Diffstat (limited to 'nix')
-rw-r--r--nix/service.mod.nix189
1 files changed, 80 insertions, 109 deletions
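--- a/nix/service.mod.nix
+++ b/nix/service.mod.nix
@@ -14,66 +14,45 @@ let
 value = f cfg;
 }) cfg.monitors;
 
-monitor.options = {
-enable = lib.mkOption {
-type = lib.types.bool;
-default = true;
-description = "Whether to enable this monitor.";
-};
-
-monitor = lib.mkOption {
-type = lib.types.str;
-example = "ping";
-description = "Type of this monitor.";
-};
-
-target = lib.mkOption {
-type = lib.types.str;
-example = "6/example.net";
-description = "Target of this monitor.";
-};
-
-settings = lib.mkOption {
-type =
-with lib.types;
-attrsOf (oneOf [
-str
-int
-bool
-]);
-example = {
-timestamp = "none";
-range = "0:100";
+monitor = { name, ... }: {
+options = {
+monitor = lib.mkOption {
+type = lib.types.str;
+example = "ping";
+description = "Type of this monitor.";
 };
-description = "Settings for this monitor.";
-};
 
-logFile = lib.mkOption {
-type = lib.types.str;
-default = "";
-description = ''
-Path to output log file for this monitor.
-Must be writable by this monitor's user.
-Leave empty to log to the service's journald.
-'';
-};
+target = lib.mkOption {
+type = lib.types.str;
+example = "6/example.net";
+description = "Target of this monitor.";
+};
 
-user = lib.mkOption {
-type = lib.types.str;
-default = "";
-description = ''
-User as which to run this monitor.
-Leave empty to use a restricted dynamically-allocated user.
-'';
-};
+settings = lib.mkOption {
+type =
+with lib.types;
+attrsOf (oneOf [
+str
+int
+bool
+]);
+default = { };
+example = {
+timestamp = "none";
+range = "0:100";
+};
+description = "Settings for this monitor.";
+};
 
-group = lib.mkOption {
-type = lib.types.str;
-default = "";
-description = ''
-Group as which to run this monitor.
-Leave empty to use a restricted dynamically-allocated group.
-'';
+logFile = lib.mkOption {
+type = lib.types.str;
+default = "/var/log/tickwatch/${name}.log";
+description = ''
+Path to output log file for this monitor.
+Must be writable by this monitor's user.
+Set to empty to log to the service's journald.
+'';
+};
 };
 };
 
@@ -112,59 +91,51 @@ in
 } ${lib.optionalString (monCfg.logFile != "") ">> ${monCfg.logFile}"}
 '';
 
-serviceConfig =
-{
-Restart = "on-failure";
-RestartSec = 30;
-
-# for ping monitor
-CapabilityBoundingSet = [ "CAP_NET_RAW" ];
-AmbientCapabilities = [ "CAP_NET_RAW" ];
-PrivateNetwork = false;
-
-# service hardening
-PrivateTmp = true;
-PrivateDevices = true;
-ProtectKernelTunables = true;
-ProtectControlGroups = true;
-RestrictSUIDSGID = true;
-ProtectKernelModules = true;
-SystemCallArchitectures = "native";
-PrivateMounts = true;
-LockPersonality = true;
-ProtectHostname = true;
-RestrictRealtime = true;
-ProtectSystem = "strict";
-ProtectHome = true;
-NoNewPrivileges = true;
-RestrictAddressFamilies = [
-"AF_INET"
-"AF_INET6"
-];
-MemoryDenyWriteExecute = true;
-PrivateUsers = false;
-SystemCallErrorNumber = "EPERM";
-SystemCallFilter = [ "@system-service" ];
-ProtectKernelLogs = true;
-DevicePolicy = "closed";
-ProtectClock = true;
-ProtectProc = "noaccess";
-ProcSubset = "pid";
-RestrictNamespaces = true;
-RemoveIPC = true;
-UMask = "0077";
-}
-// (
-if (monCfg.user != "" || monCfg.group != "") then
-{
-User = monCfg.user;
-Group = monCfg.group;
-}
-else
-{
-DynamicUser = true;
-}
-);
+serviceConfig = {
+Restart = "on-failure";
+RestartSec = 30;
+
+DynamicUser = true;
+User = "tickwatch";
+Group = "tickwatch";
+LogsDirectory = "tickwatch";
+
+# for ping monitor
+CapabilityBoundingSet = [ "CAP_NET_RAW" ];
+AmbientCapabilities = [ "CAP_NET_RAW" ];
+PrivateNetwork = false;
+
+# service hardening
+PrivateTmp = true;
+PrivateDevices = true;
+ProtectKernelTunables = true;
+ProtectControlGroups = true;
+RestrictSUIDSGID = true;
+ProtectKernelModules = true;
+SystemCallArchitectures = "native";
+PrivateMounts = true;
+LockPersonality = true;
+ProtectHostname = true;
+RestrictRealtime = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+NoNewPrivileges = true;
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+];
+MemoryDenyWriteExecute = true;
+PrivateUsers = false;
+SystemCallErrorNumber = "EPERM";
+SystemCallFilter = [ "@system-service" ];
+ProtectKernelLogs = true;
+DevicePolicy = "closed";
+ProtectClock = true;
+ProtectProc = "noaccess";
+ProcSubset = "pid";
+RestrictNamespaces = true;
+RemoveIPC = true;
+};
 });
 };
 }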
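Review bot: `UMask = "0077";` is missing from the new `serviceConfig` in the second hunk (the old side had it right after `RemoveIPC = true;`) although every other hardening directive was carried over, so unless the drop was deliberate the per-monitor log files created by the `>>` redirect in `/var/log/tickwatch` would be created under systemd's default umask and be readable by every local user; restore `UMask = "0077";` next to `RemoveIPC = true;`. Separately, with `ProtectSystem = "strict"` only the `LogsDirectory` is writable, so a non-default `logFile` outside `/var/log/tickwatch` will fail at the redirect; either say so in the option's description or add `ReadWritePaths = lib.optional (monCfg.logFile != "") (dirOf monCfg.logFile);`. The enclosing per-monitor service definition that binds `monCfg` starts outside the hunk.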