
@ -30,6 +30,13 @@ self: {
config_dir = "${cfg.stateDir}/conf";
cache_dir = cfg.cacheDir;
});
# Check if we need privileged port capability
portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
needsPrivilegedPort =
portMatch
!= null
&& builtins.fromJSON (builtins.head portMatch) < 1024;
in {
###### interface
options = {
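Review bot: The port regex behind needsPrivilegedPort (`builtins.match ".*:([0-9]+)"`) takes the digits after the last colon as the port, so a bare IPv6 listenAddress with no port, such as `::1`, matches with port 1 and is flagged as privileged; where that flag is consumed is outside this hunk, but if it gates a capability grant this is an over-grant for an address that needs none. Requiring a bracketed host or a colon-free host, e.g. `portMatch = builtins.match "(\\[.*\\]|[^:]*):([0-9]+)" cfg.listenAddress;` with `builtins.elemAt portMatch 1` as the port, avoids the misparse; taking the port from a dedicated option would be more robust still. `lib.toInt` is the conventional conversion in nixpkgs modules rather than `builtins.fromJSON`, and a one-line comment stating the assumed `host:port` / `[v6]:port` formats would help the next reader.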
@ -53,7 +60,6 @@ in {
metricsPort = mkOption {
type = port;
default = 9100;
example = 9110;
description = "The port for the Prometheus metrics endpoint.";
};
@ -67,13 +73,13 @@ in {
minDelay = mkOption {
type = int;
default = 1000;
description = "Minimum delay (in ms) between sending characters in tarpit mode.";
description = "Minimum delay (in milliseconds) between sending characters in tarpit mode.";
};
maxDelay = mkOption {
type = int;
default = 15000;
description = "Maximum delay (in ms) between sending characters in tarpit mode.";
description = "Maximum delay (in milliseconds) between sending characters in tarpit mode.";
};
maxTarpitTime = mkOption {
@ -260,7 +266,7 @@ in {
# Process management
ExecStart = ''
${lib.getExe cfg.package} \
${cfg.package}/bin/eris \
--config-file ${erisConfigFile} \
--log-level ${cfg.logLevel}
'';
@ -276,29 +282,27 @@ in {
# Deny privilege escalation
NoNewPrivileges = true;
# FIXME: this breaks everything.
# Filesystem access control
# ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
# ProtectHome = true; # Make /home, /root inaccessible
#
# # Explicitly allow writes to state/cache/data dirs
# ReadWritePaths = [
# "/var/lib/eris"
# "${cfg.stateDir}"
# "${cfg.cacheDir}"
# "${cfg.dataDir}"
# ];
#
# # Allow reads from config file path
# ReadOnlyPaths = ["${erisConfigFile}"];
#
# # Explicitly deny access to sensitive paths
# InaccessiblePaths = [
# "/boot"
# "/root"
# "/home"
# "/srv"
# ];
ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
ProtectHome = true; # Make /home, /root inaccessible
# Explicitly allow writes to state/cache/data dirs
ReadWritePaths = [
"${cfg.stateDir}"
"${cfg.cacheDir}"
"${cfg.dataDir}"
];
# Allow reads from config file path
ReadOnlyPaths = ["${erisConfigFile}"];
# Explicitly deny access to sensitive paths
InaccessiblePaths = [
"/boot"
"/root"
"/home"
"/srv"
];
PrivateTmp = true; # Use private /tmp and /var/tmp
PrivateDevices = true; # Restrict device access (/dev)
@ -341,11 +345,14 @@ in {
preStart = let
corporaDir = "${cfg.dataDir}/corpora";
scriptsDir = "${cfg.dataDir}/scripts";
confDir = "${cfg.stateDir}/conf";
chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
# Create commands to copy corpora files
copyCorporaCmds =
lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${corporaDir}/${name}
${chownCmd} ${corporaDir}/${name}
'')
cfg.corpora;
@ -353,9 +360,13 @@ in {
copyLuaScriptCmds =
lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${scriptsDir}/${name}
${chownCmd} ${scriptsDir}/${name}
'')
cfg.luaScripts;
in ''
# Create subdirectories only - base directories are created by systemd
mkdir -p ${confDir} ${corporaDir} ${scriptsDir}
# Copy declarative files
${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}