From 904e1bd265e142d10fa8ca4812a11a8388c5bf7c Mon Sep 17 00:00:00 2001
From: Jordan Doyle
Date: Sun, 25 Jun 2023 12:13:26 +0100
Subject: [PATCH] Add flake.nix
---
 .gitignore | 1 +
 flake.lock | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 194 insertions(+)
 create mode 100644 flake.lock
 create mode 100644 flake.nix
diff --git a/.gitignore b/.gitignore
index 9a5bb84..3f08895 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /target
 audit.jsonl
+result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..ba66cc2
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,95 @@ +{ + "nodes": { + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1686572087, + "narHash": "sha256-jXTut7ZSYqLEgm/nTk7TuVL2ExahTip605bLINklAnQ=", + "owner": "nix-community", + "repo": "naersk", + "rev": "8507af04eb40c5520bd35d9ce6f9d2342cea5ad1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1687518131, + "narHash": "sha256-KirltRIc4SFfk8bTNudIqgKAALH5oqpW3PefmkfWK5M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3d8a93602bc54ece7a4e689d9aea1a574e2bbc24", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1687518131, + "narHash": "sha256-KirltRIc4SFfk8bTNudIqgKAALH5oqpW3PefmkfWK5M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3d8a93602bc54ece7a4e689d9aea1a574e2bbc24", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs_2", + "utils": "utils" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1687171271, + "narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} 
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..84bc4e7
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,98 @@
+{
+ inputs = {
+ naersk.url = "github:nix-community/naersk/master";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, utils, naersk }:
+ utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ naersk-lib = pkgs.callPackage naersk { };
+ in
+ {
+ formatter = nixpkgs.legacyPackages."${system}".nixpkgs-fmt;
+
+ defaultPackage = naersk-lib.buildPackage {
+ src = ./.;
+ nativeBuildInputs = with pkgs; [ pkg-config ];
+ buildInputs = with pkgs; [ libsodium ];
+ };
+ devShell = with pkgs; mkShell {
+ buildInputs = [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
+ RUST_SRC_PATH = rustPlatform.rustLibSrc;
+ };
+
+ nixosModules.default = { config, lib, pkgs, ... }:
+ with lib;
+ let
+ cfg = config.services.pisshoff;
+ in
+ {
+ options.services.pisshoff = {
+ enable = mkEnableOption "pisshoff";
+ settings = mkOption {
+ type = (pkgs.formats.toml { }).type;
+ default = { };
+ description = "Specify the configuration for pisshoff in Nix";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.sockets.pisshoff = {
+ wantedBy = [ "sockets.target" ];
+
+ socketConfig = {
+ ListenStream = 22;
+ BindIPv6Only = "both";
+ Accept = "no";
+ };
+ };
+
+ systemd.services.pisshoff = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ serviceConfig =
+ let
+ format = pkgs.formats.toml { };
+ conf = format.generate "pisshoff.toml" cfg.settings;
+ in
+ {
+ Type = "exec";
+ ExecStart = "${self.defaultPackage."${system}"}/bin/pisshoff -c \"${conf}\"";
+ Restart = "on-failure";
+
+ LogsDirectory = "pisshoff";
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectSystem = "strict";
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ RemoveIPC = true;
+ MemoryDenyWriteExecute = true;
+ DynamicUser = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
+ };
+ };
+ };
+ };
+ });
+}
-- libgit2 1.7.2
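Review bot: `nixosModules.default` is declared inside the `utils.lib.eachDefaultSystem` wrapper, so it is most likely exported as `nixosModules.<system>.default` rather than the conventional `nixosModules.default` that consumers (and `nix flake check`) expect, and `defaultPackage`/`devShell` are the legacy output names (`packages.<system>.default`, `devShells.<system>.default`); consider lifting the module out of the per-system block and resolving the binary via `self.packages.${pkgs.stdenv.hostPlatform.system}.default` from the module's own `pkgs`. The `naersk` input carries its own `nixpkgs` (the lock file records two separate nixpkgs nodes); adding `naersk.inputs.nixpkgs.follows = "nixpkgs";` keeps a single pinned nixpkgs in the closure, which is easier to audit and bump. The service hardening is thorough for a unit accepting connections on port 22; two cheap additions in the same spirit are `SystemCallArchitectures = "native";` and `UMask = "0077";` so that files the process creates are not world-readable by default. With `ProtectSystem = "strict"` and `DynamicUser = true` the only writable persistent path is `LogsDirectory`; if pisshoff writes anything outside it (for example the `audit.jsonl` named in `.gitignore`) it will need a `StateDirectory`, which is worth confirming against the binary's defaults.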