Use IPAddress{Allow,Deny} by default for systemd services
This commit is contained in:
parent
d9533edad1
commit
eaaf8e9aab
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.bitcoind;
|
||||
pidFile = "${cfg.dataDir}/bitcoind.pid";
|
||||
configFile = pkgs.writeText "bitcoin.conf" ''
|
||||
@ -193,6 +193,7 @@ in {
|
||||
to stay under the specified target size in MiB)
|
||||
'';
|
||||
};
|
||||
enforceTor = nix-bitcoin-services.enforceTor;
|
||||
};
|
||||
};
|
||||
|
||||
@ -236,7 +237,11 @@ in {
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
};
|
||||
systemd.services.bitcoind-import-banlist = {
|
||||
description = "Bitcoin daemon banlist importer";
|
||||
@ -272,7 +277,8 @@ in {
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
|
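Review bot: bitcoind-import-banlist is merged with `allowTor` unconditionally (third hunk), whereas bitcoind itself switches between allowTor and allowAnyIP on cfg.enforceTor, so the importer can only reach 127.0.0.1 even when Tor is not enforced. That is fine if it only talks to bitcoind's RPC on loopback, which the hunk does not show; if the RPC endpoint can be bound elsewhere, the import now fails closed with a refused connection rather than a clear error. A comment next to the merge would make the intent explicit: `# Importer only needs bitcoind's RPC on loopback, so restrict it regardless of enforceTor`. Both service definitions start outside the hunks.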
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.clightning;
|
||||
configFile = pkgs.writeText "config" ''
|
||||
autolisten=${if cfg.autolisten then "true" else "false"}
|
||||
@ -57,6 +57,7 @@ in {
|
||||
default = "/var/lib/clightning";
|
||||
description = "The data directory for clightning.";
|
||||
};
|
||||
enforceTor = nix-bitcoin-services.enforceTor;
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
@ -94,7 +95,11 @@ in {
|
||||
User = "clightning";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.electrs;
|
||||
index-batch-size = "${if cfg.high-memory then "" else "--index-batch-size=10"}";
|
||||
jsonrpc-import = "${if cfg.high-memory then "" else "--jsonrpc-import"}";
|
||||
@ -43,6 +43,7 @@ in {
|
||||
default = 50003;
|
||||
description = "Override the default port on which to listen for connections.";
|
||||
};
|
||||
enforceTor = nix-bitcoin-services.enforceTor;
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
@ -75,7 +76,11 @@ in {
|
||||
User = "electrs";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.lightning-charge;
|
||||
in {
|
||||
options.services.lightning-charge = {
|
||||
@ -38,7 +38,9 @@ in {
|
||||
User = "clightning";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.nodeHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.node
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
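Review bot: lightning-charge is given loopback-only networking unconditionally (`// nix-bitcoin-services.allowTor`) with no enforceTor option, unlike bitcoind, clightning, electrs, liquidd and webindex in this commit; the same applies to nanopos and spark-wallet further down. That is sound only while the service listens on 127.0.0.1 and is presumably reached through a local proxy or an onion service; a deployment that binds it to another interface would get refused connections with nothing pointing at the IP filter. Record the assumption next to the merge, e.g. `# Reachable only via loopback, so Tor enforcement is not optional here`, or add the enforceTor option for consistency with the other services. The service definition starts outside the hunk.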
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.liquidd;
|
||||
pidFile = "${cfg.dataDir}/liquidd.pid";
|
||||
configFile = pkgs.writeText "liquid.conf" ''
|
||||
@ -166,6 +166,7 @@ in {
|
||||
to stay under the specified target size in MiB)
|
||||
'';
|
||||
};
|
||||
enforceTor = nix-bitcoin-services.enforceTor;
|
||||
};
|
||||
};
|
||||
|
||||
@ -198,7 +199,11 @@ in {
|
||||
|
||||
# Permission for preStart
|
||||
PermissionsStartOnly = "true";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
};
|
||||
users.users.${cfg.user} = {
|
||||
name = cfg.user;
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.nanopos;
|
||||
defaultItemsFile = pkgs.writeText "items.yaml" ''
|
||||
tea:
|
||||
@ -74,7 +74,9 @@ in {
|
||||
User = "nanopos";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.nodeHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.node
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,3 +1,7 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
defaultHardening = {
|
||||
PrivateTmp = "true";
|
||||
@ -11,12 +15,26 @@ let
|
||||
ProtectControlGroups = "true";
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||
LockPersonality = "true";
|
||||
IPAddressDeny = "any";
|
||||
};
|
||||
in
|
||||
{
|
||||
inherit defaultHardening;
|
||||
# node applications apparently rely on memory write execute
|
||||
nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
|
||||
node = { MemoryDenyWriteExecute = "false"; };
|
||||
# Allow tor traffic. Allow takes precedence over Deny.
|
||||
allowTor = { IPAddressAllow = "127.0.0.1/32"; };
|
||||
# Allow any traffic
|
||||
allowAnyIP = { IPAddressAllow = "any"; };
|
||||
|
||||
enforceTor = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
"Whether to force Tor on a service by only allowing connections from and
|
||||
to 127.0.0.1;";
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
|
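Review bot: `allowTor` admits only the IPv4 loopback address (`IPAddressAllow = "127.0.0.1/32"`), so with the new `IPAddressDeny = "any"` in defaultHardening a service or its Tor SOCKS proxy reached over ::1 is silently refused; systemd's symbolic `localhost` value covers both loopback families, so `allowTor = { IPAddressAllow = "localhost"; };` is the safer spelling unless IPv6 loopback is deliberately excluded. The enforceTor description carries stray quotation marks and a semicolon inside the '' string (`"Whether to force Tor ... 127.0.0.1;"`), which will appear verbatim in generated option documentation. The filter is implemented with cgroup BPF and is skipped, not enforced, on hosts where systemd cannot attach it (presumably older kernels or a non-unified cgroup hierarchy), so a comment on defaultHardening such as `# IPAddressDeny is only enforced where systemd can attach its cgroup BPF filter` would keep the guarantee honest. The same allowTor value is merged into every service in this commit (bitcoind, clightning, electrs, liquidd, webindex, lightning-charge, nanopos, spark-wallet, recurring-donations), so this one definition decides the reachability of all of them.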
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.nix-bitcoin-webindex;
|
||||
indexFile = pkgs.writeText "index.html" ''
|
||||
<html>
|
||||
@ -44,6 +44,7 @@ in {
|
||||
If enabled, the webindex service will be installed.
|
||||
'';
|
||||
};
|
||||
enforceTor = nix-bitcoin-services.enforceTor;
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
@ -81,7 +82,11 @@ in {
|
||||
RemainAfterExit="yes";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// (if cfg.enforceTor
|
||||
then nix-bitcoin-services.allowTor
|
||||
else nix-bitcoin-services.allowAnyIP
|
||||
);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -60,6 +60,7 @@ in {
|
||||
services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
|
||||
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
|
||||
services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
|
||||
services.bitcoind.enforceTor = true;
|
||||
services.bitcoind.port = 8333;
|
||||
services.bitcoind.rpcuser = "bitcoinrpc";
|
||||
services.bitcoind.extraConfig = ''
|
||||
@ -82,6 +83,7 @@ in {
|
||||
# clightning
|
||||
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
|
||||
services.clightning.proxy = config.services.tor.client.socksListenAddress;
|
||||
services.clightning.enforceTor = true;
|
||||
services.clightning.always-use-proxy = true;
|
||||
services.clightning.bind-addr = "127.0.0.1:9735";
|
||||
services.tor.hiddenServices.clightning = {
|
||||
@ -128,6 +130,8 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
services.nix-bitcoin-webindex.enforceTor = true;
|
||||
|
||||
services.liquidd.rpcuser = "liquidrpc";
|
||||
services.liquidd.prune = 1000;
|
||||
services.liquidd.extraConfig = "
|
||||
@ -136,6 +140,7 @@ in {
|
||||
";
|
||||
services.liquidd.listen = true;
|
||||
services.liquidd.proxy = config.services.tor.client.socksListenAddress;
|
||||
services.liquidd.enforceTor = true;
|
||||
services.liquidd.port = 7042;
|
||||
services.tor.hiddenServices.liquidd = {
|
||||
map = [{
|
||||
@ -146,6 +151,7 @@ in {
|
||||
|
||||
services.spark-wallet.onion-service = true;
|
||||
services.electrs.port = 50001;
|
||||
services.electrs.enforceTor = true;
|
||||
services.electrs.onionport = 50002;
|
||||
services.electrs.nginxport = 50003;
|
||||
services.electrs.high-memory = false;
|
||||
|
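Review bot: enforceTor = true is set for bitcoind, clightning, liquidd and electrs whose proxy is `config.services.tor.client.socksListenAddress`, but the allow list behind enforceTor admits only 127.0.0.1, so the two settings are coupled by convention alone: if socksListenAddress is ever moved to another address (or to ::1), the daemons lose outbound connectivity with nothing pointing at the cause. An assertion would turn that into a build-time error, e.g. `assertions = [ { assertion = hasPrefix "127.0.0.1:" config.services.tor.client.socksListenAddress; message = "enforceTor requires Tor's SOCKS listener on 127.0.0.1"; } ];`, assuming socksListenAddress is the host:port string that bitcoind.proxy expects and lib is in scope in this file (neither is visible in the hunks). The enclosing config block starts and ends outside the hunks.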
@ -8,7 +8,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.onion-chef;
|
||||
dataDir = "/var/lib/onion-chef/";
|
||||
onion-chef-script = pkgs.writeScript "onion-chef.sh" ''
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.recurring-donations;
|
||||
recurring-donations-script = pkgs.writeScript "recurring-donations.sh" ''
|
||||
LNCLI="lightning-cli --lightning-dir=${config.services.clightning.dataDir}"
|
||||
@ -89,7 +89,8 @@ in {
|
||||
# working inside the shell script
|
||||
User = "clightning";
|
||||
Type = "oneshot";
|
||||
} // nix-bitcoin-services.defaultHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
systemd.timers.recurring-donations = {
|
||||
requires = [ "clightning.service" ];
|
||||
|
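Review bot: The loopback-only allow list added to recurring-donations (`// nix-bitcoin-services.allowTor`) has no effect on the lightning-cli calls the script makes, because systemd's IPAddressAllow/Deny filtering covers only AF_INET and AF_INET6 sockets and clightning's RPC is presumably a Unix socket; the rule only bites if the script itself opens IP connections. Recording that intent would save the next reader the same check: `# Script talks to clightning over its RPC socket; loopback-only blocks any other IP traffic`. The service definition starts outside the hunk.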
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
|
||||
nix-bitcoin-services = pkgs.callPackage ./nix-bitcoin-services.nix { };
|
||||
cfg = config.services.spark-wallet;
|
||||
dataDir = "/var/lib/spark-wallet/";
|
||||
onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
|
||||
@ -64,7 +64,9 @@ in {
|
||||
User = "clightning";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nix-bitcoin-services.nodeHardening;
|
||||
} // nix-bitcoin-services.defaultHardening
|
||||
// nix-bitcoin-services.node
|
||||
// nix-bitcoin-services.allowTor;
|
||||
};
|
||||
};
|
||||
}
|
||||
|