nix: fix types

nix/module.nix

@@ -5,7 +5,7 @@ self: {
   pkgs,
   ...
 }: let
-  inherit (builtins) toJSON baseNameOf toString;
+  inherit (builtins) toJSON toString;
   inherit (lib.modules) mkIf;
   inherit (lib.options) mkOption mkEnableOption literalExpression;
   inherit (lib.types) package str port int listOf enum bool attrsOf path;
@@ -30,6 +30,13 @@ self: {
     config_dir = "${cfg.stateDir}/conf";
     cache_dir = cfg.cacheDir;
   });
+
+  # Check if we need privileged port capability
+  portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
+  needsPrivilegedPort =
+    portMatch
+    != null
+    && builtins.fromJSON (builtins.head portMatch) < 1024;
 in {
   ###### interface
   options = {
@@ -39,7 +46,7 @@ in {
       package = mkOption {
         type = package;
         default = self.packages.${pkgs.stdenv.system}.eris;
-        defaultText = literalExpression "pkgs.eris";
+        defaultText = literalExpression "self.packages.\${pkgs.stdenv.system}.eris";
         description = "The Eris package to use.";
       };
 
@@ -154,7 +161,7 @@ in {
       dataDir = mkOption {
         # This derives from stateDir by default to keep persistent data together
         type = path;
-        default = "${cfg.stateDir}/data";
+        default = "/var/lib/eris/data";
         description = "Directory containing `corpora` and `scripts` subdirectories.";
       };
 
@@ -180,7 +187,7 @@ in {
           An attribute set where keys are Lua script filenames (e.g., "`my_script.lua`")
           and values are paths to the script files. These will be placed in {path}`''${cfg.dataDir}/scripts`.
         '';
-        example = lib.literalExpression ''
+        example = literalExpression ''
           {
             "custom_tokens.lua" = ./custom_tokens.lua;
           }
@@ -225,7 +232,7 @@ in {
             type ipv4_addr; flags interval; comment "Managed by Eris NixOS module";
           }
 
-          chain input {
+          chain INPUT {
             ${lib.optionalString cfg.nftablesDropRule ''
           ip saddr @eris_blacklist counter drop comment "Drop traffic from Eris blacklist";
         ''}
@@ -281,20 +288,20 @@ in {
 
         # Explicitly allow writes to state/cache/data dirs
         ReadWritePaths = [
-          cfg.stateDir
+          "${cfg.stateDir}"
-          cfg.cacheDir
+          "${cfg.cacheDir}"
-          cfg.dataDir
+          "${cfg.dataDir}"
         ];
 
         # Allow reads from config file path
-        ReadOnlyPaths = [erisConfigFile];
+        ReadOnlyPaths = ["${erisConfigFile}"];
 
         # Explicitly deny access to sensitive paths
         InaccessiblePaths = [
           "/boot"
           "/root"
           "/home"
-          "/srv" # Add others as needed
+          "/srv"
         ];
 
         PrivateTmp = true; # Use private /tmp and /var/tmp
@@ -307,17 +314,14 @@ in {
         ProtectControlGroups = true; # Make Control Group hierarchies read-only
 
         # Network access control
-        RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; # Allow only standard IP protocols
+        RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
-        CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; # Allow binding to ports < 1024 if needed
+
+        CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
         AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
 
-        # System call filtering (adjust based on Eris's needs)
         # Start with a reasonable baseline for network services
         SystemCallFilter = ["@system-service" "@network-io" "@file-system"];
 
-        # TODO: Consider adding more specific filters or removing groups if issues arise
-        # e.g., SystemCallArchitectures=native. This probably will not be enough
-
         # Other hardening
         RestrictNamespaces = true; # Prevent creation of new namespaces
         LockPersonality = true; # Lock down legacy personality settings
@@ -327,8 +331,8 @@ in {
         RestrictSUIDSGID = true; # Ignore SUID/SGID bits on execution
 
         # Directories managed by systemd
-        StateDirectory = baseNameOf cfg.stateDir; # e.g., "eris"
+        StateDirectory = "eris";
-        CacheDirectory = baseNameOf cfg.cacheDir; # e.g., "eris"
+        CacheDirectory = "eris";
         StateDirectoryMode = "0750";
         CacheDirectoryMode = "0750";
 
@@ -341,6 +345,7 @@ in {
       preStart = let
         corporaDir = "${cfg.dataDir}/corpora";
         scriptsDir = "${cfg.dataDir}/scripts";
+        confDir = "${cfg.stateDir}/conf";
         chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
 
         # Create commands to copy corpora files
@@ -359,19 +364,12 @@ in {
           '')
           cfg.luaScripts;
       in ''
-        # Systemd creates StateDirectory and CacheDirectory, but we need subdirs
+        # Create subdirectories only - base directories are created by systemd
-        mkdir -p ${cfg.stateDir}/conf ${cfg.dataDir} ${corporaDir} ${scriptsDir}
+        mkdir -p ${confDir} ${corporaDir} ${scriptsDir}
 
-        # Ensure ownership is correct for all relevant dirs managed by systemd or created here
-        ${chownCmd} /var/lib/${baseNameOf cfg.stateDir} \
-                    /var/cache/${baseNameOf cfg.cacheDir} \
-                    ${cfg.stateDir}/conf \
-                    ${cfg.dataDir} \
-                    ${corporaDir} \
-                    ${scriptsDir}
         # Copy declarative files
-        ${toString copyCorporaCmds}
+        ${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
-        ${toString copyLuaScriptCmds}
+        ${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}
       '';
     };
   };