servo: bitcoind: harden systemd service

2024-07-30 13:03:38 +00:00
parent b53f376d70
commit 70bd001171


@@ -90,6 +90,7 @@ in
serviceConfig.RestartSec = "30s"; #< default is 0
# hardening (systemd-analyze security bitcoind-mainnet)
serviceConfig.StateDirectory = "bitcoind-mainnet";
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = "true";
serviceConfig.NoNewPrivileges = "true";
@@ -105,13 +106,13 @@ in
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectProc = "invisible";
# serviceConfig.ProtectSystem = "strict"; #< TODO: try enabling?
serviceConfig.ProtectSystem = lib.mkForce "strict";
serviceConfig.RemoveIPC = true;
# serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; #< TODO: try enabling?
serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
# serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; #< TODO: try enabling?
serviceConfig.SystemCallFilter = [ "@system-service" ];
};
sops.secrets."bitcoin.conf" = {
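Review bot: The `SystemCallFilter` enabled at the end of the second hunk is weaker than the TODO it replaces: only `@system-service` is kept and the `~@privileged` and `~@resources` deny groups are dropped, so the parts of those groups that `@system-service` includes stay available to the daemon. If bitcoind starts and syncs with them, prefer `serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];`; if one of them broke it, leave a comment naming which, so the gap is a recorded decision. Nothing visible here sets `SystemCallErrorNumber`, so a filtered call presumably kills the process with SIGSYS; `serviceConfig.SystemCallErrorNumber = "EPERM";` would make such failures show up as ordinary errors in the log instead. The `lib.mkForce` on `ProtectSystem` also deserves a short comment saying which definition it overrides. The service's attribute set begins before the hunk, so options set earlier are not visible here.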