servo: bitcoind: harden

2024-07-29 00:11:45 +00:00
parent ea5919ab6b
commit 4b30036973
1 changed files with 38 additions and 10 deletions
--- a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
@@ -64,27 +64,55 @@ in
      passwordHMAC = "30002c05d82daa210550e17a182db3f3$6071444151281e1aa8a2729f75e3e2d224e9d7cac3974810dab60e7c28ffaae4";
    };
    extraConfig = ''
+      # checkblocks: default 6: how many blocks to verify on start
+      checkblocks=3
      # don't load the wallet, and disable wallet RPC calls
      disablewallet=1
      # proxy all outbound traffic through Tor
      proxy=127.0.0.1:9050
    '';
    extraCmdlineOptions = [
-      # "--debug"
-      # "--debug=estimatefee"
-      # "--debug=http"
-      # "--debug=net"
-      "--debug=proxy"
-      "--debug=rpc"
-      # "--debug=validation"
+      # "-debug"
+      # "-debug=estimatefee"
+      # "-debug=http"
+      # "-debug=net"
+      "-debug=proxy"
+      "-debug=rpc"
+      # "-debug=validation"
    ];
  };

  users.users.bitcoind-mainnet.extraGroups = [ "tor" ];

-  systemd.services.bitcoind-mainnet.after = [ "tor.service" ];
-  systemd.services.bitcoind-mainnet.requires = [ "tor.service" ];
-  systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s";  #< default is 0
+  systemd.services.bitcoind-mainnet = {
+    after = [ "tor.service" ];
+    requires = [ "tor.service" ];
+    serviceConfig.RestartSec = "30s";  #< default is 0
+
+    # hardening (systemd-analyze security bitcoind-mainnet)
+    serviceConfig.LockPersonality = true;
+    serviceConfig.MemoryDenyWriteExecute = "true";
+    serviceConfig.NoNewPrivileges = "true";
+    serviceConfig.PrivateDevices = "true";
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = "true";
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.ProtectHostname = true;
+    serviceConfig.ProtectKernelLogs = true;
+    serviceConfig.ProtectKernelModules = true;
+    serviceConfig.ProtectKernelTunables = true;
+    serviceConfig.ProtectProc = "invisible";
+    # serviceConfig.ProtectSystem = "strict";  #< TODO: try enabling?
+    serviceConfig.RemoveIPC = true;
+    # serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";  #< TODO: try enabling?
+    serviceConfig.RestrictNamespaces = true;
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";
+    # serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];  #< TODO: try enabling?
+  };

  sops.secrets."bitcoin.conf" = {
    mode = "0600";