colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

servo: bitcoind: harden

Browse Source
This commit is contained in:
Colin
2024-07-29 00:11:45 +00:00
parent ea5919ab6b
commit 4b30036973
1 changed files with 38 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
View File

@@ -64,27 +64,55 @@ in
passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4"; passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4";
}; };
extraConfig = '' extraConfig = ''
# checkblocks: default 6: how many blocks to verify on start
checkblocks=3
# don't load the wallet, and disable wallet RPC calls # don't load the wallet, and disable wallet RPC calls
disablewallet=1 disablewallet=1
# proxy all outbound traffic through Tor # proxy all outbound traffic through Tor
proxy=127.0.0.1:9050 proxy=127.0.0.1:9050
''; '';
extraCmdlineOptions = [ extraCmdlineOptions = [
# "--debug" # "-debug"
# "--debug=estimatefee" # "-debug=estimatefee"
# "--debug=http" # "-debug=http"
# "--debug=net" # "-debug=net"
"--debug=proxy" "-debug=proxy"
"--debug=rpc" "-debug=rpc"
# "--debug=validation" # "-debug=validation"
]; ];
}; };
users.users.bitcoind-mainnet.extraGroups = [ "tor" ]; users.users.bitcoind-mainnet.extraGroups = [ "tor" ];
systemd.services.bitcoind-mainnet.after = [ "tor.service" ]; systemd.services.bitcoind-mainnet = {
systemd.services.bitcoind-mainnet.requires = [ "tor.service" ]; after = [ "tor.service" ];
systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s"; #< default is 0 requires = [ "tor.service" ];
serviceConfig.RestartSec = "30s"; #< default is 0
# hardening (systemd-analyze security bitcoind-mainnet)
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = "true";
serviceConfig.NoNewPrivileges = "true";
serviceConfig.PrivateDevices = "true";
serviceConfig.PrivateMounts = true;
serviceConfig.PrivateTmp = "true";
serviceConfig.PrivateUsers = true;
serviceConfig.ProcSubset = "pid";
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectProc = "invisible";
# serviceConfig.ProtectSystem = "strict"; #< TODO: try enabling?
serviceConfig.RemoveIPC = true;
# serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; #< TODO: try enabling?
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
# serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; #< TODO: try enabling?
};
sops.secrets."bitcoin.conf" = { sops.secrets."bitcoin.conf" = {
mode = "0600"; mode = "0600";