adapt systemd files of pricenode and seednode to haveno

- adapt systemd file for seednode to Haveno and improve hardening - adapt systemd file for pricenode to Haveno and improve hardening - some live hardening options might not have been added here
2024-12-22 20:19:21 +00:00 · 2022-08-04 11:04:49 +02:00 · 2022-08-04 11:04:49 +02:00 · 25b2d6591a
commit 25b2d6591a
parent 4325e3e0fb
3 changed files with 35 additions and 41 deletions
--- a/pricenode/haveno-pricenode.service
+++ b/pricenode/haveno-pricenode.service
@ -17,6 +17,9 @@ ProtectSystem=full
 NoNewPrivileges=true
 PrivateDevices=true
 MemoryDenyWriteExecute=false
+ProtectControlGroups=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true

 [Install]
 WantedBy=multi-user.target
--- a/seednode/bisq.service
+++ b/seednode/bisq.service
@ -1,41 +0,0 @@
-# install in /etc/systemd/system/bisq.service
-
-[Unit]
-Description=Bisq Node
-After=bitcoin.service
-#Requires=bitcoin.service
-#BindsTo=bitcoin.service
-
-[Service]
-SyslogIdentifier=bisq
-EnvironmentFile=/etc/default/bisq.env
-
-ExecStart=/bin/sh __BISQ_HOME__/__BISQ_REPO_NAME__/${BISQ_ENTRYPOINT} \
-          --userDataDir=${BISQ_HOME} \
-          --appName=${BISQ_APP_NAME} \
-          --baseCurrencyNetwork=${BISQ_BASE_CURRENCY} \
-          --maxConnections=${BISQ_MAX_CONNECTIONS} \
-          --maxMemory=${BISQ_MAX_MEMORY} \
-          --nodePort=${BISQ_NODE_PORT} \
-          --btcNodes=${BITCOIN_P2P_HOST}:${BITCOIN_P2P_PORT} \
-          --rpcBlockNotificationHost=${BITCOIN_RPC_BLOCKNOTIFY_HOST} \
-          --rpcBlockNotificationPort=${BITCOIN_RPC_BLOCKNOTIFY_PORT} \
-          --rpcHost=${BITCOIN_RPC_HOST} \
-          --rpcPort=${BITCOIN_RPC_PORT} \
-          --rpcUser=${BITCOIN_RPC_USER} \
-          --rpcPassword=${BITCOIN_RPC_PASS} \
-          --dumpBlockchainData=${BISQ_DUMP_BLOCKCHAIN} \
-          --dumpStatistics=${BISQ_DUMP_STATISTICS} \
-          --torControlPort=${BISQ_EXTERNAL_TOR_PORT} \
-
-ExecStop=/bin/kill ${MAINPID}
-Restart=on-failure
-
-ExecStartPre=+/bin/bash -c "if [ $BISQ_DUMP_BLOCKCHAIN = true ];then mount -t tmpfs none -o size=2000M,uid=bisq,gid=bisq $BISQ_HOME/$BISQ_APP_NAME/$BISQ_BASE_CURRENCY/db/json;else true;fi"
-ExecStopPost=+/bin/bash -c "if [ $BISQ_DUMP_BLOCKCHAIN = true ];then umount $BISQ_HOME/$BISQ_APP_NAME/$BISQ_BASE_CURRENCY/db/json;else true;fi"
-
-User=bisq
-Group=bisq
-
-[Install]
-WantedBy=multi-user.target
--- a/seednode/haveno-seednode.service
+++ b/seednode/haveno-seednode.service
@ -0,0 +1,32 @@
+[Unit]
+Description=Haveno seednode
+After=network.target
+
+[Service]
+User=haveno
+Group=haveno
+SyslogIdentifier=Haveno-Seednode
+
+# $PATH is a placeholder
+ExecStart=/bin/sh $PATH/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\
+  --useLocalhostForP2P=false\
+  --useDevPrivilegeKeys=false\
+  --nodePort=2002\
+  --appName=haveno-XMR_STAGENET_Seed_2002
+
+ExecStop=/bin/kill ${MAINPID}
+Restart=always
+
+# Hardening
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+MemoryDenyWriteExecute=false
+ProtectControlGroups=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+
+
+[Install]
+WantedBy=multi-user.target