From f2f3906b8e9f1af99de9cf6488d54732a711dfc6 Mon Sep 17 00:00:00 2001
From: Luke Hoersten <luke@hoersten.org>
Date: Sun, 5 Apr 2026 20:19:40 -0500
Subject: Harden bitcoind and lnd: file permissions, service binding, no_log

- Config files 0644 -> 0600
- Add no_log: true to config tasks
- Bind lnd rpclisten and restlisten to 127.0.0.1
---
 lnd/tasks/main.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lnd/tasks/main.yaml')

diff --git a/lnd/tasks/main.yaml b/lnd/tasks/main.yaml
index bd7c360..965114b 100644
--- a/lnd/tasks/main.yaml
+++ b/lnd/tasks/main.yaml
@@ -60,8 +60,9 @@
     dest: "{{lnd_conf_dir}}/lnd.conf"
     owner: "{{lnd_user}}"
     group: "{{lnd_user}}"
-    mode: "0644"
+    mode: "0600"
   notify: restart lnd
+  no_log: true
 
 - name: install lnd service
   become: yes
-- 
cgit v1.2.3