From 25b2d6591ab4d919b5fdcf0faa7d4bd73532eee3 Mon Sep 17 00:00:00 2001
From: erciccione
Date: Thu, 4 Aug 2022 11:04:49 +0200
Subject: [PATCH] adapt systemd files of pricenode and seednode to haveno
- adapt systemd file for seednode to Haveno and improve hardening
- adapt systemd file for pricenode to Haveno and improve hardening
- some live hardening options might not have been added here
---
 pricenode/haveno-pricenode.service | 3 +++
 seednode/bisq.service | 41 ------------------------------
 seednode/haveno-seednode.service | 32 +++++++++++++++++++++++
 3 files changed, 35 insertions(+), 41 deletions(-)
 delete mode 100644 seednode/bisq.service
 create mode 100644 seednode/haveno-seednode.service
diff --git a/pricenode/haveno-pricenode.service b/pricenode/haveno-pricenode.service
index 2b17ff6766..6aa1a1b86f 100644
--- a/pricenode/haveno-pricenode.service
+++ b/pricenode/haveno-pricenode.service
@@ -17,6 +17,9 @@ ProtectSystem=full
 NoNewPrivileges=true
 PrivateDevices=true
 MemoryDenyWriteExecute=false
+ProtectControlGroups=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
 [Install]
 WantedBy=multi-user.target
diff --git a/seednode/bisq.service b/seednode/bisq.service
deleted file mode 100644
index a87710612d..0000000000
--- a/seednode/bisq.service
+++ /dev/null
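Review bot: The three directives added after `MemoryDenyWriteExecute=false` leave kernel modules, the kernel log and the process personality unrestricted, and `ProtectSystem=full` (shown on the hunk header line) keeps only /usr, /boot, /efi and /etc read-only. Low-risk additions to the same block would be `ProtectKernelModules=true`, `ProtectKernelLogs=true` and `LockPersonality=true`; `ProtectSystem=strict` with an explicit `ReadWritePaths=` for the data directory is the stronger follow-up, but it depends on the directory layout, which is not visible here. `systemd-analyze security haveno-pricenode.service` lists what remains exposed after each change. The identical Hardening block in the new seednode/haveno-seednode.service has the same gap. The [Service] section starts above this hunk, so directives already set there cannot be seen.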
@@ -1,41 +0,0 @@
-# install in /etc/systemd/system/bisq.service
-
-[Unit]
-Description=Bisq Node
-After=bitcoin.service
-#Requires=bitcoin.service
-#BindsTo=bitcoin.service
-
-[Service]
-SyslogIdentifier=bisq
-EnvironmentFile=/etc/default/bisq.env
-
-ExecStart=/bin/sh __BISQ_HOME__/__BISQ_REPO_NAME__/${BISQ_ENTRYPOINT} \
- --userDataDir=${BISQ_HOME} \
- --appName=${BISQ_APP_NAME} \
- --baseCurrencyNetwork=${BISQ_BASE_CURRENCY} \
- --maxConnections=${BISQ_MAX_CONNECTIONS} \
- --maxMemory=${BISQ_MAX_MEMORY} \
- --nodePort=${BISQ_NODE_PORT} \
- --btcNodes=${BITCOIN_P2P_HOST}:${BITCOIN_P2P_PORT} \
- --rpcBlockNotificationHost=${BITCOIN_RPC_BLOCKNOTIFY_HOST} \
- --rpcBlockNotificationPort=${BITCOIN_RPC_BLOCKNOTIFY_PORT} \
- --rpcHost=${BITCOIN_RPC_HOST} \
- --rpcPort=${BITCOIN_RPC_PORT} \
- --rpcUser=${BITCOIN_RPC_USER} \
- --rpcPassword=${BITCOIN_RPC_PASS} \
- --dumpBlockchainData=${BISQ_DUMP_BLOCKCHAIN} \
- --dumpStatistics=${BISQ_DUMP_STATISTICS} \
- --torControlPort=${BISQ_EXTERNAL_TOR_PORT} \
-
-ExecStop=/bin/kill ${MAINPID}
-Restart=on-failure
-
-ExecStartPre=+/bin/bash -c "if [ $BISQ_DUMP_BLOCKCHAIN = true ];then mount -t tmpfs none -o size=2000M,uid=bisq,gid=bisq $BISQ_HOME/$BISQ_APP_NAME/$BISQ_BASE_CURRENCY/db/json;else true;fi"
-ExecStopPost=+/bin/bash -c "if [ $BISQ_DUMP_BLOCKCHAIN = true ];then umount $BISQ_HOME/$BISQ_APP_NAME/$BISQ_BASE_CURRENCY/db/json;else true;fi"
-
-User=bisq
-Group=bisq
-
-[Install]
-WantedBy=multi-user.target
diff --git a/seednode/haveno-seednode.service b/seednode/haveno-seednode.service
new file mode 100644
index 0000000000..7551c54fea
--- /dev/null
+++ b/seednode/haveno-seednode.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Haveno seednode
+After=network.target
+
+[Service]
+User=haveno
+Group=haveno
+SyslogIdentifier=Haveno-Seednode
+
+# $PATH is a placeholder
+ExecStart=/bin/sh $PATH/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\
+ --useLocalhostForP2P=false\
+ --useDevPrivilegeKeys=false\
+ --nodePort=2002\
+ --appName=haveno-XMR_STAGENET_Seed_2002
+
+ExecStop=/bin/kill ${MAINPID}
+Restart=always
+
+# Hardening
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+MemoryDenyWriteExecute=false
+ProtectControlGroups=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+
+
+[Install]
+WantedBy=multi-user.target
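Review bot: The placeholder in `ExecStart=/bin/sh $PATH/haveno-seednode` reuses the name of a real environment variable, so a unit installed without editing does not fail in an obvious way. systemd applies its own variable substitution to ExecStart arguments, so depending on how it treats this token the shell receives either the literal string or a path built from the service's search path. A token that cannot be mistaken for a variable, as the deleted bisq.service did with `__BISQ_HOME__`, would be safer: for example `ExecStart=/bin/sh __HAVENO_HOME__/haveno-seednode ...` (placeholder name constructed here), with the comment changed to `# replace __HAVENO_HOME__ with the absolute install directory`. Separately, `MemoryDenyWriteExecute=false` is already the systemd default; if it is spelled out because the runtime (presumably a JVM with JIT) needs writable-executable memory, a one-line comment saying so would keep it from being switched to `true` in a later hardening pass.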