apply hardening measures to all systemd services

PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true

SECURITY.md

@@ -49,6 +49,7 @@ Ensure that you put quotes around fingerprints containing spaces if importing wi
 # Physical Security
 
 * The lightning wallet and user interfaces are password protected by default so this has more privacy implications (in the case of physical theft) than security.
+* Basic hardening measures are applied to all systemd services
 * Optional log in through SSH using a hardware wallet.
 * LUKS encryption would be welcome in the future.
 

home.admin/assets/background.service

@@ -20,5 +20,11 @@ TimeoutSec=10
 RestartSec=10
 StandardOutput=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target

home.admin/assets/bitcoind.service

@@ -23,5 +23,11 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target

home.admin/assets/bootstrap.service

@@ -14,5 +14,11 @@ ExecStart=/home/admin/_bootstrap.sh
 StandardOutput=journal
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target

home.admin/assets/litecoind.service

@@ -23,5 +23,11 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target

home.admin/assets/lnd.service

@@ -24,5 +24,11 @@ RestartSec=60
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target

home.admin/config.scripts/bonus.btc-rpc-explorer.sh

@@ -207,6 +207,12 @@ User=btcrpcexplorer
 Restart=on-failure
 RestartSec=600
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF

home.admin/config.scripts/bonus.btcpayserver.sh

@@ -379,6 +379,7 @@ Type=simple
 PIDFile=/run/nbxplorer/nbxplorer.pid
 Restart=on-failure
 
+# Hardening measures
 PrivateTmp=true
 ProtectSystem=full
 NoNewPrivileges=true
@@ -461,6 +462,12 @@ Type=simple
 PIDFile=/run/btcpayserver/btcpayserver.pid
 Restart=on-failure
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/btcpayserver.service

home.admin/config.scripts/bonus.circuitbreaker.sh

@@ -106,6 +106,12 @@ TimeoutSec=60
 Restart=always
 RestartSec=60
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee -a /etc/systemd/system/circuitbreaker.service

home.admin/config.scripts/bonus.cryptoadvance-specter.sh

@@ -289,6 +289,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF

home.admin/config.scripts/bonus.electrs.sh

@@ -408,6 +408,12 @@ TimeoutSec=60
 Restart=always
 RestartSec=60
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
     " | sudo tee -a /etc/systemd/system/electrs.service

home.admin/config.scripts/bonus.faraday.sh

@@ -221,6 +221,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee -a /etc/systemd/system/faraday.service

home.admin/config.scripts/bonus.kindle-display.sh

@@ -127,6 +127,12 @@ Restart=on-failure
 StartLimitIntervalSec=600
 StartLimitBurst=2
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF

home.admin/config.scripts/bonus.lit.sh

@@ -291,6 +291,12 @@ TimeoutSec=60
 Restart=always
 RestartSec=60
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee -a /etc/systemd/system/litd.service

home.admin/config.scripts/bonus.lnbits.sh

@@ -328,6 +328,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF

home.admin/config.scripts/bonus.loop.sh

@@ -121,6 +121,12 @@ TimeoutSec=60
 Restart=always
 RestartSec=60
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee -a /etc/systemd/system/loopd.service

home.admin/config.scripts/bonus.mempool.sh

@@ -255,6 +255,12 @@ User=mempool
 Restart=on-failure
 RestartSec=600
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF

home.admin/config.scripts/bonus.pool.sh

@@ -119,6 +119,12 @@ TimeoutSec=60
 Restart=always
 RestartSec=60
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/poold.service

home.admin/config.scripts/bonus.rtl.sh

@@ -255,6 +255,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF
@@ -290,6 +296,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${netprefix}${typeprefix}RTL.service

home.admin/config.scripts/bonus.sphinxrelay.sh

@@ -442,6 +442,12 @@ RestartSec=30
 StandardOutput=journal
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 EOF

home.admin/config.scripts/bonus.thunderhub.sh

@@ -223,6 +223,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/thunderhub.service

home.admin/config.scripts/internet.sshtunnel.py

@@ -34,6 +34,12 @@ Environment="AUTOSSH_GATETIME=0"
 ExecStart=/usr/bin/autossh [MONITORING-PORT] -N -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=2 [PLACEHOLDER]
 StandardOutput=journal
 
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 """