nix: fix types
This commit is contained in:
parent
bd10705a29
commit
d89fe8ddd5
1 changed files with 27 additions and 29 deletions
@ -5,7 +5,7 @@ self: {
|
|||
pkgs,
|
||||
...
|
||||
}: let
|
||||
inherit (builtins) toJSON baseNameOf toString;
|
||||
inherit (builtins) toJSON toString;
|
||||
inherit (lib.modules) mkIf;
|
||||
inherit (lib.options) mkOption mkEnableOption literalExpression;
|
||||
inherit (lib.types) package str port int listOf enum bool attrsOf path;
|
||||
|
|
@ -30,6 +30,13 @@ self: {
|
|||
config_dir = "${cfg.stateDir}/conf";
|
||||
cache_dir = cfg.cacheDir;
|
||||
});
|
||||
|
||||
# Check if we need privileged port capability
|
||||
portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
|
||||
needsPrivilegedPort =
|
||||
portMatch
|
||||
!= null
|
||||
&& builtins.fromJSON (builtins.head portMatch) < 1024;
|
||||
in {
|
||||
###### interface
|
||||
options = {
|
||||
|
|
@ -39,7 +46,7 @@ in {
|
|||
package = mkOption {
|
||||
type = package;
|
||||
default = self.packages.${pkgs.stdenv.system}.eris;
|
||||
defaultText = literalExpression "pkgs.eris";
|
||||
defaultText = literalExpression "self.packages.\${pkgs.stdenv.system}.eris";
|
||||
description = "The Eris package to use.";
|
||||
};
|
||||
|
||||
|
|
@ -154,7 +161,7 @@ in {
|
|||
dataDir = mkOption {
|
||||
# This derives from stateDir by default to keep persistent data together
|
||||
type = path;
|
||||
default = "${cfg.stateDir}/data";
|
||||
default = "/var/lib/eris/data";
|
||||
description = "Directory containing `corpora` and `scripts` subdirectories.";
|
||||
};
|
||||
|
||||
|
|
@ -180,7 +187,7 @@ in {
|
|||
An attribute set where keys are Lua script filenames (e.g., "`my_script.lua`")
|
||||
and values are paths to the script files. These will be placed in {path}`''${cfg.dataDir}/scripts`.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
example = literalExpression ''
|
||||
{
|
||||
"custom_tokens.lua" = ./custom_tokens.lua;
|
||||
}
|
||||
|
|
@ -225,7 +232,7 @@ in {
|
|||
type ipv4_addr; flags interval; comment "Managed by Eris NixOS module";
|
||||
}
|
||||
|
||||
chain input {
|
||||
chain INPUT {
|
||||
${lib.optionalString cfg.nftablesDropRule ''
|
||||
ip saddr @eris_blacklist counter drop comment "Drop traffic from Eris blacklist";
|
||||
''}
|
||||
|
|
@ -281,20 +288,20 @@ in {
|
|||
|
||||
# Explicitly allow writes to state/cache/data dirs
|
||||
ReadWritePaths = [
|
||||
cfg.stateDir
|
||||
cfg.cacheDir
|
||||
cfg.dataDir
|
||||
"${cfg.stateDir}"
|
||||
"${cfg.cacheDir}"
|
||||
"${cfg.dataDir}"
|
||||
];
|
||||
|
||||
# Allow reads from config file path
|
||||
ReadOnlyPaths = [erisConfigFile];
|
||||
ReadOnlyPaths = ["${erisConfigFile}"];
|
||||
|
||||
# Explicitly deny access to sensitive paths
|
||||
InaccessiblePaths = [
|
||||
"/boot"
|
||||
"/root"
|
||||
"/home"
|
||||
"/srv" # Add others as needed
|
||||
"/srv"
|
||||
];
|
||||
|
||||
PrivateTmp = true; # Use private /tmp and /var/tmp
|
||||
|
|
@ -307,17 +314,14 @@ in {
|
|||
ProtectControlGroups = true; # Make Control Group hierarchies read-only
|
||||
|
||||
# Network access control
|
||||
RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; # Allow only standard IP protocols
|
||||
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; # Allow binding to ports < 1024 if needed
|
||||
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
|
||||
|
||||
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
|
||||
AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
|
||||
|
||||
# System call filtering (adjust based on Eris's needs)
|
||||
# Start with a reasonable baseline for network services
|
||||
SystemCallFilter = ["@system-service" "@network-io" "@file-system"];
|
||||
|
||||
# TODO: Consider adding more specific filters or removing groups if issues arise
|
||||
# e.g., SystemCallArchitectures=native. This probably will not be enough
|
||||
|
||||
# Other hardening
|
||||
RestrictNamespaces = true; # Prevent creation of new namespaces
|
||||
LockPersonality = true; # Lock down legacy personality settings
|
||||
|
|
@ -327,8 +331,8 @@ in {
|
|||
RestrictSUIDSGID = true; # Ignore SUID/SGID bits on execution
|
||||
|
||||
# Directories managed by systemd
|
||||
StateDirectory = baseNameOf cfg.stateDir; # e.g., "eris"
|
||||
CacheDirectory = baseNameOf cfg.cacheDir; # e.g., "eris"
|
||||
StateDirectory = "eris";
|
||||
CacheDirectory = "eris";
|
||||
StateDirectoryMode = "0750";
|
||||
CacheDirectoryMode = "0750";
|
||||
|
||||
|
|
@ -341,6 +345,7 @@ in {
|
|||
preStart = let
|
||||
corporaDir = "${cfg.dataDir}/corpora";
|
||||
scriptsDir = "${cfg.dataDir}/scripts";
|
||||
confDir = "${cfg.stateDir}/conf";
|
||||
chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
|
||||
|
||||
# Create commands to copy corpora files
|
||||
|
|
@ -359,19 +364,12 @@ in {
|
|||
'')
|
||||
cfg.luaScripts;
|
||||
in ''
|
||||
# Systemd creates StateDirectory and CacheDirectory, but we need subdirs
|
||||
mkdir -p ${cfg.stateDir}/conf ${cfg.dataDir} ${corporaDir} ${scriptsDir}
|
||||
# Create subdirectories only - base directories are created by systemd
|
||||
mkdir -p ${confDir} ${corporaDir} ${scriptsDir}
|
||||
|
||||
# Ensure ownership is correct for all relevant dirs managed by systemd or created here
|
||||
${chownCmd} /var/lib/${baseNameOf cfg.stateDir} \
|
||||
/var/cache/${baseNameOf cfg.cacheDir} \
|
||||
${cfg.stateDir}/conf \
|
||||
${cfg.dataDir} \
|
||||
${corporaDir} \
|
||||
${scriptsDir}
|
||||
# Copy declarative files
|
||||
${toString copyCorporaCmds}
|
||||
${toString copyLuaScriptCmds}
|
||||
${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
|
||||
${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}
|
||||
'';
|
||||
};
|
||||
};
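Review bot: `CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]` and the new `AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]` in the `@ -307,17 +314,14` hunk grant the capability unconditionally, while the `needsPrivilegedPort` helper added in the `@ -30,6 +30,13` hunk is not referenced in any hunk shown here (disregard if it is used outside the diff). A service listening on a port of 1024 or higher then runs with an ambient capability it never needs; gating both settings on the helper keeps the least-privilege intent the helper encodes, e.g. `CapabilityBoundingSet = if needsPrivilegedPort then ["CAP_NET_BIND_SERVICE"] else "";` and `AmbientCapabilities = lib.optionals needsPrivilegedPort ["CAP_NET_BIND_SERVICE"];`. The empty string rather than an empty list is what drops all capabilities, since as far as I recall an empty list emits no directive and leaves systemd's default full bounding set. The same hunk shrinks by three lines and the `SystemCallFilter = ["@system-service" "@network-io" "@file-system"];` line with its comments appears to sit on the removed side; if syscall filtering was dropped deliberately, a one-line comment under `# Network access control` or in the commit message should say why, since the old TODO already flagged it as likely insufficient rather than unnecessary. The enclosing `serviceConfig` attribute set starts and ends outside this hunk.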
|
||||
|