
Untitled

  1. { config, lib, pkgs, ... }:
  2.  
  3. let
  4.   name = "zeek";
  5.  
  6.   cfg = config.services.zeek;
  7.  
  8. in {
  9.  
  10.   ###### interface
  11.  
  12.   options.services.zeek = {
  13.     enable = lib.mkOption {
  14.       type = lib.types.bool;
  15.       description = "Whether to enable Zeek.";
  16.       default = false;
  17.     };
  18.  
  19.     interface = lib.mkOption {
  20.       type = lib.types.str;
  21.     };
  22.  
  23.   };
  24.  
  25.   ###### implementation
  26.  
  27.   config = lib.mkIf cfg.enable {
  28.     systemd.services.zeek = {
  29.       description = "Zeek network monitor";
  30.       wantedBy = [ "multi-user.target" ];
  31.       after = [ "network.target" ];
  32.       serviceConfig = {
  33.         #DynamicUser = true;
  34.         PermissionsStartOnly = true;
  35.         ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/zeek";
  36.         ExecStart = "${pkgs.zeek}/bin/zeek -i ${cfg.interface}";
  37.         CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
  38.         #NoNewPrivileges = true;
  39.         #ProtectControlGroups = true;
  40.         #ProtectKernelModules = true;
  41.         #ProtectKernelTunables = true;
  42.         #ProtectSystem = true;
  43.         #RestrictAddressFamilies = "AF_INET AF_INET6 AF_PACKET AF_UNIX";
  44.         #RestrictNamespaces = true;
  45.         RuntimeDirectory = name;
  46.         StateDirectory = name;
  47.         WorkingDirectory = /var/log/zeek;
  48.       };
  49.     };
  50.     security.wrappers.zeek-packet = {
  51.       source = "${pkgs.zeek}/bin/zeek";
  52.       capabilities = "cap_net_raw+eip";
  53.     };
  54.   };
  55. }
 