From f2f3906b8e9f1af99de9cf6488d54732a711dfc6 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 5 Apr 2026 20:19:40 -0500
Subject: Harden bitcoind and lnd: file permissions, service binding, no_log

- Config files 0644 -> 0600
- Add no_log: true to config tasks
- Bind lnd rpclisten and restlisten to 127.0.0.1
---
 bitcoind/tasks/main.yaml | 3 ++-
 lnd/tasks/main.yaml | 3 ++-
 lnd/templates/lnd.conf.j2 | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/bitcoind/tasks/main.yaml b/bitcoind/tasks/main.yaml
index 624e2b9..a11dbbf 100644
--- a/bitcoind/tasks/main.yaml
+++ b/bitcoind/tasks/main.yaml
@@ -49,8 +49,9 @@
 dest: "{{bitcoind_conf_dir}}/bitcoin.conf"
 owner: "{{bitcoind_user}}"
 group: "{{bitcoind_user}}"
- mode: "0644"
+ mode: "0600"
 notify: restart bitcoind
+ no_log: true

 - name: install bitcoind service
 become: yes
diff --git a/lnd/tasks/main.yaml b/lnd/tasks/main.yaml
index bd7c360..965114b 100644
--- a/lnd/tasks/main.yaml
+++ b/lnd/tasks/main.yaml
@@ -60,8 +60,9 @@
 dest: "{{lnd_conf_dir}}/lnd.conf"
 owner: "{{lnd_user}}"
 group: "{{lnd_user}}"
- mode: "0644"
+ mode: "0600"
 notify: restart lnd
+ no_log: true

 - name: install lnd service
 become: yes
diff --git a/lnd/templates/lnd.conf.j2 b/lnd/templates/lnd.conf.j2
index ba37102..60fec71 100644
--- a/lnd/templates/lnd.conf.j2
+++ b/lnd/templates/lnd.conf.j2
@@ -8,8 +8,8 @@
 alias={{lnd_alias}}
 tlsextradomain={{lnd_alias}}
 listen=0.0.0.0:9735
-rpclisten=0.0.0.0:10009
-restlisten=0.0.0.0:8080
+rpclisten=127.0.0.1:10009
+restlisten=127.0.0.1:8080

 [Bitcoin]
 bitcoin.mainnet=true
--
cgit v1.2.3
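Review bot: `no_log: true` on this template task, and on the matching task in the lnd/tasks/main.yaml hunk, also censors the module's failure result and the `--diff` rendering, so a template or permission error will surface without details. A one-line comment above the key would record the reason, for example `# no_log: rendered config may hold RPC credentials; disable temporarily only when debugging`. Separately, with `mode: "0600"` and owner `{{bitcoind_user}}`, no other account can read bitcoin.conf any more; presumably lnd runs as `{{lnd_user}}`, so confirm it does not depend on reading this file for its RPC settings. The task starts above the hunk, so the template source and module name are not visible here.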
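Review bot: The loopback address is now hard-coded on `rpclisten` and `restlisten`, so a host that has a legitimate need to reach the gRPC or REST API from another machine can only get it by editing the template. A role variable that defaults to loopback keeps the hardened default and makes any wider binding an explicit opt-in, e.g. `rpclisten={{ lnd_rpc_bind | default('127.0.0.1') }}:10009` (the variable name is a suggestion, not an existing one). A comment line above the three listen settings would also help, stating that p2p `listen` stays on 0.0.0.0 on purpose while the control APIs are loopback-only. It is worth checking that local clients connect to 127.0.0.1 rather than a `localhost` name that may resolve to ::1.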