rename nix-bitcoin-services.nix -> lib.nix

2021-02-03 22:44:41 +01:00 · 2021-02-03 22:44:41 +01:00 · a26ed03d77
commit a26ed03d77
parent c0abae97a4
15 changed files with 81 additions and 81 deletions
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@ -0,0 +1,68 @@
+lib: pkgs:
+
+with lib;
+
+# See `man systemd.exec` and `man systemd.resource-control` for an explanation
+# of the systemd-related options available through this module.
+let self = {
+  # These settings roughly follow systemd's "strict" security profile
+  defaultHardening = {
+      PrivateTmp = "true";
+      ProtectSystem = "strict";
+      ProtectHome = "true";
+      NoNewPrivileges = "true";
+      PrivateDevices = "true";
+      MemoryDenyWriteExecute = "true";
+      ProtectKernelTunables = "true";
+      ProtectKernelModules = "true";
+      ProtectControlGroups = "true";
+      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      RestrictNamespaces = "true";
+      LockPersonality = "true";
+      IPAddressDeny = "any";
+      PrivateUsers = "true";
+      RestrictSUIDSGID = "true";
+      RemoveIPC = "true";
+      RestrictRealtime = "true";
+      ProtectHostname = "true";
+      CapabilityBoundingSet = "";
+      # @system-service whitelist and docker seccomp blacklist (except for "clone"
+      # which is a core requirement for systemd services)
+      SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
+      SystemCallArchitectures= "native";
+  };
+
+  # nodejs applications apparently rely on memory write execute
+  nodejs = { MemoryDenyWriteExecute = "false"; };
+  # Allow tor traffic. Allow takes precedence over Deny.
+  allowTor = {
+    IPAddressAllow = "127.0.0.1/32 ::1/128 169.254.0.0/16";
+  };
+  # Allow any traffic
+  allowAnyIP = { IPAddressAllow = "any"; };
+  allowAnyProtocol = { RestrictAddressFamilies = "~"; };
+
+  enforceTor = mkOption {
+    type = types.bool;
+    default = false;
+    description = ''
+      Whether to force Tor on a service by only allowing connections from and
+      to 127.0.0.1;
+    '';
+  };
+
+  script = src: pkgs.writers.writeBash "script" ''
+    set -eo pipefail
+    ${src}
+  '';
+
+  # Used for ExecStart*
+  privileged = src: "+${self.script src}";
+
+  cliExec = mkOption {
+    # Used by netns-isolation to execute the cli in the service's private netns
+    internal = true;
+    type = types.str;
+    default = "exec";
+  };
+}; in self