nix: fix types
This commit is contained in:
parent
bd10705a29
commit
4f0520c655
GPG key ID:
29D95B64378DB4BF
1 changed files with 29 additions and 22 deletions
|
|
@ -5,7 +5,7 @@ self: {
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
inherit (builtins) toJSON baseNameOf toString;
|
inherit (builtins) toJSON toString;
|
||||||
inherit (lib.modules) mkIf;
|
inherit (lib.modules) mkIf;
|
||||||
inherit (lib.options) mkOption mkEnableOption literalExpression;
|
inherit (lib.options) mkOption mkEnableOption literalExpression;
|
||||||
inherit (lib.types) package str port int listOf enum bool attrsOf path;
|
inherit (lib.types) package str port int listOf enum bool attrsOf path;
|
||||||
|
|
@ -30,6 +30,13 @@ self: {
|
||||||
config_dir = "${cfg.stateDir}/conf";
|
config_dir = "${cfg.stateDir}/conf";
|
||||||
cache_dir = cfg.cacheDir;
|
cache_dir = cfg.cacheDir;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
# Check if we need privileged port capability
|
||||||
|
portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
|
||||||
|
needsPrivilegedPort =
|
||||||
|
portMatch
|
||||||
|
!= null
|
||||||
|
&& builtins.fromJSON (builtins.head portMatch) < 1024;
|
||||||
in {
|
in {
|
||||||
###### interface
|
###### interface
|
||||||
options = {
|
options = {
|
||||||
|
|
@ -39,7 +46,7 @@ in {
|
||||||
package = mkOption {
|
package = mkOption {
|
||||||
type = package;
|
type = package;
|
||||||
default = self.packages.${pkgs.stdenv.system}.eris;
|
default = self.packages.${pkgs.stdenv.system}.eris;
|
||||||
defaultText = literalExpression "pkgs.eris";
|
defaultText = literalExpression "self.packages.\${pkgs.stdenv.system}.eris";
|
||||||
description = "The Eris package to use.";
|
description = "The Eris package to use.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -154,7 +161,7 @@ in {
|
||||||
dataDir = mkOption {
|
dataDir = mkOption {
|
||||||
# This derives from stateDir by default to keep persistent data together
|
# This derives from stateDir by default to keep persistent data together
|
||||||
type = path;
|
type = path;
|
||||||
default = "${cfg.stateDir}/data";
|
default = "/var/lib/eris/data";
|
||||||
description = "Directory containing `corpora` and `scripts` subdirectories.";
|
description = "Directory containing `corpora` and `scripts` subdirectories.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -180,7 +187,7 @@ in {
|
||||||
An attribute set where keys are Lua script filenames (e.g., "`my_script.lua`")
|
An attribute set where keys are Lua script filenames (e.g., "`my_script.lua`")
|
||||||
and values are paths to the script files. These will be placed in {path}`''${cfg.dataDir}/scripts`.
|
and values are paths to the script files. These will be placed in {path}`''${cfg.dataDir}/scripts`.
|
||||||
'';
|
'';
|
||||||
example = lib.literalExpression ''
|
example = literalExpression ''
|
||||||
{
|
{
|
||||||
"custom_tokens.lua" = ./custom_tokens.lua;
|
"custom_tokens.lua" = ./custom_tokens.lua;
|
||||||
}
|
}
|
||||||
|
|
@ -225,7 +232,7 @@ in {
|
||||||
type ipv4_addr; flags interval; comment "Managed by Eris NixOS module";
|
type ipv4_addr; flags interval; comment "Managed by Eris NixOS module";
|
||||||
}
|
}
|
||||||
|
|
||||||
chain input {
|
chain INPUT {
|
||||||
${lib.optionalString cfg.nftablesDropRule ''
|
${lib.optionalString cfg.nftablesDropRule ''
|
||||||
ip saddr @eris_blacklist counter drop comment "Drop traffic from Eris blacklist";
|
ip saddr @eris_blacklist counter drop comment "Drop traffic from Eris blacklist";
|
||||||
''}
|
''}
|
||||||
|
|
@ -281,13 +288,13 @@ in {
|
||||||
|
|
||||||
# Explicitly allow writes to state/cache/data dirs
|
# Explicitly allow writes to state/cache/data dirs
|
||||||
ReadWritePaths = [
|
ReadWritePaths = [
|
||||||
cfg.stateDir
|
"${cfg.stateDir}"
|
||||||
cfg.cacheDir
|
"${cfg.cacheDir}"
|
||||||
cfg.dataDir
|
"${cfg.dataDir}"
|
||||||
];
|
];
|
||||||
|
|
||||||
# Allow reads from config file path
|
# Allow reads from config file path
|
||||||
ReadOnlyPaths = [erisConfigFile];
|
ReadOnlyPaths = ["${erisConfigFile}"];
|
||||||
|
|
||||||
# Explicitly deny access to sensitive paths
|
# Explicitly deny access to sensitive paths
|
||||||
InaccessiblePaths = [
|
InaccessiblePaths = [
|
||||||
|
|
@ -308,16 +315,15 @@ in {
|
||||||
|
|
||||||
# Network access control
|
# Network access control
|
||||||
RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; # Allow only standard IP protocols
|
RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; # Allow only standard IP protocols
|
||||||
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; # Allow binding to ports < 1024 if needed
|
|
||||||
AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
|
# Only add NET_BIND_SERVICE capability if needed (port < 1024)
|
||||||
|
CapabilityBoundingSet = optionals needsPrivilegedPort "CAP_NET_BIND_SERVICE";
|
||||||
|
AmbientCapabilities = optionals needsPrivilegedPort "CAP_NET_BIND_SERVICE";
|
||||||
|
|
||||||
# System call filtering (adjust based on Eris's needs)
|
# System call filtering (adjust based on Eris's needs)
|
||||||
# Start with a reasonable baseline for network services
|
# Start with a reasonable baseline for network services
|
||||||
SystemCallFilter = ["@system-service" "@network-io" "@file-system"];
|
SystemCallFilter = ["@system-service" "@network-io" "@file-system"];
|
||||||
|
|
||||||
# TODO: Consider adding more specific filters or removing groups if issues arise
|
|
||||||
# e.g., SystemCallArchitectures=native. This probably will not be enough
|
|
||||||
|
|
||||||
# Other hardening
|
# Other hardening
|
||||||
RestrictNamespaces = true; # Prevent creation of new namespaces
|
RestrictNamespaces = true; # Prevent creation of new namespaces
|
||||||
LockPersonality = true; # Lock down legacy personality settings
|
LockPersonality = true; # Lock down legacy personality settings
|
||||||
|
|
@ -327,8 +333,8 @@ in {
|
||||||
RestrictSUIDSGID = true; # Ignore SUID/SGID bits on execution
|
RestrictSUIDSGID = true; # Ignore SUID/SGID bits on execution
|
||||||
|
|
||||||
# Directories managed by systemd
|
# Directories managed by systemd
|
||||||
StateDirectory = baseNameOf cfg.stateDir; # e.g., "eris"
|
StateDirectory = "eris";
|
||||||
CacheDirectory = baseNameOf cfg.cacheDir; # e.g., "eris"
|
CacheDirectory = "eris";
|
||||||
StateDirectoryMode = "0750";
|
StateDirectoryMode = "0750";
|
||||||
CacheDirectoryMode = "0750";
|
CacheDirectoryMode = "0750";
|
||||||
|
|
||||||
|
|
@ -362,16 +368,17 @@ in {
|
||||||
# Systemd creates StateDirectory and CacheDirectory, but we need subdirs
|
# Systemd creates StateDirectory and CacheDirectory, but we need subdirs
|
||||||
mkdir -p ${cfg.stateDir}/conf ${cfg.dataDir} ${corporaDir} ${scriptsDir}
|
mkdir -p ${cfg.stateDir}/conf ${cfg.dataDir} ${corporaDir} ${scriptsDir}
|
||||||
|
|
||||||
# Ensure ownership is correct for all relevant dirs managed by systemd or created here
|
# Wee need to be able to read and write to all relevant directories.
|
||||||
${chownCmd} /var/lib/${baseNameOf cfg.stateDir} \
|
${chownCmd} ${cfg.stateDir} \
|
||||||
/var/cache/${baseNameOf cfg.cacheDir} \
|
${cfg.cacheDir} \
|
||||||
${cfg.stateDir}/conf \
|
${cfg.stateDir}/conf \
|
||||||
${cfg.dataDir} \
|
${cfg.dataDir} \
|
||||||
${corporaDir} \
|
${corporaDir} \
|
||||||
${scriptsDir}
|
${scriptsDir}
|
||||||
# Copy declarative files
|
|
||||||
${toString copyCorporaCmds}
|
# Copy configurationn files
|
||||||
${toString copyLuaScriptCmds}
|
${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
|
||||||
|
${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue