; requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; preStart = '' - mkdir -m 0770 -p ${cfg.dataDir} - chown -R '${cfg.user}:${cfg.group}' ${cfg.dataDir} echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \ > electrs.toml ''; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { RuntimeDirectory = "electrs"; RuntimeDirectoryMode = "700"; WorkingDirectory = "/run/electrs"; - PermissionsStartOnly = "true"; ExecStart = '' ${pkgs.nix-bitcoin.electrs}/bin/electrs -vvv \ ${if cfg.high-memory then @@ -96,8 +97,8 @@ in { Group = cfg.group; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // (if cfg.enforceTor + ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${config.services.bitcoind.dataDir}" else ""}"; + } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP ); @@ -106,7 +107,7 @@ in { users.users.${cfg.user} = { description = "electrs User"; group = cfg.group; - extraGroups = optionals cfg.high-memory [ "bitcoin" ]; + extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ]; }; users.groups.${cfg.group} = {}; } diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix index 0da37c3..d5d1d67 100644 --- a/modules/lightning-charge.nix +++ b/modules/lightning-charge.nix @@ -50,15 +50,16 @@ in { chmod 600 ${cfg.dataDir}/lightning-charge.db fi ''; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { + # Needed to access clightning.dataDir in preStart PermissionsStartOnly = "true"; EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env"; ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db"; User = user; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // nix-bitcoin-services.nodejs + ReadWritePaths = "${cfg.dataDir}"; + } // nix-bitcoin-services.nodejs // nix-bitcoin-services.allowTor; }; nix-bitcoin.secrets.lightning-charge-env.user = user; diff --git a/modules/liquid.nix b/modules/liquid.nix index 2bb604e..d943eb2 100644 --- a/modules/liquid.nix +++ b/modules/liquid.nix @@ -200,40 +200,39 @@ in { (hiPrio cfg.cli) (hiPrio cfg.swap-cli) ]; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.liquidd = { description = "Elements daemon providing access to the Liquid sidechain"; requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - if ! test -e ${cfg.dataDir}; then - mkdir -m 0770 -p '${cfg.dataDir}' - fi cp '${configFile}' '${cfg.dataDir}/elements.conf' - chmod o-rw '${cfg.dataDir}/elements.conf' + chmod 640 '${cfg.dataDir}/elements.conf' chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" >> '${cfg.dataDir}/elements.conf' echo "mainchainrpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/elements.conf' ''; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { Type = "simple"; User = "${cfg.user}"; Group = "${cfg.group}"; ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}"; - StateDirectory = "liquidd"; PIDFile = "${pidFile}"; Restart = "on-failure"; - - # Permission for preStart - PermissionsStartOnly = "true"; - } // nix-bitcoin-services.defaultHardening - // (if cfg.enforceTor + ReadWritePaths = "${cfg.dataDir}"; + } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP ); }; users.users.${cfg.user} = { group = cfg.group; + extraGroups = [ "bitcoinrpc" ]; description = "Liquid sidechain user"; }; users.groups.${cfg.group} = {}; diff --git a/modules/lnd.nix b/modules/lnd.nix index 3df08b6..a66d9a8 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -78,6 +78,16 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 lnd lnd - -" + ]; + + services.bitcoind = { + zmqpubrawblock = "tcp://127.0.0.1:28332"; + zmqpubrawtx = "tcp://127.0.0.1:28333"; + }; + systemd.services.lnd = { description = "Run LND"; path = [ pkgs.nix-bitcoin.bitcoind ]; @@ -85,76 +95,78 @@ in { requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; preStart = '' - mkdir -m 0770 -p ${cfg.dataDir} - cp ${configFile} ${cfg.dataDir}/lnd.conf - chown -R 'lnd:lnd' '${cfg.dataDir}' - chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf + install -m600 ${configFile} '${cfg.dataDir}/lnd.conf' echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/lnd.conf' ''; - serviceConfig = { - PermissionsStartOnly = "true"; + serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf"; User = "lnd"; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // (if cfg.enforceTor + ReadWritePaths = "${cfg.dataDir}"; + ExecStartPost = [ + # Run fully privileged for secrets dir write access + "+${nix-bitcoin-services.script '' + attempts=50 + while ! { exec 3>/dev/tcp/127.0.0.1/8080 && exec 3>&-; } &>/dev/null; do + ((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; } + sleep 0.1 + done + + mnemonic=${secretsDir}/lnd-seed-mnemonic + if [[ ! -f $mnemonic ]]; then + echo Create lnd seed + + ${pkgs.curl}/bin/curl -s \ + --cacert ${secretsDir}/lnd-cert \ + -X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" + fi + chown lnd: "$mnemonic" + chmod 400 "$mnemonic" + ''}" + "${let + mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet"; + in nix-bitcoin-services.script '' + if [[ ! -f ${mainnetDir}/wallet.db ]]; then + echo Create lnd wallet + + ${pkgs.curl}/bin/curl -s --output /dev/null --show-error \ + --cacert ${secretsDir}/lnd-cert \ + -X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \ + \"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \ + https://127.0.0.1:8080/v1/initwallet + + # Guarantees that RPC calls with cfg.cli succeed after the service is started + echo Wait until wallet is created + while [[ ! -f ${mainnetDir}/admin.macaroon ]]; do + sleep 0.1 + done + else + echo Unlock lnd wallet + + ${pkgs.curl}/bin/curl -s \ + -H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \ + --cacert ${secretsDir}/lnd-cert \ + -X POST \ + -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \ + https://127.0.0.1:8080/v1/unlockwallet + fi + + # Wait until the RPC port is open + while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do + sleep 0.1 + done + ''}" + ]; + } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP ) // nix-bitcoin-services.allowAnyProtocol; # For ZMQ - postStart = let - mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet"; - in '' - umask 377 - - attempts=50 - while ! { exec 3>/dev/tcp/127.0.0.1/8080 && exec 3>&-; } &>/dev/null; do - ((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; } - sleep 0.1 - done - - if [[ ! -f ${secretsDir}/lnd-seed-mnemonic ]]; then - echo Create lnd seed - - ${pkgs.curl}/bin/curl -s \ - --cacert ${secretsDir}/lnd-cert \ - -X GET https://127.0.0.1:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > ${secretsDir}/lnd-seed-mnemonic - fi - - if [[ ! -f ${mainnetDir}/wallet.db ]]; then - echo Create lnd wallet - - ${pkgs.curl}/bin/curl -s --output /dev/null --show-error \ - --cacert ${secretsDir}/lnd-cert \ - -X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \ - \"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \ - https://127.0.0.1:8080/v1/initwallet - - # Guarantees that RPC calls with cfg.cli succeed after the service is started - echo Wait until wallet is created - while [[ ! -f ${mainnetDir}/admin.macaroon ]]; do - sleep 0.1 - done - else - echo Unlock lnd wallet - - ${pkgs.curl}/bin/curl -s \ - -H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \ - --cacert ${secretsDir}/lnd-cert \ - -X POST \ - -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \ - https://127.0.0.1:8080/v1/unlockwallet - fi - - # Wait until the RPC port is open - while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do - sleep 0.1 - done - ''; }; users.users.lnd = { description = "LND User"; group = "lnd"; + extraGroups = [ "bitcoinrpc" ]; home = cfg.dataDir; # lnd creates .lnd dir in HOME }; users.groups.lnd = {}; diff --git a/modules/modules.nix b/modules/modules.nix index 4c6d291..faf12a7 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -21,7 +21,7 @@ options = { nix-bitcoin-services = lib.mkOption { readOnly = true; - default = import ./nix-bitcoin-services.nix lib; + default = import ./nix-bitcoin-services.nix lib pkgs; }; }; diff --git a/modules/nanopos.nix b/modules/nanopos.nix index 2fa5894..6cc1529 100644 --- a/modules/nanopos.nix +++ b/modules/nanopos.nix @@ -58,14 +58,13 @@ in { wantedBy = [ "multi-user.target" ]; requires = [ "lightning-charge.service" ]; after = [ "lightning-charge.service" ]; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { EnvironmentFile = "${config.nix-bitcoin.secretsDir}/nanopos-env"; ExecStart = "${pkgs.nix-bitcoin.nanopos}/bin/nanopos -y ${cfg.itemsFile} -p ${toString cfg.port} --show-bolt11"; User = "nanopos"; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // nix-bitcoin-services.nodejs + } // nix-bitcoin-services.nodejs // nix-bitcoin-services.allowTor; }; users.users.nanopos = { diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix index c04e14c..daf1355 100644 --- a/modules/nix-bitcoin-services.nix +++ b/modules/nix-bitcoin-services.nix @@ -1,13 +1,14 @@ # See `man systemd.exec` and `man systemd.resource-control` for an explanation # of the various systemd options available through this module. -lib: +lib: pkgs: with lib; { + # These settings roughly follow systemd's "strict" security profile defaultHardening = { PrivateTmp = "true"; - ProtectSystem = "full"; + ProtectSystem = "strict"; ProtectHome = "true"; NoNewPrivileges = "true"; PrivateDevices = "true"; @@ -19,7 +20,15 @@ with lib; RestrictNamespaces = "true"; LockPersonality = "true"; IPAddressDeny = "any"; - SystemCallFilter= "accept accept4 access adjtimex alarm bind brk capget capset chdir chmod chown chown32 clock_getres clock_gettime clock_nanosleep close connect copy_file_range creat dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftruncate ftruncate64 futex futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents io_pgetevents ioprio_get ioprio_set io_setup io_submit ipc kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr _llseek lremovexattr lseek lsetxattr lstat lstat64 madvise memfd_create mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 mprotect mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap nanosleep newfstatat _newselect open openat pause pipe pipe2 poll ppoll prctl pread64 preadv preadv2 prlimit64 pselect6 pwrite64 pwritev pwritev2 read readahead readlink readlinkat readv recv recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp select semctl semget semop semtimedop send sendfile sendfile64 sendmmsg sendmsg sendto setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 setitimer setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address setuid setuid32 setxattr shmat shmctl shmdt shmget shutdown sigaltstack signalfd signalfd4 sigreturn socket socketcall socketpair splice stat stat64 statfs statfs64 statx symlink symlinkat sync sync_file_range syncfs sysinfo tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_settime timer_getoverrun timer_gettime timer_settime times tkill truncate truncate64 ugetrlimit umask uname unlink unlinkat utime utimensat utimes vfork vmsplice wait4 waitid waitpid write writev arm_fadvise64_64 arm_sync_file_range sync_file_range2 breakpoint cacheflush set_tls arch_prctl modify_ldt clone"; + PrivateUsers = "true"; + RestrictSUIDSGID = "true"; + RemoveIPC = "true"; + RestrictRealtime = "true"; + ProtectHostname = "true"; + CapabilityBoundingSet = ""; + # @system-service whitelist and docker seccomp blacklist (except for "clone" + # which is a core requirement for systemd services) + SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ]; SystemCallArchitectures= "native"; }; @@ -41,4 +50,9 @@ with lib; to 127.0.0.1;"; ''; }; + + script = src: pkgs.writers.writeBash "script" '' + set -eo pipefail + ${src} + ''; } diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix index 6eb8a02..a857ffb 100644 --- a/modules/nix-bitcoin-webindex.nix +++ b/modules/nix-bitcoin-webindex.nix @@ -28,9 +28,8 @@ let ''; createWebIndex = pkgs.writeText "make-index.sh" '' set -e - mkdir -p /var/www/ cp ${indexFile} /var/www/index.html - chown -R nginx /var/www/ + chown -R nginx:nginx /var/www/ nodeinfo . <(nodeinfo) sed -i "s/CLIGHTNING_ID/$CLIGHTNING_ID/g" /var/www/index.html @@ -48,6 +47,10 @@ in { }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d /var/www 0755 nginx nginx - -" + ]; + services.nginx = { enable = true; virtualHosts."_" = { @@ -81,15 +84,18 @@ in { jq sudo ]; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart="${pkgs.bash}/bin/bash ${createWebIndex}"; User = "root"; Type = "simple"; RemainAfterExit="yes"; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // (if cfg.enforceTor + PrivateNetwork = "true"; # This service needs no network access + PrivateUsers = "false"; + ReadWritePaths = "/var/www"; + CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"; + } // (if cfg.enforceTor then nix-bitcoin-services.allowTor else nix-bitcoin-services.allowAnyIP ); diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix index df9c36f..2fe3839 100644 --- a/modules/onion-chef.nix +++ b/modules/onion-chef.nix @@ -15,7 +15,6 @@ let # wait until tor is up until ls -l /var/lib/tor/state; do sleep 1; done - mkdir -p -m 0755 ${dataDir} cd ${dataDir} # Create directory for every user and set permissions @@ -68,16 +67,24 @@ in { }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${dataDir}' 0755 root root - -" + ]; + systemd.services.onion-chef = { description = "Run onion-chef"; wantedBy = [ "tor.service" ]; bindsTo = [ "tor.service" ]; after = [ "tor.service" ]; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart = "${pkgs.bash}/bin/bash ${onion-chef-script}"; Type = "oneshot"; RemainAfterExit = true; - } // nix-bitcoin-services.defaultHardening; + PrivateNetwork = "true"; # This service needs no network access + PrivateUsers = "false"; + ReadWritePaths = "${dataDir}"; + CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"; + }; }; }; } diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix index d010c0f..7e1704f 100644 --- a/modules/presets/secure-node.nix +++ b/modules/presets/secure-node.nix @@ -60,8 +60,6 @@ in { proxy = cfg.tor.client.socksListenAddress; enforceTor = true; port = 8333; - zmqpubrawblock = "tcp://127.0.0.1:28332"; - zmqpubrawtx = "tcp://127.0.0.1:28333"; assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6"; addnodes = [ "ecoc5q34tmbq54wl.onion" ]; discover = false; diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix index dcc61a6..659891a 100644 --- a/modules/recurring-donations.nix +++ b/modules/recurring-donations.nix @@ -90,12 +90,11 @@ in { requires = [ "clightning.service" ]; after = [ "clightning.service" ]; path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ]; - serviceConfig = { + serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}"; User = "recurring-donations"; Type = "oneshot"; - } // nix-bitcoin-services.defaultHardening - // nix-bitcoin-services.allowTor; + } // nix-bitcoin-services.allowTor; }; systemd.timers.recurring-donations = { requires = [ "clightning.service" ]; diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix index a4b5319..a329def 100644 --- a/modules/spark-wallet.nix +++ b/modules/spark-wallet.nix @@ -5,7 +5,6 @@ with lib; let cfg = config.services.spark-wallet; inherit (config) nix-bitcoin-services; - dataDir = "/var/lib/spark-wallet/"; onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []); run-spark-wallet = pkgs.writeScript "run-spark-wallet" '' CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c ${config.nix-bitcoin.secretsDir}/spark-wallet-login" @@ -71,14 +70,13 @@ in { wantedBy = [ "multi-user.target" ]; requires = [ "clightning.service" ] ++ onion-chef-service; after = [ "clightning.service" ] ++ onion-chef-service; - serviceConfig = { - PermissionsStartOnly = "true"; + serviceConfig = nix-bitcoin-services.defaultHardening // { ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}"; User = "spark-wallet"; Restart = "on-failure"; RestartSec = "10s"; - } // nix-bitcoin-services.defaultHardening - // nix-bitcoin-services.nodejs + ReadWritePaths = "/var/lib/onion-chef"; + } // nix-bitcoin-services.nodejs // nix-bitcoin-services.allowTor; }; nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";