Move service hardening flags into separate file

This commit is contained in:
Jonas Nick 2019-04-27 19:21:45 +00:00
parent 66095871c6
commit a089d65d25
No known key found for this signature in database
GPG key ID: 4861DBF262123605
11 changed files with 33 additions and 54 deletions


@ -3,6 +3,7 @@
with lib;
let
nix-bitcoin-services = import ./nix-bitcoin-services.nix;
cfg = config.services.bitcoind;
pidFile = "${cfg.dataDir}/bitcoind.pid";
configFile = pkgs.writeText "bitcoin.conf" ''
@ -235,7 +236,7 @@ in {
# Permission for preStart
PermissionsStartOnly = "true";
};
} // nix-bitcoin-services.defaultHardening;
};
systemd.services.bitcoind-import-banlist = {
description = "Bitcoin daemon banlist importer";
@ -269,16 +270,9 @@ in {
ExecStart = "${pkgs.bash}/bin/bash ${pkgs.banlist}/bin/banlist ${pkgs.altcoins.bitcoind}";
StateDirectory = "bitcoind";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
# Permission for preStart
PermissionsStartOnly = "true";
};
} // nix-bitcoin-services.defaultHardening;
};
users.users.${cfg.user} = {