NotAShelf/Eris
1
1
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity

Compare commits

base: NotAShelf:18be5ba0417e922412be4f4fbf130514cbef10f1
Branches Tags
NotAShelf:main
NotAShelf:multi-site-proxy
..
compare: NotAShelf:d89fe8ddd501da03b3f43406fa0be933259e6d35
Branches Tags
NotAShelf:multi-site-proxy
NotAShelf:main

7 commits
18be5ba041 ... d89fe8ddd5

Author SHA1 Message Date
NotAShelf
d89fe8ddd5
 		nix: fix types 2025-05-01 07:01:32 +03:00
NotAShelf
bd10705a29
 		docs: add project readme 2025-05-01 06:31:30 +03:00
NotAShelf
f1b4764270
 		meta: add contrib 2025-05-01 06:29:39 +03:00
NotAShelf
73f6f76135
 		nix: include contrib in pacakge source 2025-05-01 06:23:38 +03:00
NotAShelf
fb6a800e60
 		nix: pkgs.system -> pkgs.hostPlatform.system 2025-05-01 06:21:22 +03:00
NotAShelf
d0edbdf5bb
 		nix: what do you mean baseNameOf is not in lib 2025-05-01 06:17:03 +03:00
NotAShelf
b53d7a1401
 		nix: get nftables from correct parent attr 2025-05-01 06:08:45 +03:00
1 changed files with 37 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

63
nix/module.nix
View file

@ -30,6 +30,13 @@ self: {
config_dir = "${cfg.stateDir}/conf"; config_dir = "${cfg.stateDir}/conf";
cache_dir = cfg.cacheDir; cache_dir = cfg.cacheDir;
}); });
# Check if we need privileged port capability
portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
needsPrivilegedPort =
portMatch
!= null
&& builtins.fromJSON (builtins.head portMatch) < 1024;
in { in {
###### interface ###### interface
options = { options = {
@ -53,7 +60,6 @@ in {
metricsPort = mkOption { metricsPort = mkOption {
type = port; type = port;
default = 9100; default = 9100;
example = 9110;
description = "The port for the Prometheus metrics endpoint."; description = "The port for the Prometheus metrics endpoint.";
}; };
@ -67,13 +73,13 @@ in {
minDelay = mkOption { minDelay = mkOption {
type = int; type = int;
default = 1000; default = 1000;
description = "Minimum delay (in ms) between sending characters in tarpit mode."; description = "Minimum delay (in milliseconds) between sending characters in tarpit mode.";
}; };
maxDelay = mkOption { maxDelay = mkOption {
type = int; type = int;
default = 15000; default = 15000;
description = "Maximum delay (in ms) between sending characters in tarpit mode."; description = "Maximum delay (in milliseconds) between sending characters in tarpit mode.";
}; };
maxTarpitTime = mkOption { maxTarpitTime = mkOption {
@ -260,7 +266,7 @@ in {
# Process management # Process management
ExecStart = '' ExecStart = ''
${lib.getExe cfg.package} \ ${cfg.package}/bin/eris \
--config-file ${erisConfigFile} \ --config-file ${erisConfigFile} \
--log-level ${cfg.logLevel} --log-level ${cfg.logLevel}
''; '';
@ -276,29 +282,27 @@ in {
# Deny privilege escalation # Deny privilege escalation
NoNewPrivileges = true; NoNewPrivileges = true;
# FIXME: this breaks everything.
# Filesystem access control # Filesystem access control
# ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
# ProtectHome = true; # Make /home, /root inaccessible ProtectHome = true; # Make /home, /root inaccessible
#
# # Explicitly allow writes to state/cache/data dirs # Explicitly allow writes to state/cache/data dirs
# ReadWritePaths = [ ReadWritePaths = [
# "/var/lib/eris" "${cfg.stateDir}"
# "${cfg.stateDir}" "${cfg.cacheDir}"
# "${cfg.cacheDir}" "${cfg.dataDir}"
# "${cfg.dataDir}" ];
# ];
# # Allow reads from config file path
# # Allow reads from config file path ReadOnlyPaths = ["${erisConfigFile}"];
# ReadOnlyPaths = ["${erisConfigFile}"];
# # Explicitly deny access to sensitive paths
# # Explicitly deny access to sensitive paths InaccessiblePaths = [
# InaccessiblePaths = [ "/boot"
# "/boot" "/root"
# "/root" "/home"
# "/home" "/srv"
# "/srv" ];
# ];
PrivateTmp = true; # Use private /tmp and /var/tmp PrivateTmp = true; # Use private /tmp and /var/tmp
PrivateDevices = true; # Restrict device access (/dev) PrivateDevices = true; # Restrict device access (/dev)
@ -341,11 +345,14 @@ in {
preStart = let preStart = let
corporaDir = "${cfg.dataDir}/corpora"; corporaDir = "${cfg.dataDir}/corpora";
scriptsDir = "${cfg.dataDir}/scripts"; scriptsDir = "${cfg.dataDir}/scripts";
confDir = "${cfg.stateDir}/conf";
chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
# Create commands to copy corpora files # Create commands to copy corpora files
copyCorporaCmds = copyCorporaCmds =
lib.mapAttrsToList (name: path: '' lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${corporaDir}/${name} cp -vf ${path} ${corporaDir}/${name}
${chownCmd} ${corporaDir}/${name}
'') '')
cfg.corpora; cfg.corpora;
@ -353,9 +360,13 @@ in {
copyLuaScriptCmds = copyLuaScriptCmds =
lib.mapAttrsToList (name: path: '' lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${scriptsDir}/${name} cp -vf ${path} ${scriptsDir}/${name}
${chownCmd} ${scriptsDir}/${name}
'') '')
cfg.luaScripts; cfg.luaScripts;
in '' in ''
# Create subdirectories only - base directories are created by systemd
mkdir -p ${confDir} ${corporaDir} ${scriptsDir}
# Copy declarative files # Copy declarative files
${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)} ${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)} ${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}