feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege

- Service runs as unprivileged `archipelago` user instead of root - Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter - Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16) - Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:42:29 +00:00 · 2026-03-18 00:42:29 +00:00 · 430d174389
commit 430d174389
parent 909ad5f019
7 changed files with 51 additions and 15 deletions
--- a/core/archipelago/src/api/rpc/package.rs
+++ b/core/archipelago/src/api/rpc/package.rs
@ -314,7 +314,8 @@ prune=550\n\
 rpcuser=archipelago\n\
 rpcpassword={}\n\
 rpcbind=0.0.0.0\n\
-rpcallowip=0.0.0.0/0\n\
+rpcallowip=127.0.0.1/32\n\
+rpcallowip=10.88.0.0/16\n\
 rpcport=8332\n\
 listen=1\n\
 printtoconsole=1\n", rpc_pass);
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@ -5,7 +5,7 @@ Wants=network-online.target

 [Service]
 Type=notify
-User=root
+User=archipelago
 Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
 Environment="ARCHIPELAGO_DEV_MODE=true"
 ExecStartPre=/bin/bash -c 'mkdir -p /etc/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /etc/archipelago/host-ip.env'
@ -15,5 +15,35 @@ RestartSec=5
 WatchdogSec=300
 TimeoutStartSec=300

+# Filesystem protection
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/var/lib/archipelago
+
+# Privilege restriction
+NoNewPrivileges=yes
+PrivateDevices=yes
+
+# Network restriction (allow only IPv4/IPv6 + Unix sockets)
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Restrict what the process can do
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# Only allow needed syscalls
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+
+# Memory protection
+MemoryDenyWriteExecute=yes
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
--- a/loop/plan.md
+++ b/loop/plan.md
@ -112,14 +112,14 @@
 > backend can only do what it needs to do — like giving a bank teller access to the cash drawer but
 > not the vault, the CEO's office, or the security cameras.

- [ ] **Create unprivileged archipelago user for backend**: SSH to 192.168.1.198:
+- [x] **Create unprivileged archipelago user for backend**: SSH to 192.168.1.198:
  1. Check if user exists: `id archipelago`. If it's the login user (UID 1000), create a separate service user: `sudo useradd -r -s /usr/sbin/nologin -d /var/lib/archipelago archipelago-svc` (UID will be in the system range).
  2. Actually — the `archipelago` user already exists as UID 1000 (the login user). The backend should run as this user, NOT root. Change `/etc/systemd/system/archipelago.service` to use `User=archipelago` instead of `User=root`.
  3. Fix file ownership: `sudo chown -R archipelago:archipelago /var/lib/archipelago/`.
  4. The backend needs to talk to Podman. Since Podman is rootless for UID 1000, this should work. Test: `sudo -u archipelago podman ps`.
  5. If Podman needs root for some operations, use `sudo` with specific commands only via sudoers — NOT running the entire backend as root.

- [ ] **Add systemd sandboxing to archipelago.service**: Edit `image-recipe/configs/archipelago.service`. Add these directives under `[Service]`:
+- [x] **Add systemd sandboxing to archipelago.service**: Edit `image-recipe/configs/archipelago.service`. Add these directives under `[Service]`:
  ```ini
  # Filesystem protection
  ProtectSystem=strict
@ -154,7 +154,7 @@
  Deploy the service file to the server: `scp image-recipe/configs/archipelago.service archipelago@192.168.1.198:/tmp/ && ssh archipelago@192.168.1.198 'sudo cp /tmp/archipelago.service /etc/systemd/system/ && sudo systemctl daemon-reload && sudo systemctl restart archipelago'`.
  Watch the journal for errors: `ssh archipelago@192.168.1.198 'sudo journalctl -u archipelago -n 50 --no-pager'`. If the service fails to start due to a denied syscall or path, adjust the sandboxing (e.g., add the path to `ReadWritePaths` or the syscall group to `SystemCallFilter`). Iterate until the service starts cleanly.

- [ ] **Bind Bitcoin RPC to localhost only**: SSH to 192.168.1.198. Edit the bitcoin-knots container's start command:
+- [x] **Bind Bitcoin RPC to localhost only**: SSH to 192.168.1.198. Edit the bitcoin-knots container's start command:
  1. Find where bitcoin-knots is started (in `scripts/first-boot-containers.sh` or via `podman inspect bitcoin-knots`).
  2. Change `-rpcbind=0.0.0.0:8332` to `-rpcbind=127.0.0.1:8332 -rpcbind=::1:8332`.
  3. Change `-rpcallowip=0.0.0.0/0` to `-rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16` (the 10.88.x.x is Podman's default network — containers need to reach Bitcoin RPC).
@ -162,7 +162,7 @@
  5. Verify containers on the Podman network can still reach it: `sudo podman exec lnd bitcoin-cli -rpcconnect=bitcoin-knots -rpcuser=... getblockchaininfo`.
  6. Verify external access is blocked: from another machine on the LAN, `curl http://192.168.1.198:8332` should fail/timeout.

- [ ] **Reduce Tailscale container privileges**: In `scripts/first-boot-containers.sh`, find the Tailscale container creation (line ~460). Replace `--privileged` with:
+- [x] **Reduce Tailscale container privileges**: In `scripts/first-boot-containers.sh`, find the Tailscale container creation (line ~460). Replace `--privileged` with:
  ```bash
  --cap-drop=ALL \
  --cap-add=NET_ADMIN \
@ -174,7 +174,7 @@
  ```
  Recreate the Tailscale container on the server. Verify Tailscale still works: `sudo podman exec tailscale tailscale status`.

- [ ] **Verify Phase 2 — Systemd hardening active**: Run these checks:
+- [x] **Verify Phase 2 — Systemd hardening active**: Run these checks:
  1. `sudo systemctl show archipelago | grep -E "ProtectSystem|NoNewPrivileges|PrivateTmp"` — should show `strict`, `yes`, `yes`.
  2. `sudo systemctl status archipelago` — should be active and running.
  3. `ss -tlnp | grep 8332` — Bitcoin RPC should show `127.0.0.1:8332`, NOT `0.0.0.0:8332`.
--- a/scripts/container-doctor.sh
+++ b/scripts/container-doctor.sh
@ -261,7 +261,8 @@ prune=550
 rpcuser=archipelago
 rpcpassword=$BTC_RPC_PASS
 rpcbind=0.0.0.0
-rpcallowip=0.0.0.0/0
+rpcallowip=127.0.0.1/32
+rpcallowip=10.88.0.0/16
 rpcport=8332
 listen=1
 printtoconsole=1
--- a/scripts/deploy-bitcoin-knots.sh
+++ b/scripts/deploy-bitcoin-knots.sh
@ -51,7 +51,7 @@ sudo podman run -d \
  docker.io/bitcoinknots/bitcoin:latest \
  -server=1 \
  -txindex=1 \
-  -rpcallowip=0.0.0.0/0 \
+  -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 \
  -rpcbind=0.0.0.0:8332 \
  -rpcuser=archipelago \
  -rpcpassword=$BITCOIN_RPC_PASS \
--- a/scripts/deploy-to-target.sh
+++ b/scripts/deploy-to-target.sh
@ -810,7 +810,7 @@ MANIFEST_EOF
          -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
          docker.io/bitcoinknots/bitcoin:latest \
          -server=1 \$BTC_EXTRA_ARGS \
-          -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
+          -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
          -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
          -dbcache=\$BTC_DBCACHE
        echo '   Bitcoin Knots started (sync may take hours)'
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@ -137,7 +137,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'bitcoin-knots|arch
    -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
    docker.io/bitcoinknots/bitcoin:latest \
    -server=1 $BTC_EXTRA_ARGS \
-    -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
+    -rpcallowip=127.0.0.1/32 -rpcallowip=10.88.0.0/16 -rpcbind=0.0.0.0:8332 \
    -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
    -dbcache=$BTC_DBCACHE 2>>"$LOG"; then
    log "Bitcoin Knots started"
@ -506,11 +506,15 @@ fi
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q tailscale; then
  log "Creating Tailscale..."
  mkdir -p /var/lib/archipelago/tailscale
-  # Tailscale requires --privileged for TUN/iptables/routing table access
+  # Tailscale needs NET_ADMIN + NET_RAW + TUN device (no --privileged)
  $DOCKER run -d --name tailscale --restart unless-stopped \
-    --network host --privileged \
-    --cap-add NET_ADMIN --cap-add NET_RAW \
-    --device=/dev/net/tun \
+    --network host \
+    --cap-drop=ALL \
+    --cap-add=NET_ADMIN \
+    --cap-add=NET_RAW \
+    --device=/dev/net/tun:/dev/net/tun \
+    --read-only \
+    --tmpfs /tmp \
    -v /var/lib/archipelago/tailscale:/var/lib/tailscale \
    -e TS_STATE_DIR=/var/lib/tailscale \
    docker.io/tailscale/tailscale:stable \