chore: harden systemd files

chainflip-io · Sep 12, 2023 · 48a6d11 · 48a6d11
1 parent 2d6f046
commit 48a6d11
Show file tree

Hide file tree

Showing 9 changed files with 315 additions and 14 deletions.
diff --git a/state-chain/node/package/development/chainflip-archive-node.service b/state-chain/node/package/development/chainflip-archive-node.service
@@ -4,7 +4,11 @@ Description=Chainflip Archive Node
 [Service]
 Restart=always
 RestartSec=30
-Type=simple
+
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
 
 ExecStart=/usr/bin/chainflip-node \
     --chain=/etc/chainflip/development.chainspec.json \
@@ -19,5 +23,30 @@ ExecStart=/usr/bin/chainflip-node \
     --unsafe-rpc-external \
     --sync=full
 
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
diff --git a/state-chain/node/package/development/chainflip-genesis-node.service b/state-chain/node/package/development/chainflip-genesis-node.service
@@ -1,10 +1,14 @@
 [Unit]
-Description=Chainflip Archive Node
+Description=Chainflip Genesis Node
 
 [Service]
 Restart=always
 RestartSec=30
-Type=simple
+
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
 
 ExecStart=/usr/bin/chainflip-node \
     --chain=/etc/chainflip/development.chainspec.json \
@@ -14,5 +18,30 @@ ExecStart=/usr/bin/chainflip-node \
     --trie-cache-size=0 \
     --sync=full
 
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
diff --git a/state-chain/node/package/development/chainflip-node.service b/state-chain/node/package/development/chainflip-node.service
@@ -6,6 +6,11 @@ Restart=always
 RestartSec=30
 Type=simple
 
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
+
 ExecStart=/usr/bin/chainflip-node \
   --chain=/etc/chainflip/development.chainspec.json \
   --base-path=/etc/chainflip/chaindata \
@@ -14,5 +19,30 @@ ExecStart=/usr/bin/chainflip-node \
   --trie-cache-size=0 \
   --sync=warp
 
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
diff --git a/state-chain/node/package/perseverance/chainflip-archive-node.service b/state-chain/node/package/perseverance/chainflip-archive-node.service
@@ -4,7 +4,11 @@ Description=Chainflip Archive Node
 [Service]
 Restart=always
 RestartSec=30
-Type=simple
+
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
 
 ExecStart=/usr/bin/chainflip-node \
     --chain=/etc/chainflip/perseverance.chainspec.json \
@@ -19,5 +23,30 @@ ExecStart=/usr/bin/chainflip-node \
     --unsafe-rpc-external \
     --sync=full
 
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
diff --git a/state-chain/node/package/perseverance/chainflip-genesis-node.service b/state-chain/node/package/perseverance/chainflip-genesis-node.service
@@ -0,0 +1,47 @@
+[Unit]
+Description=Chainflip Genesis Node
+
+[Service]
+Restart=always
+RestartSec=30
+
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
+
+ExecStart=/usr/bin/chainflip-node \
+    --chain=/etc/chainflip/perseverance.chainspec.json \
+    --base-path=/etc/chainflip/chaindata \
+    --node-key-file=/etc/chainflip/keys/node_key_file \
+    --validator \
+    --trie-cache-size=0 \
+    --sync=full
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/state-chain/node/package/perseverance/chainflip-node.service b/state-chain/node/package/perseverance/chainflip-node.service
@@ -6,12 +6,43 @@ Restart=always
 RestartSec=30
 Type=simple
 
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
+
 ExecStart=/usr/bin/chainflip-node \
-  --chain /etc/chainflip/perseverance.chainspec.json \
-  --base-path /etc/chainflip/chaindata \
-  --node-key-file /etc/chainflip/keys/node_key_file \
+  --chain=/etc/chainflip/perseverance.chainspec.json \
+  --base-path=/etc/chainflip/chaindata \
+  --node-key-file=/etc/chainflip/keys/node_key_file \
   --validator \
-  --trie-cache-size 0
+  --trie-cache-size=0 \
+  --sync=warp
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
 
 [Install]
 WantedBy=multi-user.target
diff --git a/state-chain/node/package/sisyphos/chainflip-archive-node.service b/state-chain/node/package/sisyphos/chainflip-archive-node.service
@@ -4,7 +4,11 @@ Description=Chainflip Archive Node
 [Service]
 Restart=always
 RestartSec=30
-Type=simple
+
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
 
 ExecStart=/usr/bin/chainflip-node \
     --chain=/etc/chainflip/sisyphos.chainspec.json \
@@ -19,5 +23,30 @@ ExecStart=/usr/bin/chainflip-node \
     --unsafe-rpc-external \
     --sync=full
 
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
diff --git a/state-chain/node/package/sisyphos/chainflip-genesis-node.service b/state-chain/node/package/sisyphos/chainflip-genesis-node.service
@@ -0,0 +1,47 @@
+[Unit]
+Description=Chainflip Genesis Node
+
+[Service]
+Restart=always
+RestartSec=30
+
+User=flip
+Group=flip
+
+WorkingDirectory=/etc/chainflip
+
+ExecStart=/usr/bin/chainflip-node \
+    --chain=/etc/chainflip/sisyphos.chainspec.json \
+    --base-path=/etc/chainflip/chaindata \
+    --node-key-file=/etc/chainflip/keys/node_key_file \
+    --validator \
+    --trie-cache-size=0 \
+    --sync=full
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+
+ProtectClock=yes
+ProtectHome=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target