Use IPAddress{Allow,Deny} by default for systemd services

This commit is contained in:
Jonas Nick 2019-04-27 23:53:26 +00:00
parent d9533edad1
commit eaaf8e9aab
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
12 changed files with 79 additions and 22 deletions

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.bitcoind; cfg = config.services.bitcoind;
pidFile = "${cfg.dataDir}/bitcoind.pid"; pidFile = "${cfg.dataDir}/bitcoind.pid";
configFile = pkgs.writeText "bitcoin.conf" '' configFile = pkgs.writeText "bitcoin.conf" ''
@ -193,6 +193,7 @@ in {
to stay under the specified target size in MiB) to stay under the specified target size in MiB)
''; '';
}; };
enforceTor = nix-bitcoin-services.enforceTor;
}; };
}; };
@ -236,7 +237,11 @@ in {
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
}; };
systemd.services.bitcoind-import-banlist = { systemd.services.bitcoind-import-banlist = {
description = "Bitcoin daemon banlist importer"; description = "Bitcoin daemon banlist importer";
@ -272,7 +277,8 @@ in {
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.clightning; cfg = config.services.clightning;
configFile = pkgs.writeText "config" '' configFile = pkgs.writeText "config" ''
autolisten=${if cfg.autolisten then "true" else "false"} autolisten=${if cfg.autolisten then "true" else "false"}
@ -57,6 +57,7 @@ in {
default = "/var/lib/clightning"; default = "/var/lib/clightning";
description = "The data directory for clightning."; description = "The data directory for clightning.";
}; };
enforceTor = nix-bitcoin-services.enforceTor;
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -94,7 +95,11 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
}; };
}; };
} }

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.electrs; cfg = config.services.electrs;
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}"; index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}"; jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
@ -43,6 +43,7 @@ in {
default = 50003; default = 50003;
description = "Override the default port on which to listen for connections."; description = "Override the default port on which to listen for connections.";
}; };
enforceTor = nix-bitcoin-services.enforceTor;
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -75,7 +76,11 @@ in {
User = "electrs"; User = "electrs";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
}; };
services.nginx = { services.nginx = {

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.lightning-charge; cfg = config.services.lightning-charge;
in { in {
options.services.lightning-charge = { options.services.lightning-charge = {
@ -38,7 +38,9 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.nodeHardening; } // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.node
// nix-bitcoin-services.allowTor;
}; };
}; };
} }

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.liquidd; cfg = config.services.liquidd;
pidFile = "${cfg.dataDir}/liquidd.pid"; pidFile = "${cfg.dataDir}/liquidd.pid";
configFile = pkgs.writeText "liquid.conf" '' configFile = pkgs.writeText "liquid.conf" ''
@ -166,6 +166,7 @@ in {
to stay under the specified target size in MiB) to stay under the specified target size in MiB)
''; '';
}; };
enforceTor = nix-bitcoin-services.enforceTor;
}; };
}; };
@ -198,7 +199,11 @@ in {
# Permission for preStart # Permission for preStart
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
name = cfg.user; name = cfg.user;

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.nanopos; cfg = config.services.nanopos;
defaultItemsFile = pkgs.writeText "items.yaml" '' defaultItemsFile = pkgs.writeText "items.yaml" ''
tea: tea:
@ -74,7 +74,9 @@ in {
User = "nanopos"; User = "nanopos";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.nodeHardening; } // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.node
// nix-bitcoin-services.allowTor;
}; };
}; };
} }

View File

@ -1,3 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let let
defaultHardening = { defaultHardening = {
PrivateTmp = "true"; PrivateTmp = "true";
@ -11,12 +15,26 @@ let
ProtectControlGroups = "true"; ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
LockPersonality = "true"; LockPersonality = "true";
IPAddressDeny = "any";
}; };
in in
{ {
inherit defaultHardening; inherit defaultHardening;
# node applications apparently rely on memory write execute # node applications apparently rely on memory write execute
nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; }; node = { MemoryDenyWriteExecute = "false"; };
# Allow tor traffic. Allow takes precedence over Deny.
allowTor = { IPAddressAllow = "127.0.0.1/32"; };
# Allow any traffic
allowAnyIP = { IPAddressAllow = "any"; };
enforceTor = mkOption {
type = types.bool;
default = false;
description = ''
"Whether to force Tor on a service by only allowing connections from and
to 127.0.0.1;";
'';
};
} }

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.nix-bitcoin-webindex; cfg = config.services.nix-bitcoin-webindex;
indexFile = pkgs.writeText "index.html" '' indexFile = pkgs.writeText "index.html" ''
<html> <html>
@ -44,6 +44,7 @@ in {
If enabled, the webindex service will be installed. If enabled, the webindex service will be installed.
''; '';
}; };
enforceTor = nix-bitcoin-services.enforceTor;
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -81,7 +82,11 @@ in {
RemainAfterExit="yes"; RemainAfterExit="yes";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// (if cfg.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
}; };
}; };
} }

View File

@ -60,6 +60,7 @@ in {
services.bitcoind.sysperms = if config.services.electrs.enable then true else null; services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null; services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
services.bitcoind.proxy = config.services.tor.client.socksListenAddress; services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
services.bitcoind.enforceTor = true;
services.bitcoind.port = 8333; services.bitcoind.port = 8333;
services.bitcoind.rpcuser = "bitcoinrpc"; services.bitcoind.rpcuser = "bitcoinrpc";
services.bitcoind.extraConfig = '' services.bitcoind.extraConfig = ''
@ -82,6 +83,7 @@ in {
# clightning # clightning
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser; services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
services.clightning.proxy = config.services.tor.client.socksListenAddress; services.clightning.proxy = config.services.tor.client.socksListenAddress;
services.clightning.enforceTor = true;
services.clightning.always-use-proxy = true; services.clightning.always-use-proxy = true;
services.clightning.bind-addr = "127.0.0.1:9735"; services.clightning.bind-addr = "127.0.0.1:9735";
services.tor.hiddenServices.clightning = { services.tor.hiddenServices.clightning = {
@ -128,6 +130,8 @@ in {
}; };
}; };
services.nix-bitcoin-webindex.enforceTor = true;
services.liquidd.rpcuser = "liquidrpc"; services.liquidd.rpcuser = "liquidrpc";
services.liquidd.prune = 1000; services.liquidd.prune = 1000;
services.liquidd.extraConfig = " services.liquidd.extraConfig = "
@ -136,6 +140,7 @@ in {
"; ";
services.liquidd.listen = true; services.liquidd.listen = true;
services.liquidd.proxy = config.services.tor.client.socksListenAddress; services.liquidd.proxy = config.services.tor.client.socksListenAddress;
services.liquidd.enforceTor = true;
services.liquidd.port = 7042; services.liquidd.port = 7042;
services.tor.hiddenServices.liquidd = { services.tor.hiddenServices.liquidd = {
map = [{ map = [{
@ -146,6 +151,7 @@ in {
services.spark-wallet.onion-service = true; services.spark-wallet.onion-service = true;
services.electrs.port = 50001; services.electrs.port = 50001;
services.electrs.enforceTor = true;
services.electrs.onionport = 50002; services.electrs.onionport = 50002;
services.electrs.nginxport = 50003; services.electrs.nginxport = 50003;
services.electrs.high-memory = false; services.electrs.high-memory = false;

View File

@ -8,7 +8,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.onion-chef; cfg = config.services.onion-chef;
dataDir = "/var/lib/onion-chef/"; dataDir = "/var/lib/onion-chef/";
onion-chef-script = pkgs.writeScript "onion-chef.sh" '' onion-chef-script = pkgs.writeScript "onion-chef.sh" ''

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.recurring-donations; cfg = config.services.recurring-donations;
recurring-donations-script = pkgs.writeScript "recurring-donations.sh" '' recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}" LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
@ -89,7 +89,8 @@ in {
# working inside the shell script # working inside the shell script
User = "clightning"; User = "clightning";
Type = "oneshot"; Type = "oneshot";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.allowTor;
}; };
systemd.timers.recurring-donations = { systemd.timers.recurring-donations = {
requires = [ "clightning.service" ]; requires = [ "clightning.service" ];

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
nix-bitcoin-services = import ./nix-bitcoin-services.nix; nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
cfg = config.services.spark-wallet; cfg = config.services.spark-wallet;
dataDir = "/var/lib/spark-wallet/"; dataDir = "/var/lib/spark-wallet/";
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []); onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
@ -64,7 +64,9 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.nodeHardening; } // nix-bitcoin-services.defaultHardening
// nix-bitcoin-services.node
// nix-bitcoin-services.allowTor;
}; };
}; };
} }