nix-bitcoin/modules/nix-bitcoin-services.nix

69 lines
2.2 KiB
Nix
Raw Normal View History

# See `man systemd.exec` and `man systemd.resource-control` for an explanation
# of the various systemd options available through this module.
lib: pkgs:
with lib;
let self = {
# These settings roughly follow systemd's "strict" security profile
defaultHardening = {
PrivateTmp = "true";
ProtectSystem = "strict";
ProtectHome = "true";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = "true";
ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "true";
LockPersonality = "true";
IPAddressDeny = "any";
PrivateUsers = "true";
RestrictSUIDSGID = "true";
RemoveIPC = "true";
RestrictRealtime = "true";
ProtectHostname = "true";
CapabilityBoundingSet = "";
# @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services)
SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
2019-05-01 08:20:31 +00:00
SystemCallArchitectures= "native";
};
# nodejs applications apparently rely on memory write execute
nodejs = { MemoryDenyWriteExecute = "false"; };
# Allow tor traffic. Allow takes precedence over Deny.
allowTor = {
IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
};
# Allow any traffic
allowAnyIP = { IPAddressAllow = "any"; };
allowAnyProtocol = { RestrictAddressFamilies = "~"; };
2019-08-07 12:52:34 +00:00
enforceTor = mkOption {
type = types.bool;
default = false;
description = ''
"Whether to force Tor on a service by only allowing connections from and
to 127.0.0.1;";
'';
};
script = src: pkgs.writers.writeBash "script" ''
set -eo pipefail
${src}
'';
# Used for ExecStart*
privileged = src: "+${self.script src}";
cliExec = mkOption {
# Used by netns-isolation to execute the cli in the service's private netns
internal = true;
type = types.str;
default = "exec";
};
}; in self