services: add finer-grained address family restrictions

Due to a possible NixOS bug, this commit has no effect on NixOS 20.09
where `RestrictAddressFamilies` is a no-op.
It's only relevant for NixOS unstable with cgroups v2.

bitcoind+zmq: instead of allowing all address families, only add the required
AF_NETLINK family.

lnd: lnd only runs a zmq client, not a server, therefore it requires
no additional address families.

lightning-pool, clightning-plugin-zmq: add AF_NETLINK.
Erik Arvstedt 2021-03-22 13:19:46 +01:00
parent 020433cec6
commit 08fe9ba84a
No known key found for this signature in database
GPG key ID: 33312B944DD97846
5 changed files with 16 additions and 4 deletions


@ -55,6 +55,8 @@ let
# Extra options
${cfg.extraConfig}
'';
zmqServerEnabled = (cfg.zmqpubrawblock != null) || (cfg.zmqpubrawtx != null);
in {
options = {
services.bitcoind = {
@ -358,7 +360,7 @@ in {
UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = cfg.dataDir;
} // nbLib.allowedIPAddresses cfg.enforceTor
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
};
# Use this to update the banlist:
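Review bot: The `//` merge on the replaced line lets `nbLib.allowNetlink` override rather than extend whatever `nbLib.allowedIPAddresses cfg.enforceTor` contributes, because `//` takes the right-hand value for any attribute both sets define; if both helpers set `RestrictAddressFamilies` (nbLib is not visible here, so this is inferred), the Tor-dependent family list would be silently replaced by the netlink one rather than combined with it. Worth confirming that `allowNetlink` is built on the same base family list, or composing the families explicitly (e.g. one `RestrictAddressFamilies` value assembled from both conditions) instead of relying on attrset override order. A short why-comment would also help the next reader, since AF_NETLINK for a ZMQ publisher is not self-explanatory, e.g. `# ZMQ publishers need AF_NETLINK (presumably for interface enumeration when binding) -- confirm`. The enclosing serviceConfig attrset begins before this hunk.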