Add security section to README

Jonas Nick 2019-04-28 13:11:53 +00:00
parent 6f8dac6e07
commit 7fb1cc1e93
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
3 changed files with 18 additions and 3 deletions

@ -1,7 +1,7 @@
nix-bitcoin nix-bitcoin
=== ===
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols. Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
This is a work in progress - don't expect it to be bug free or secure. This is a work in progress - don't expect it to be bug free or secure.
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
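Review bot: The revised description line now ends "with an emphasis on security" and is followed directly by "don't expect it to be bug free or secure", so the opening paragraph reads as contradicting itself. Consider wording the first sentence as a design goal rather than a property, or moving the work-in-progress caveat so that it explicitly qualifies the new claim.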
@ -49,6 +49,19 @@ The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin di
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell. Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
See [install.md](docs/install.md) for a detailed tutorial. See [install.md](docs/install.md) for a detailed tutorial.
Security
---
* Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches.
* Builds happen in a [sandboxed environment](https://nixos.org/nix/manual/).
* Packages dependencies are [pinned](pkgs/nixpkgs-pinned.nix). Most packages are built from the [nixos stable channel](https://github.com/NixOS/nixpkgs-channels/tree/nixos-19.03), with a few exceptions that are built from the nixpkgs unstable channel.
* nix-bitcoin merge commits are signed.
* nix-bitcoin is built with a [hardened kernel](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix) by default.
* Services operate with least privileges. They each have their own user and are restricted further with [systemd options](modules/nix-bitcoin-services.nix).
* There's a non-root user *operator* to interact with the various services.
Note that nix-bitcoin is still experimental.
Also, by design if the machine you're deploying *from* is insecure, there is nothing nix-bitcoin can do to protect itself.
Hardware requirements Hardware requirements
--- ---
* Disk space: 300 GB (235GB for Bitcoin blockchain + some room) * Disk space: 300 GB (235GB for Bitcoin blockchain + some room)
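Review bot: The bullet "nix-bitcoin merge commits are signed" does not say which keys sign them or how a user checks a signature, so a reader cannot act on it as written; add the signing key fingerprints or a link to where they are published. Two smaller points in the same list: the hardened kernel link targets `master` of nixpkgs while the dependency bullet says packages are pinned to nixos-19.03, so the linked file can differ from what is actually deployed, and the sandbox link goes to the top of the Nix manual rather than to the section on sandboxing. "Packages dependencies" should read "Package dependencies".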

@ -165,6 +165,10 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
swapon /dev/sda2 swapon /dev/sda2
``` ```
4. Option 3: Set up encrypted partitions:
Follow the guide at https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134.
5. Generate NixOS config 5. Generate NixOS config
``` ```
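Review bot: The new step "4. Option 3: Set up encrypted partitions" delegates the whole procedure to a personal gist, which the project does not control and which can be edited or deleted after this is merged. For a step that decides how disk encryption is set up, either reproduce the commands inline as the preceding option does (`swapon /dev/sda2` and its block), or link to a specific revision of the gist so the instructions cannot change underneath the reader.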

@ -207,7 +207,6 @@ in {
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
name = cfg.user; name = cfg.user;
#uid = config.ids.uids.liquid;
group = cfg.group; group = cfg.group;
extraGroups = [ "keys" ]; extraGroups = [ "keys" ];
description = "Liquid daemon user"; description = "Liquid daemon user";
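Review bot: Removing the commented-out `#uid = config.ids.uids.liquid;` here, and the matching `#gid = config.ids.gids.liquid;` in the next hunk, is unrelated to the commit subject "Add security section to README". Split the module cleanup into its own commit so the README change can be reviewed and reverted independently.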
@ -215,7 +214,6 @@ in {
}; };
users.groups.${cfg.group} = { users.groups.${cfg.group} = {
name = cfg.group; name = cfg.group;
#gid = config.ids.gids.liquid;
}; };
}; };
} }