Harden bitcoind and lnd: file permissions, service binding, no_logHEADmain

- Config files 0644 -> 0600
- Add no_log: true to config tasks
- Bind lnd rpclisten and restlisten to 127.0.0.1

3 files changed, 6 insertions, 4 deletions

diff --git a/bitcoind/tasks/main.yaml b/bitcoind/tasks/main.yaml
index 624e2b9..a11dbbf 100644
--- a/bitcoind/tasks/main.yaml
+++ b/bitcoind/tasks/main.yaml
@@ -49,8 +49,9 @@
     dest: "{{bitcoind_conf_dir}}/bitcoin.conf"
     owner: "{{bitcoind_user}}"
     group: "{{bitcoind_user}}"
-    mode: "0644"
+    mode: "0600"
   notify: restart bitcoind
+  no_log: true
 
 - name: install bitcoind service
   become: yes
diff --git a/lnd/tasks/main.yaml b/lnd/tasks/main.yaml
index bd7c360..965114b 100644
--- a/lnd/tasks/main.yaml
+++ b/lnd/tasks/main.yaml
@@ -60,8 +60,9 @@
     dest: "{{lnd_conf_dir}}/lnd.conf"
     owner: "{{lnd_user}}"
     group: "{{lnd_user}}"
-    mode: "0644"
+    mode: "0600"
   notify: restart lnd
+  no_log: true
 
 - name: install lnd service
   become: yes
diff --git a/lnd/templates/lnd.conf.j2 b/lnd/templates/lnd.conf.j2
index ba37102..60fec71 100644
--- a/lnd/templates/lnd.conf.j2
+++ b/lnd/templates/lnd.conf.j2
@@ -8,8 +8,8 @@ alias={{lnd_alias}}
 
 tlsextradomain={{lnd_alias}}
 listen=0.0.0.0:9735
-rpclisten=0.0.0.0:10009
-restlisten=0.0.0.0:8080
+rpclisten=127.0.0.1:10009
+restlisten=127.0.0.1:8080
 
 [Bitcoin]
 bitcoin.mainnet=true