diff --git a/nix/module.nix b/nix/module.nix
index 1aeb67d..49e2c2d 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -30,6 +30,13 @@ self: { config_dir = "${cfg.stateDir}/conf"; cache_dir = cfg.cacheDir; }); + + # Check if we need privileged port capability + portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress; + needsPrivilegedPort = + portMatch + != null + && builtins.fromJSON (builtins.head portMatch) < 1024; in { ###### interface options = {
@@ -53,7 +60,6 @@ in { metricsPort = mkOption { type = port; default = 9100; - example = 9110; description = "The port for the Prometheus metrics endpoint."; };
@@ -67,13 +73,13 @@ in { minDelay = mkOption { type = int; default = 1000; - description = "Minimum delay (in ms) between sending characters in tarpit mode."; + description = "Minimum delay (in milliseconds) between sending characters in tarpit mode."; }; maxDelay = mkOption { type = int; default = 15000; - description = "Maximum delay (in ms) between sending characters in tarpit mode."; + description = "Maximum delay (in milliseconds) between sending characters in tarpit mode."; }; maxTarpitTime = mkOption {
@@ -260,7 +266,7 @@ in { # Process management ExecStart = '' - ${lib.getExe cfg.package} \ + ${cfg.package}/bin/eris \ --config-file ${erisConfigFile} \ --log-level ${cfg.logLevel} ''; 
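Review bot: `needsPrivilegedPort` evaluates to `false` whenever the regex does not match, so a `listenAddress` written without an explicit `:port` is classified as unprivileged and whatever the flag gates (presumably a bind capability; its use is outside this hunk) is not granted, turning a configuration mistake into a bind failure at service start instead of an evaluation-time error. An `assertions` entry such as `{ assertion = portMatch != null; message = "listenAddress must include an explicit :port"; }`, or documenting the required `host:port` form on the `listenAddress` option, makes the contract visible to the user. `builtins.fromJSON` is also an unusual choice for parsing an integer; `lib.toInt (builtins.head portMatch)` states the intent and gives a clearer error on a non-numeric capture. The enclosing `let` block starts before this hunk.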
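Review bot: Replacing `lib.getExe cfg.package` with `${cfg.package}/bin/eris` in `ExecStart` hard-codes the binary name, so a `package` override whose main program is named differently or installed outside `bin/` produces a unit that only fails at start-up. If the change was made because `meta.mainProgram` is unset on the package, the more robust fix is `meta.mainProgram = "eris";` in the derivation while keeping `lib.getExe cfg.package`. The surrounding `serviceConfig` block starts and ends outside this hunk.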
@@ -276,29 +282,27 @@ in { # Deny privilege escalation NoNewPrivileges = true; - # FIXME: this breaks everything. # Filesystem access control - # ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only - # ProtectHome = true; # Make /home, /root inaccessible - # - # # Explicitly allow writes to state/cache/data dirs - # ReadWritePaths = [ - # "/var/lib/eris" - # "${cfg.stateDir}" - # "${cfg.cacheDir}" - # "${cfg.dataDir}" - # ]; - # - # # Allow reads from config file path - # ReadOnlyPaths = ["${erisConfigFile}"]; - # - # # Explicitly deny access to sensitive paths - # InaccessiblePaths = [ - # "/boot" - # "/root" - # "/home" - # "/srv" - # ]; + ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only + ProtectHome = true; # Make /home, /root inaccessible + + # Explicitly allow writes to state/cache/data dirs + ReadWritePaths = [ + "${cfg.stateDir}" + "${cfg.cacheDir}" + "${cfg.dataDir}" + ]; + + # Allow reads from config file path + ReadOnlyPaths = ["${erisConfigFile}"]; + + # Explicitly deny access to sensitive paths + InaccessiblePaths = [ + "/boot" + "/root" + "/home" + "/srv" + ]; PrivateTmp = true; # Use private /tmp and /var/tmp PrivateDevices = true; # Restrict device access (/dev)
@@ -341,11 +345,14 @@ in { preStart = let corporaDir = "${cfg.dataDir}/corpora"; scriptsDir = "${cfg.dataDir}/scripts"; + confDir = "${cfg.stateDir}/conf"; + chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}"; # Create commands to copy corpora files copyCorporaCmds = lib.mapAttrsToList (name: path: '' cp -vf ${path} ${corporaDir}/${name} + ${chownCmd} ${corporaDir}/${name} '') cfg.corpora; 
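Review bot: The new `InaccessiblePaths` lists `/boot` and `/srv` without the `-` prefix, so on a host where either is absent (containers and some VM images have no `/boot`) systemd's mount-namespace setup fails and the unit never starts; writing them as `"-/boot"` and `"-/srv"` tells systemd to ignore missing paths. `/root` and `/home` in the same list are already covered by `ProtectHome = true` on the line above, and `ReadOnlyPaths = ["${erisConfigFile}"]` is redundant under `ProtectSystem = "strict"` if the generated config is a store path, as its interpolation into `ExecStart` suggests, since the store is read-only in that mode — keep them only as explicit defence in depth and say so in the comment. Because `${cfg.dataDir}` remains in `ReadWritePaths`, the corpora and Lua scripts the pre-start hook copies into it stay writable by the service at runtime; if eris executes those scripts, consider whether the daemon should read them from a read-only location instead.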
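Review bot: The `${chownCmd} ${corporaDir}/${name}` added after the `cp` runs inside `preStart`, which NixOS emits as an `ExecStartPre` without the `+` prefix, so if the unit sets `User = cfg.user` (not visible here) the chown executes as that user and can only succeed on files it already owns — which the preceding `cp -vf` by the same user guarantees — making it a no-op, while it cannot repair ownership of files created earlier by root. If fixing pre-existing ownership is the intent, it needs a root-privileged `ExecStartPre` (a `+`-prefixed command) or a `systemd.tmpfiles.rules` entry; otherwise the chown here and the matching one on the Lua script copies in the next hunk can be dropped. `${corporaDir}/${name}` is also unquoted in the shell, so an attribute name containing a space or glob character breaks the command; `lib.escapeShellArg "${corporaDir}/${name}"` on both the `cp` and the `chown` makes it robust. The `preStart` `let` block continues past the end of this hunk.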
@@ -353,9 +360,13 @@ in { copyLuaScriptCmds = lib.mapAttrsToList (name: path: '' cp -vf ${path} ${scriptsDir}/${name} + ${chownCmd} ${scriptsDir}/${name} '') cfg.luaScripts; in '' + # Create subdirectories only - base directories are created by systemd + mkdir -p ${confDir} ${corporaDir} ${scriptsDir} + # Copy declarative files ${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)} ${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}