lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity

feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege

Browse Source 
- Service runs as unprivileged `archipelago` user instead of root
- Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp,
  MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter
- Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16)
- Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian 2026-03-18 00:42:29 +00:00
parent 909ad5f019
commit 430d174389
7 changed files with 51 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
core/archipelago/src/api/rpc/package.rs
View File

@ -314,7 +314,8 @@ prune=550\n\
rpcuser=archipelago\n\ rpcuser=archipelago\n\
rpcpassword={}\n\ rpcpassword={}\n\
rpcbind=0.0.0.0\n\ rpcbind=0.0.0.0\n\
rpcallowip=0.0.0.0/0\n\ rpcallowip=127.0.0.1/32\n\
rpcallowip=10.88.0.0/16\n\
rpcport=8332\n\ rpcport=8332\n\
listen=1\n\ listen=1\n\
printtoconsole=1\n", rpc_pass); printtoconsole=1\n", rpc_pass);

32
image-recipe/configs/archipelago.service
View File

@ -5,7 +5,7 @@ Wants=network-online.target
[Service] [Service]
Type=notify Type=notify
User=root User=archipelago
Environment="ARCHIPELAGO_BIND=0.0.0.0:5678" Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
Environment="ARCHIPELAGO_DEV_MODE=true" Environment="ARCHIPELAGO_DEV_MODE=true"
ExecStartPre=/bin/bash -c 'mkdir -p /etc/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /etc/archipelago/host-ip.env' ExecStartPre=/bin/bash -c 'mkdir -p /etc/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /etc/archipelago/host-ip.env'
@ -15,5 +15,35 @@ RestartSec=5
WatchdogSec=300 WatchdogSec=300
TimeoutStartSec=300 TimeoutStartSec=300
# Filesystem protection
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/archipelago
# Privilege restriction
NoNewPrivileges=yes
PrivateDevices=yes
# Network restriction (allow only IPv4/IPv6 + Unix sockets)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Restrict what the process can do
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Only allow needed syscalls
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Memory protection
MemoryDenyWriteExecute=yes
# Logging
StandardOutput=journal
StandardError=journal
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

10
loop/plan.md
View File

@ -112,14 +112,14 @@
> backend can only do what it needs to do — like giving a bank teller access to the cash drawer but > backend can only do what it needs to do — like giving a bank teller access to the cash drawer but
> not the vault, the CEO's office, or the security cameras. > not the vault, the CEO's office, or the security cameras.
- [ ] **Create unprivileged archipelago user for backend**: SSH to 192.168.1.198: - [x] **Create unprivileged archipelago user for backend**: SSH to 192.168.1.198:
1. Check if user exists: `id archipelago`. If it's the login user (UID 1000), create a separate service user: `sudo useradd -r -s /usr/sbin/nologin -d /var/lib/archipelago archipelago-svc` (UID will be in the system range). 1. Check if user exists: `id archipelago`. If it's the login user (UID 1000), create a separate service user: `sudo useradd -r -s /usr/sbin/nologin -d /var/lib/archipelago archipelago-svc` (UID will be in the system range).
2. Actually — the `archipelago` user already exists as UID 1000 (the login user). The backend should run as this user, NOT root. Change `/etc/systemd/system/archipelago.service` to use `User=archipelago` instead of `User=root`. 2. Actually — the `archipelago` user already exists as UID 1000 (the login user). The backend should run as this user, NOT root. Change `/etc/systemd/system/archipelago.service` to use `User=archipelago` instead of `User=root`.
3. Fix file ownership: `sudo chown -R archipelago:archipelago /var/lib/archipelago/`. 3. Fix file ownership: `sudo chown -R archipelago:archipelago /var/lib/archipelago/`.
4. The backend needs to talk to Podman. Since Podman is rootless for UID 1000, this should work. Test: `sudo -u archipelago podman ps`. 4. The backend needs to talk to Podman. Since Podman is rootless for UID 1000, this should work. Test: `sudo -u archipelago podman ps`.
5. If Podman needs root for some operations, use `sudo` with specific commands only via sudoers — NOT running the entire backend as root. 5. If Podman needs root for some operations, use `sudo` with specific commands only via sudoers — NOT running the entire backend as root.
- [ ] **Add systemd sandboxing to archipelago.service**: Edit `image-recipe/configs/archipelago.service`. Add these directives under `[Service]`: - [x] **Add systemd sandboxing to archipelago.service**: Edit `image-recipe/configs/archipelago.service`. Add these directives under `[Service]`:
```ini ```ini
# Filesystem protection # Filesystem protection
ProtectSystem=strict ProtectSystem=strict
@ -154,7 +154,7 @@
Deploy the service file to the server: `scp image-recipe/configs/archipelago.service archipelago@192.168.1.198:/tmp/ && ssh archipelago@192.168.1.198 'sudo cp /tmp/archipelago.service /etc/systemd/system/ && sudo systemctl daemon-reload && sudo systemctl restart archipelago'`. Deploy the service file to the server: `scp image-recipe/configs/archipelago.service archipelago@192.168.1.198:/tmp/ && ssh archipelago@192.168.1.198 'sudo cp /tmp/archipelago.service /etc/systemd/system/ && sudo systemctl daemon-reload && sudo systemctl restart archipelago'`.
Watch the journal for errors: `ssh archipelago@192.168.1.198 'sudo journalctl -u archipelago -n 50 --no-pager'`. If the service fails to start due to a denied syscall or path, adjust the sandboxing (e.g., add the path to `ReadWritePaths` or the syscall group to `SystemCallFilter`). Iterate until the service starts cleanly. Watch the journal for errors: `ssh archipelago@192.168.1.198 'sudo journalctl -u archipelago -n 50 --no-pager'`. If the service fails to start due to a denied syscall or path, adjust the sandboxing (e.g., add the path to `ReadWritePaths` or the syscall group to `SystemCallFilter`). Iterate until the service starts cleanly.
- [ ] **Bind Bitcoin RPC to localhost only**: SSH to 192.168.1.198. Edit the bitcoin-knots container's start command: - [x] **Bind Bitcoin RPC to localhost only**: SSH to 192.168.1.198. Edit the bitcoin-knots container's start command:
1. Find where bitcoin-knots is started (in `scripts/first-boot-containers.sh` or via `podman inspect bitcoin-knots`). 1. Find where bitcoin-knots is started (in `scripts/first-boot-containers.sh` or via `podman inspect bitcoin-knots`).
2. Change `-rpcbind=0.0.0.0:8332` to `-rpcbind=127.0.0.1:8332 -rpcbind=::1:8332`. 2. Change `-rpcbind=0.0.0.0:8332` to `-rpcbind=127.0.0.1:8332 -rpcbind=::1:8332`.
3. Change `-rpcallowip=0.0.0.0/0` to `-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16` (the 10.88.x.x is Podman's default network — containers need to reach Bitcoin RPC). 3. Change `-rpcallowip=0.0.0.0/0` to `-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16` (the 10.88.x.x is Podman's default network — containers need to reach Bitcoin RPC).
@ -162,7 +162,7 @@
5. Verify containers on the Podman network can still reach it: `sudo podman exec lnd bitcoin-cli -rpcconnect=bitcoin-knots -rpcuser=... getblockchaininfo`. 5. Verify containers on the Podman network can still reach it: `sudo podman exec lnd bitcoin-cli -rpcconnect=bitcoin-knots -rpcuser=... getblockchaininfo`.
6. Verify external access is blocked: from another machine on the LAN, `curl http://192.168.1.198:8332` should fail/timeout. 6. Verify external access is blocked: from another machine on the LAN, `curl http://192.168.1.198:8332` should fail/timeout.
- [ ] **Reduce Tailscale container privileges**: In `scripts/first-boot-containers.sh`, find the Tailscale container creation (line ~460). Replace `--privileged` with: - [x] **Reduce Tailscale container privileges**: In `scripts/first-boot-containers.sh`, find the Tailscale container creation (line ~460). Replace `--privileged` with:
```bash ```bash
--cap-drop=ALL \ --cap-drop=ALL \
--cap-add=NET_ADMIN \ --cap-add=NET_ADMIN \
@ -174,7 +174,7 @@
``` ```
Recreate the Tailscale container on the server. Verify Tailscale still works: `sudo podman exec tailscale tailscale status`. Recreate the Tailscale container on the server. Verify Tailscale still works: `sudo podman exec tailscale tailscale status`.
- [ ] **Verify Phase 2 — Systemd hardening active**: Run these checks: - [x] **Verify Phase 2 — Systemd hardening active**: Run these checks:
1. `sudo systemctl show archipelago | grep -E "ProtectSystem|NoNewPrivileges|PrivateTmp"` — should show `strict`, `yes`, `yes`. 1. `sudo systemctl show archipelago | grep -E "ProtectSystem|NoNewPrivileges|PrivateTmp"` — should show `strict`, `yes`, `yes`.
2. `sudo systemctl status archipelago` — should be active and running. 2. `sudo systemctl status archipelago` — should be active and running.
3. `ss -tlnp | grep 8332` — Bitcoin RPC should show `127.0.0.1:8332`, NOT `0.0.0.0:8332`. 3. `ss -tlnp | grep 8332` — Bitcoin RPC should show `127.0.0.1:8332`, NOT `0.0.0.0:8332`.

3
scripts/container-doctor.sh
View File

@ -261,7 +261,8 @@ prune=550
rpcuser=archipelago rpcuser=archipelago
rpcpassword=$BTC_RPC_PASS rpcpassword=$BTC_RPC_PASS
rpcbind=0.0.0.0 rpcbind=0.0.0.0
rpcallowip=0.0.0.0/0 rpcallowip=127.0.0.1/32
rpcallowip=10.88.0.0/16
rpcport=8332 rpcport=8332
listen=1 listen=1
printtoconsole=1 printtoconsole=1

2
scripts/deploy-bitcoin-knots.sh
View File

@ -51,7 +51,7 @@ sudo podman run -d \
docker.io/bitcoinknots/bitcoin:latest \ docker.io/bitcoinknots/bitcoin:latest \
-server=1 \ -server=1 \
-txindex=1 \ -txindex=1 \
-rpcallowip=0.0.0.0/0 \ -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 \
-rpcbind=0.0.0.0:8332 \ -rpcbind=0.0.0.0:8332 \
-rpcuser=archipelago \ -rpcuser=archipelago \
-rpcpassword=$BITCOIN_RPC_PASS \ -rpcpassword=$BITCOIN_RPC_PASS \

2
scripts/deploy-to-target.sh
View File

@ -810,7 +810,7 @@ MANIFEST_EOF
-v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \ -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
docker.io/bitcoinknots/bitcoin:latest \ docker.io/bitcoinknots/bitcoin:latest \
-server=1 \$BTC_EXTRA_ARGS \ -server=1 \$BTC_EXTRA_ARGS \
-rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \ -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
-rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \ -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
-dbcache=\$BTC_DBCACHE -dbcache=\$BTC_DBCACHE
echo ' Bitcoin Knots started (sync may take hours)' echo ' Bitcoin Knots started (sync may take hours)'

14
scripts/first-boot-containers.sh
View File

@ -137,7 +137,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'bitcoin-knots|arch
-v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \ -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
docker.io/bitcoinknots/bitcoin:latest \ docker.io/bitcoinknots/bitcoin:latest \
-server=1 $BTC_EXTRA_ARGS \ -server=1 $BTC_EXTRA_ARGS \
-rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \ -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
-rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \ -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
-dbcache=$BTC_DBCACHE 2>>"$LOG"; then -dbcache=$BTC_DBCACHE 2>>"$LOG"; then
log "Bitcoin Knots started" log "Bitcoin Knots started"
@ -506,11 +506,15 @@ fi
if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q tailscale; then if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q tailscale; then
log "Creating Tailscale..." log "Creating Tailscale..."
mkdir -p /var/lib/archipelago/tailscale mkdir -p /var/lib/archipelago/tailscale
# Tailscale requires --privileged for TUN/iptables/routing table access # Tailscale needs NET_ADMIN + NET_RAW + TUN device (no --privileged)
$DOCKER run -d --name tailscale --restart unless-stopped \ $DOCKER run -d --name tailscale --restart unless-stopped \
--network host --privileged \ --network host \
--cap-add NET_ADMIN --cap-add NET_RAW \ --cap-drop=ALL \
--device=/dev/net/tun \ --cap-add=NET_ADMIN \
--cap-add=NET_RAW \
--device=/dev/net/tun:/dev/net/tun \
--read-only \
--tmpfs /tmp \
-v /var/lib/archipelago/tailscale:/var/lib/tailscale \ -v /var/lib/archipelago/tailscale:/var/lib/tailscale \
-e TS_STATE_DIR=/var/lib/tailscale \ -e TS_STATE_DIR=/var/lib/tailscale \
docker.io/tailscale/tailscale:stable \ docker.io/tailscale/tailscale:stable \