NotAShelf/Eris
1
1
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity

Compare commits

base: NotAShelf:d89fe8ddd501da03b3f43406fa0be933259e6d35
Branches Tags
NotAShelf:main
NotAShelf:multi-site-proxy
..
compare: NotAShelf:18be5ba0417e922412be4f4fbf130514cbef10f1
Branches Tags
NotAShelf:multi-site-proxy
NotAShelf:main

3 commits
d89fe8ddd5 ... 18be5ba041

Author SHA1 Message Date
NotAShelf
18be5ba041
 		docs: add project readme 2025-05-01 18:00:19 +03:00
NotAShelf
b2cee02dd4
 		meta: add contrib 2025-05-01 18:00:18 +03:00
NotAShelf
bc21bfc506
 		nix: get nftables from correct parent attr 
nix: what do you mean `baseNameOf` is not in lib

nix: `pkgs.system` -> `pkgs.hostPlatform.system`

nix: include contrib in pacakge source

nix: fix types
 2025-05-01 17:56:08 +03:00
1 changed files with 26 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

63
nix/module.nix
View file

@ -30,13 +30,6 @@ self: {
config_dir = "${cfg.stateDir}/conf";
cache_dir = cfg.cacheDir;
});
# Check if we need privileged port capability
portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
needsPrivilegedPort =
portMatch
!= null
&& builtins.fromJSON (builtins.head portMatch) < 1024;
in {
###### interface
options = {
@ -60,6 +53,7 @@ in {
metricsPort = mkOption {
type = port;
default = 9100;
example = 9110;
description = "The port for the Prometheus metrics endpoint.";
};
@ -73,13 +67,13 @@ in {
minDelay = mkOption {
type = int;
default = 1000;
description = "Minimum delay (in milliseconds) between sending characters in tarpit mode.";
description = "Minimum delay (in ms) between sending characters in tarpit mode.";
};
maxDelay = mkOption {
type = int;
default = 15000;
description = "Maximum delay (in milliseconds) between sending characters in tarpit mode.";
description = "Maximum delay (in ms) between sending characters in tarpit mode.";
};
maxTarpitTime = mkOption {
@ -266,7 +260,7 @@ in {
# Process management
ExecStart = ''
${cfg.package}/bin/eris \
${lib.getExe cfg.package} \
--config-file ${erisConfigFile} \
--log-level ${cfg.logLevel}
'';
@ -282,27 +276,29 @@ in {
# Deny privilege escalation
NoNewPrivileges = true;
# FIXME: this breaks everything.
# Filesystem access control
ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
ProtectHome = true; # Make /home, /root inaccessible
# Explicitly allow writes to state/cache/data dirs
ReadWritePaths = [
"${cfg.stateDir}"
"${cfg.cacheDir}"
"${cfg.dataDir}"
];
# Allow reads from config file path
ReadOnlyPaths = ["${erisConfigFile}"];
# Explicitly deny access to sensitive paths
InaccessiblePaths = [
"/boot"
"/root"
"/home"
"/srv"
];
# ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
# ProtectHome = true; # Make /home, /root inaccessible
#
# # Explicitly allow writes to state/cache/data dirs
# ReadWritePaths = [
# "/var/lib/eris"
# "${cfg.stateDir}"
# "${cfg.cacheDir}"
# "${cfg.dataDir}"
# ];
#
# # Allow reads from config file path
# ReadOnlyPaths = ["${erisConfigFile}"];
#
# # Explicitly deny access to sensitive paths
# InaccessiblePaths = [
# "/boot"
# "/root"
# "/home"
# "/srv"
# ];
PrivateTmp = true; # Use private /tmp and /var/tmp
PrivateDevices = true; # Restrict device access (/dev)
@ -345,14 +341,11 @@ in {
preStart = let
corporaDir = "${cfg.dataDir}/corpora";
scriptsDir = "${cfg.dataDir}/scripts";
confDir = "${cfg.stateDir}/conf";
chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
# Create commands to copy corpora files
copyCorporaCmds =
lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${corporaDir}/${name}
${chownCmd} ${corporaDir}/${name}
'')
cfg.corpora;
@ -360,13 +353,9 @@ in {
copyLuaScriptCmds =
lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${scriptsDir}/${name}
${chownCmd} ${scriptsDir}/${name}
'')
cfg.luaScripts;
in ''
# Create subdirectories only - base directories are created by systemd
mkdir -p ${confDir} ${corporaDir} ${scriptsDir}
# Copy declarative files
${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}