
3 commits

18be5ba041
docs: add project readme 2025-05-01 18:00:19 +03:00
b2cee02dd4
meta: add contrib 2025-05-01 18:00:18 +03:00
bc21bfc506
nix: get nftables from correct parent attr
nix: what do you mean `baseNameOf` is not in lib

nix: `pkgs.system` -> `pkgs.hostPlatform.system`

nix: include contrib in package source

nix: fix types
2025-05-01 17:56:08 +03:00


@ -30,13 +30,6 @@ self: {
config_dir = "${cfg.stateDir}/conf"; config_dir = "${cfg.stateDir}/conf";
cache_dir = cfg.cacheDir; cache_dir = cfg.cacheDir;
}); });
# Check if we need privileged port capability
portMatch = builtins.match ".*:([0-9]+)" cfg.listenAddress;
needsPrivilegedPort =
portMatch
!= null
&& builtins.fromJSON (builtins.head portMatch) < 1024;
in { in {
###### interface ###### interface
options = { options = {
@ -60,6 +53,7 @@ in {
metricsPort = mkOption { metricsPort = mkOption {
type = port; type = port;
default = 9100; default = 9100;
example = 9110;
description = "The port for the Prometheus metrics endpoint."; description = "The port for the Prometheus metrics endpoint.";
}; };
@ -73,13 +67,13 @@ in {
minDelay = mkOption { minDelay = mkOption {
type = int; type = int;
default = 1000; default = 1000;
description = "Minimum delay (in milliseconds) between sending characters in tarpit mode."; description = "Minimum delay (in ms) between sending characters in tarpit mode.";
}; };
maxDelay = mkOption { maxDelay = mkOption {
type = int; type = int;
default = 15000; default = 15000;
description = "Maximum delay (in milliseconds) between sending characters in tarpit mode."; description = "Maximum delay (in ms) between sending characters in tarpit mode.";
}; };
maxTarpitTime = mkOption { maxTarpitTime = mkOption {
@ -266,7 +260,7 @@ in {
# Process management # Process management
ExecStart = '' ExecStart = ''
${cfg.package}/bin/eris \ ${lib.getExe cfg.package} \
--config-file ${erisConfigFile} \ --config-file ${erisConfigFile} \
--log-level ${cfg.logLevel} --log-level ${cfg.logLevel}
''; '';
@ -282,27 +276,29 @@ in {
# Deny privilege escalation # Deny privilege escalation
NoNewPrivileges = true; NoNewPrivileges = true;
# FIXME: this breaks everything.
# Filesystem access control # Filesystem access control
ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only # ProtectSystem = "strict"; # Mount /usr, /boot, /etc read-only
ProtectHome = true; # Make /home, /root inaccessible # ProtectHome = true; # Make /home, /root inaccessible
#
# Explicitly allow writes to state/cache/data dirs # # Explicitly allow writes to state/cache/data dirs
ReadWritePaths = [ # ReadWritePaths = [
"${cfg.stateDir}" # "/var/lib/eris"
"${cfg.cacheDir}" # "${cfg.stateDir}"
"${cfg.dataDir}" # "${cfg.cacheDir}"
]; # "${cfg.dataDir}"
# ];
# Allow reads from config file path #
ReadOnlyPaths = ["${erisConfigFile}"]; # # Allow reads from config file path
# ReadOnlyPaths = ["${erisConfigFile}"];
# Explicitly deny access to sensitive paths #
InaccessiblePaths = [ # # Explicitly deny access to sensitive paths
"/boot" # InaccessiblePaths = [
"/root" # "/boot"
"/home" # "/root"
"/srv" # "/home"
]; # "/srv"
# ];
PrivateTmp = true; # Use private /tmp and /var/tmp PrivateTmp = true; # Use private /tmp and /var/tmp
PrivateDevices = true; # Restrict device access (/dev) PrivateDevices = true; # Restrict device access (/dev)
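Review bot: Commenting out ProtectSystem = "strict", ProtectHome, ReadWritePaths, ReadOnlyPaths and InaccessiblePaths at lines 69-89 leaves the unit with only NoNewPrivileges, PrivateTmp and PrivateDevices, so a compromised eris process can now read and write anything its service user can reach on the host filesystem, and the `# FIXME: this breaks everything.` comment records neither what failed nor which directive caused it. The hard-coded "/var/lib/eris" that appears in the commented-out ReadWritePaths list next to cfg.stateDir suggests (unconfirmed from this hunk) that the option defaults and the write allowlist disagreed, which under strict mode would make the state or cache directory read-only and break startup; that is a reason to fix the list, not to drop the sandbox. Re-enable `ProtectSystem = "strict"; ProtectHome = true; ReadWritePaths = [cfg.stateDir cfg.cacheDir cfg.dataDir];` and bisect the remaining directives one at a time, since ProtectHome in particular does not depend on those paths at all. If the hardening must stay disabled for now, replace the FIXME with a comment naming the observed failure and the suspected directive, e.g. `# FIXME: ProtectSystem=strict breaks startup, likely a state/cache path missing from ReadWritePaths; re-enable once confirmed.` The enclosing serviceConfig attribute set continues outside this hunk.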
@ -345,14 +341,11 @@ in {
preStart = let preStart = let
corporaDir = "${cfg.dataDir}/corpora"; corporaDir = "${cfg.dataDir}/corpora";
scriptsDir = "${cfg.dataDir}/scripts"; scriptsDir = "${cfg.dataDir}/scripts";
confDir = "${cfg.stateDir}/conf";
chownCmd = "${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group}";
# Create commands to copy corpora files # Create commands to copy corpora files
copyCorporaCmds = copyCorporaCmds =
lib.mapAttrsToList (name: path: '' lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${corporaDir}/${name} cp -vf ${path} ${corporaDir}/${name}
${chownCmd} ${corporaDir}/${name}
'') '')
cfg.corpora; cfg.corpora;
@ -360,13 +353,9 @@ in {
copyLuaScriptCmds = copyLuaScriptCmds =
lib.mapAttrsToList (name: path: '' lib.mapAttrsToList (name: path: ''
cp -vf ${path} ${scriptsDir}/${name} cp -vf ${path} ${scriptsDir}/${name}
${chownCmd} ${scriptsDir}/${name}
'') '')
cfg.luaScripts; cfg.luaScripts;
in '' in ''
# Create subdirectories only - base directories are created by systemd
mkdir -p ${confDir} ${corporaDir} ${scriptsDir}
# Copy declarative files # Copy declarative files
${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)} ${lib.optionalString (cfg.corpora != {}) (toString copyCorporaCmds)}
${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)} ${lib.optionalString (cfg.luaScripts != {}) (toString copyLuaScriptCmds)}