Add security section to README
This commit is contained in:
parent
6f8dac6e07
commit
7fb1cc1e93
15
README.md
15
README.md
|
@ -1,7 +1,7 @@
|
||||||
nix-bitcoin
|
nix-bitcoin
|
||||||
===
|
===
|
||||||
|
|
||||||
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols.
|
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
|
||||||
This is a work in progress - don't expect it to be bug free or secure.
|
This is a work in progress - don't expect it to be bug free or secure.
|
||||||
|
|
||||||
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
|
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
|
||||||
|
@ -49,6 +49,19 @@ The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin di
|
||||||
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
|
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
|
||||||
See [install.md](docs/install.md) for a detailed tutorial.
|
See [install.md](docs/install.md) for a detailed tutorial.
|
||||||
|
|
||||||
|
Security
|
||||||
|
---
|
||||||
|
* Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches.
|
||||||
|
* Builds happen in a [sandboxed environment](https://nixos.org/nix/manual/).
|
||||||
|
* Packages dependencies are [pinned](pkgs/nixpkgs-pinned.nix). Most packages are built from the [nixos stable channel](https://github.com/NixOS/nixpkgs-channels/tree/nixos-19.03), with a few exceptions that are built from the nixpkgs unstable channel.
|
||||||
|
* nix-bitcoin merge commits are signed.
|
||||||
|
* nix-bitcoin is built with a [hardened kernel](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix) by default.
|
||||||
|
* Services operate with least privileges. They each have their own user and are restricted further with [systemd options](modules/nix-bitcoin-services.nix).
|
||||||
|
* There's a non-root user *operator* to interact with the various services.
|
||||||
|
|
||||||
|
Note that nix-bitcoin is still experimental.
|
||||||
|
Also, by design if the machine you're deploying *from* is insecure, there is nothing nix-bitcoin can do to protect itself.
|
||||||
|
|
||||||
Hardware requirements
|
Hardware requirements
|
||||||
---
|
---
|
||||||
* Disk space: 300 GB (235GB for Bitcoin blockchain + some room)
|
* Disk space: 300 GB (235GB for Bitcoin blockchain + some room)
|
||||||
|
|
|
@ -165,6 +165,10 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
|
||||||
swapon /dev/sda2
|
swapon /dev/sda2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
4. Option 3: Set up encrypted partitions:
|
||||||
|
|
||||||
|
Follow the guide at https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134.
|
||||||
|
|
||||||
5. Generate NixOS config
|
5. Generate NixOS config
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -207,7 +207,6 @@ in {
|
||||||
};
|
};
|
||||||
users.users.${cfg.user} = {
|
users.users.${cfg.user} = {
|
||||||
name = cfg.user;
|
name = cfg.user;
|
||||||
#uid = config.ids.uids.liquid;
|
|
||||||
group = cfg.group;
|
group = cfg.group;
|
||||||
extraGroups = [ "keys" ];
|
extraGroups = [ "keys" ];
|
||||||
description = "Liquid daemon user";
|
description = "Liquid daemon user";
|
||||||
|
@ -215,7 +214,6 @@ in {
|
||||||
};
|
};
|
||||||
users.groups.${cfg.group} = {
|
users.groups.${cfg.group} = {
|
||||||
name = cfg.group;
|
name = cfg.group;
|
||||||
#gid = config.ids.gids.liquid;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user