diff --git a/nix/module.nix b/nix/module.nix
index 49e2c2d..1aeb67d 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -30,13 +30,6 @@ self: {
 config_dir = "${cfg.stateDir}/conf";
 cache_dir = cfg.cacheDir;
 });
-
- # Check if we need privileged port capability
- portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
- needsPrivilegedPort =
- portMatch
- != null
- && builtins.fromJSON (builtins.head portMatch) < 1024;
 in {
 ###### interface
 options = {
@@ -60,6 +53,7 @@ in {
 metricsPort = mkOption {
 type = port;
 default = 9100;
+ example = 9110;
 description = "The port for the Prometheus metrics endpoint.";
 };
@@ -73,13 +67,13 @@ in {
 minDelay = mkOption {
 type = int;
 default = 1000;
- description = "Minimum delay (in milliseconds) between sending characters in tarpit mode.";
+ description = "Minimum delay (in ms) between sending characters in tarpit mode.";
 };
 maxDelay = mkOption {
 type = int;
 default = 15000;
- description = "Maximum delay (in milliseconds) between sending characters in tarpit mode.";
+ description = "Maximum delay (in ms) between sending characters in tarpit mode.";
 };
 maxTarpitTime = mkOption {
@@ -266,7 +260,7 @@ in {
 # Process management
 ExecStart = ''
- ${cfg.package}/bin/eris \
+ ${lib.getExe cfg.package} \
 --config-file ${erisConfigFile} \
 --log-level ${cfg.logLevel}
 '';
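Review bot: Dropping `portMatch` and `needsPrivilegedPort` removes the only visible logic that detects a `listenAddress` port below 1024, but the hunk does not show what consumed that value (presumably an `AmbientCapabilities`/`CapabilityBoundingSet` entry granting `CAP_NET_BIND_SERVICE` further down the module). If that consumer still references `needsPrivilegedPort`, module evaluation now fails; if it was removed as well, a non-root `cfg.user` can no longer bind a privileged port and the service fails at start-up. Either keep the helper and gate the capability on it, or state in the `listenAddress` option description that ports below 1024 require the capability to be granted explicitly. The `let` block these bindings belong to starts outside the hunk.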
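Review bot: `${lib.getExe cfg.package}` resolves the binary through `meta.mainProgram`; if the eris package does not set it, nixpkgs falls back to the derivation name with an evaluation warning, and the resulting path may not match the previous `${cfg.package}/bin/eris`. Worth confirming the package declares `meta.mainProgram = "eris"`, or pinning the name with `lib.getExe' cfg.package "eris"` so the unit cannot silently pick up a different executable.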
@@ -282,27 +276,29 @@ in {
 # Deny privilege escalation
 NoNewPrivileges = true;
+ # FIXME: this breaks everything.
 # Filesystem access control
- ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
- ProtectHome = true; # Make /home, /root inaccessible
-
- # Explicitly allow writes to state/cache/data dirs
- ReadWritePaths = [
- "${cfg.stateDir}"
- "${cfg.cacheDir}"
- "${cfg.dataDir}"
- ];
-
- # Allow reads from config file path
- ReadOnlyPaths = ["${erisConfigFile}"];
-
- # Explicitly deny access to sensitive paths
- InaccessiblePaths = [
- "/boot"
- "/root"
- "/home"
- "/srv"
- ];
+ # ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
+ # ProtectHome = true; # Make /home, /root inaccessible
+ #
+ # # Explicitly allow writes to state/cache/data dirs
+ # ReadWritePaths = [
+ # "/var/lib/eris"
+ # "${cfg.stateDir}"
+ # "${cfg.cacheDir}"
+ # "${cfg.dataDir}"
+ # ];
+ #
+ # # Allow reads from config file path
+ # ReadOnlyPaths = ["${erisConfigFile}"];
+ #
+ # # Explicitly deny access to sensitive paths
+ # InaccessiblePaths = [
+ # "/boot"
+ # "/root"
+ # "/home"
+ # "/srv"
+ # ];
 PrivateTmp = true; # Use private /tmp and /var/tmp
 PrivateDevices = true; # Restrict device access (/dev)
@@ -345,14 +341,11 @@ in {
 preStart = let
 corporaDir = "${cfg.dataDir}/corpora";
 scriptsDir = "${cfg.dataDir}/scripts";
- confDir = "${cfg.stateDir}/conf";
- chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
 # Create commands to copy corpora files
 copyCorporaCmds = lib.mapAttrsToList (name: path: ''
 cp -vf ${path} ${corporaDir}/${name}
- ${chownCmd} ${corporaDir}/${name}
 '') cfg.corpora;
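Review bot: Commenting out `ProtectSystem`, `ProtectHome`, `ReadWritePaths`, `ReadOnlyPaths` and `InaccessiblePaths` wholesale leaves the unit with no filesystem confinement at all, and `# FIXME: this breaks everything.` records neither which directive failed nor why, so the block is unlikely to be re-enabled safely. The extra `"/var/lib/eris"` entry in the commented-out `ReadWritePaths` hints that the real cause was a write target outside the declared state/cache/data directories, or an entry that does not exist when the mount namespace is built (systemd fails the unit for a missing `ReadWritePaths` entry unless it is prefixed with `-`); bisect by re-enabling `ProtectSystem = "strict"` and `ProtectHome = true` first and then adding one path at a time, or have systemd create and whitelist the directories via `StateDirectory`/`CacheDirectory`. Until the cause is known, keep at least `ProtectSystem = "strict"` and `ProtectHome = true` active instead of disabling the whole block. The `ReadOnlyPaths = ["${erisConfigFile}"]` line is redundant for a store path, since `/nix/store` is already mounted read-only.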
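Review bot: Removing the `mkdir -p ${confDir} ${corporaDir} ${scriptsDir}` step (in the following hunk at `@@ -360`) while `copyCorporaCmds` here and `copyLuaScriptCmds` there still `cp -vf` into `${corporaDir}/${name}` and `${scriptsDir}/${name}` makes preStart depend on those subdirectories already existing; the removed comment says only the base directories are created by systemd, so unless something not visible here creates `corpora` and `scripts`, the first copy fails and the unit never starts. Dropping `chownCmd` is only safe if preStart runs as `cfg.user`; if it runs as root (a `+`-prefixed `ExecStartPre` or `PermissionsStartOnly`), the copied files end up root-owned and may be unreadable by the service. Consider keeping `mkdir -p ${corporaDir} ${scriptsDir}` ahead of the copies, or declaring the subdirectories through systemd's `StateDirectory` or tmpfiles so the guarantee is explicit. The `preStart` let-block continues past the end of this hunk.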
@@ -360,13 +353,9 @@ in { copyLuaScriptCmds = lib.mapAttrsToList (name: path: '' cp -vf ${path} ${scriptsDir}/${name} - ${chownCmd} ${scriptsDir}/${name} '') cfg.luaScripts; in '' - # Create subdirectories only - base directories are created by systemd - mkdir -p ${confDir} ${corporaDir} ${scriptsDir} - # Copy declarative files ${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)} ${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}