ccc3a70344 service hardening: add more restrictions (nixbitcoin)
3fbfa98635 service hardening: replace obtuse SystemCallFilter with @system-service (nixbitcoin)
e34d1c884e service hardening: Add PrivateUsers (nixbitcoin)
1c75543f2f clightning: add user and group options (nixbitcoin)
5f3f362451 lnd: add strict hardening (Erik Arvstedt)
a040e52854 All modules: ProtectSystem = strict (nixbitcoin)
adc71b892e Remove PermissionStartOnly where possible and replace with bitcoinrpc (nixbitcoin)
91b6b2c370 All modules with preStart: Use systemd.tmpfiles.rules (nixbitcoin)
423ebf862b lnd: only enable bitcoind zmqpub if lnd.enable (nixbitcoin)
81a1c3f908 service hardening: Add CapabilityBoundingSets (nixbitcoin)
3cd61506e0 webindex & onion-chef: Run non-network-facing services in PrivateNetwork (nixbitcoin)
7c70dd43ac All modules: Give service config precedence over defaultHardening (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK ccc3a70344
jonasnick:
ACK ccc3a70344 very nice
Tree-SHA512: 069f74b11b46b17fd180e9da5328a3b9952aa90100b5077251d1e56a4d64f03ba64587adf153ddc6cf42f750c13a168f9f0fe43bc379bcd4a9f6709e635e512a
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to set up service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this change's scope.
In conjunction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
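The hardening pattern the commit messages above describe (ProtectSystem=strict with an explicit ReadWritePaths, data directory creation handed to systemd.tmpfiles.rules so that preStart no longer needs PermissionsStartOnly, a shared defaultHardening set that the per-service serviceConfig overrides, and PrivateNetwork only for services that never open sockets) is easiest to see in one module. The following is an added example written for this page, not nix-bitcoin's own module code: the service name `exampled`, the package `pkgs.exampled`, the option path `services.exampled` and the `privateNetwork` option are assumptions, and the exact set of hardening keys is what one would expect from the commit titles, not a copy of the project's list.

```nix
# Added example (not nix-bitcoin code). Assumed names: exampled, pkgs.exampled,
# services.exampled.* options.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.exampled;
  dataDir = "/var/lib/exampled";

  # Config is generated in the Nix store and copied in by preStart, which runs
  # as the service user (no PermissionsStartOnly), so it can only write to
  # paths listed in ReadWritePaths.
  configFile = pkgs.writeText "exampled.conf" ''
    datadir=${dataDir}
    listen=127.0.0.1:8080
  '';

  # Baseline applied to every service. The service's own serviceConfig is
  # merged on top with `//`, so its entries win over these defaults.
  defaultHardening = {
    PrivateTmp = true;
    ProtectSystem = "strict";   # whole filesystem read-only except ReadWritePaths
    ProtectHome = true;
    NoNewPrivileges = true;
    PrivateDevices = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    RestrictNamespaces = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    SystemCallArchitectures = "native";
    # Readable allow-list group instead of a hand-maintained syscall list
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    CapabilityBoundingSet = "";  # drop every capability, even if the binary is setcap'd
    PrivateUsers = true;         # own user namespace: root inside maps to nobody outside
  };
in {
  options.services.exampled = {
    enable = mkEnableOption "exampled";
    privateNetwork = mkOption {
      type = types.bool;
      default = false;
      description = "Run without any network access (only for services that never open sockets).";
    };
    user = mkOption { type = types.str; default = "exampled"; };
    group = mkOption { type = types.str; default = "exampled"; };
  };

  config = mkIf cfg.enable {
    # Directory creation is done by systemd-tmpfiles as root at boot, which is
    # why preStart no longer needs root and PermissionsStartOnly can go.
    systemd.tmpfiles.rules = [
      "d '${dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
    ];

    systemd.services.exampled = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      preStart = ''
        install -m 0600 '${configFile}' '${dataDir}/exampled.conf'
      '';
      serviceConfig = defaultHardening // {
        ExecStart = "${pkgs.exampled}/bin/exampled --conf='${dataDir}/exampled.conf'";
        User = cfg.user;
        Group = cfg.group;
        Restart = "on-failure";
        ReadWritePaths = [ dataDir ];
      } // optionalAttrs cfg.privateNetwork {
        # Loopback only; a service that publishes or consumes ZMQ/RPC over TCP
        # (e.g. a bitcoind feeding lnd's zmqpub* subscriptions) must not set this.
        PrivateNetwork = true;
        RestrictAddressFamilies = "AF_UNIX";
      };
    };

    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      description = "exampled service user";
    };
    users.groups.${cfg.group} = {};
  };
}
```

Because `//` is left-to-right, a key set in the service-specific attrset (here `ReadWritePaths`, or `RestrictAddressFamilies` under `privateNetwork`) replaces the same key from `defaultHardening`; reversing the operand order would silently let the defaults clobber per-service overrides, which is the precedence bug the last commit in the list above fixes. After switching a service to ProtectSystem=strict, check its journal for EROFS failures from preStart or the daemon: any such path either belongs in `ReadWritePaths` or in a tmpfiles rule.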
b8e10afe18 recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101 nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6 Remove bitcoinrpc group remnants (nixbitcoin)
563b210835 spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca3576 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef1 lightning-charge: add dedicated user (nixbitcoin)
e67a818297 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba clightning: remove config group read access (nixbitcoin)
04c6936ce9 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db4 electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d77 electrs: Make TLSProxy truly optional (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK b8e10afe18
Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
Currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option,
and nix-bitcoin-webindex.nix has nodeinfo as a dependency.
So don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
Electrs does not need to be part of the "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
Previously, the sessions contained only explicitly exported variables
and functions.
This was fragile and in part buggy due to lacking exports.
Interactive features like user-defined aliases and functions are still
working as before.
Download shesek's github spark-npm.tgz, verify signature, unpack
spark-npm.tgz, patch package.json to include qrcode-terminal in
dependencies, run node2nix with tmpdir as local source, replace tmpdir
spark-wallet source with shesek's github spark-npm.tgz in
node-packages.nix.
spark-wallet: erikarvstedt fixups
move script to pkg dir, add hint to script in pkg def
remove unneeded script deps
add extended bash error checking
rename DIR -> TMPDIR
remove TMPDIR on exit
strip whitespace, simplify comments
gpg2 -> gpg
latesttagelectrs -> latest
tmpdir: don't use XDG_RUNTIME_DIR
XDG_RUNTIME_DIR is often in RAM and shouldn't be used for larger
workloads like repo downloads
verify fingerprint of the imported key
remove trailing '-' in output
simplify output
Hide --fetch-key output
Output is not relevant to user, looks better without it
More accurately describe ./get-sha256 function
User might think that ./get-sha256 automatically updates sha256 in default.nix
Fetch key from sks keyservers instead of keybase.io
Using --recv-key simplifies getting the right key, and only the
right key, greatly. I try to refrain from using sks keyservers,
but the certificate spamming attack shouldn't be an issue in this
case because we create a temporary keychain just for the
verification.
remove unneeded cargoDepsHook
Make clang nativeBuildInput instead of buildInput
e95f5981aa Remove KN countrycode (nixbitcoin)
742aef1e0f Only set dataDirReadableByGroup if cfg.high-memory is enabled (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK e95f5981aa
Tree-SHA512: e8253b934211e6fc6be11917f8acb05a05e390caafdf86f90670f9299d9c0d98596758ff021c65aae199c9a5a3f86f87854e1b8f50a53bab8ad28d9a7003d98e