feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege
- Service runs as unprivileged `archipelago` user instead of root
- Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter
- Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16)
- Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -261,7 +261,8 @@ prune=550
|
||||
rpcuser=archipelago
|
||||
rpcpassword=$BTC_RPC_PASS
|
||||
rpcbind=0.0.0.0
|
||||
rpcallowip=0.0.0.0/0
|
||||
rpcallowip=127.0.0.1/32
|
||||
rpcallowip=10.88.0.0/16
|
||||
rpcport=8332
|
||||
listen=1
|
||||
printtoconsole=1
|
||||
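Review bot: The RPC listener is still bound to every interface: `rpcbind=0.0.0.0` on the line above the new rpcallowip entries is unchanged, so the "localhost binding" in the commit title is really source-address filtering, which bitcoind appears to apply only after accepting the connection. If nothing outside the container and the Podman subnet needs RPC, binding to the loopback and container addresses (`rpcbind=127.0.0.1` plus the address the Podman network assigns) would match the allow list; otherwise host exposure is decided by how the port is published, and `-p 127.0.0.1:8332:8332` keeps it off the host's external interfaces. Note also that 10.88.0.0/16 admits every container on the default Podman network, not only this service, which deserves a comment such as `# 10.88.0.0/16 = default podman network: any container on it can reach RPC`. The same unchanged `rpcbind=0.0.0.0:8332` appears in the hunks at @@ -51, @@ -810 and @@ -137.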
|
||||
@@ -51,7 +51,7 @@ sudo podman run -d \
|
||||
docker.io/bitcoinknots/bitcoin:latest \
|
||||
-server=1 \
|
||||
-txindex=1 \
|
||||
-rpcallowip=0.0.0.0/0 \
|
||||
-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 \
|
||||
-rpcbind=0.0.0.0:8332 \
|
||||
-rpcuser=archipelago \
|
||||
-rpcpassword=$BITCOIN_RPC_PASS \
|
||||
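Review bot: `-rpcpassword=$BITCOIN_RPC_PASS` on the podman command line places the secret in the container process's argv, where it is visible in the host's process list (`ps`, `/proc/<pid>/cmdline`) to any local user and would be echoed by `set -x`. The hunk at @@ -261 already writes a bitcoin.conf containing rpcpassword; if that file is mounted into this container, dropping the flag here and letting bitcoind read it from the config (or switching to `-rpcauth=` with a salted hash) keeps the credential out of the process list. The hunks at @@ -810 and @@ -137 pass `-rpcpassword=$BITCOIN_RPC_PASS` the same way. The `sudo podman run` command begins and continues outside this hunk.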
|
||||
@@ -810,7 +810,7 @@ MANIFEST_EOF
|
||||
-v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
|
||||
docker.io/bitcoinknots/bitcoin:latest \
|
||||
-server=1 \$BTC_EXTRA_ARGS \
|
||||
-rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
|
||||
-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
|
||||
-rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
|
||||
-dbcache=\$BTC_DBCACHE
|
||||
echo ' Bitcoin Knots started (sync may take hours)'
|
||||
|
||||
@@ -137,7 +137,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'bitcoin-knots|arch
|
||||
-v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
|
||||
docker.io/bitcoinknots/bitcoin:latest \
|
||||
-server=1 $BTC_EXTRA_ARGS \
|
||||
-rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
|
||||
-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
|
||||
-rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
|
||||
-dbcache=$BTC_DBCACHE 2>>"$LOG"; then
|
||||
log "Bitcoin Knots started"
|
||||
@@ -506,11 +506,15 @@ fi
|
||||
if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q tailscale; then
|
||||
log "Creating Tailscale..."
|
||||
mkdir -p /var/lib/archipelago/tailscale
|
||||
# Tailscale requires --privileged for TUN/iptables/routing table access
|
||||
# Tailscale needs NET_ADMIN + NET_RAW + TUN device (no --privileged)
|
||||
$DOCKER run -d --name tailscale --restart unless-stopped \
|
||||
--network host --privileged \
|
||||
--cap-add NET_ADMIN --cap-add NET_RAW \
|
||||
--device=/dev/net/tun \
|
||||
--network host \
|
||||
--cap-drop=ALL \
|
||||
--cap-add=NET_ADMIN \
|
||||
--cap-add=NET_RAW \
|
||||
--device=/dev/net/tun:/dev/net/tun \
|
||||
--read-only \
|
||||
--tmpfs /tmp \
|
||||
-v /var/lib/archipelago/tailscale:/var/lib/tailscale \
|
||||
-e TS_STATE_DIR=/var/lib/tailscale \
|
||||
docker.io/tailscale/tailscale:stable \
|
||||
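Review bot: With the new `--read-only`, tailscaled needs writable paths beyond the state volume and `/tmp`; by default it creates its control socket under `/var/run/tailscale`, so unless the image already mounts that as tmpfs the daemon may fail to start — worth verifying, and adding `--tmpfs /run` if it does. Because the container keeps `--network host`, NET_ADMIN still grants control over the host's routes and firewall rules, which the new comment should state plainly, e.g. `# NET_ADMIN+NET_RAW on --network host: can rewrite host routes/iptables; TUN device is for the tunnel interface`. For consistency with the systemd NoNewPrivileges setting introduced by this commit, `--security-opt no-new-privileges` could be added to this run command as well. The `$DOCKER run` command continues past the last line of the hunk.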
|
||||