  1. { config, lib, pkgs, ... }:
  2.  
  3. let
  4. name = "zeek";
  5.  
  6. cfg = config.services.zeek;
  7.  
  8. in {
  9.  
  10. ###### interface
  11.  
  12. options.services.zeek = {
  13. enable = lib.mkOption {
  14. type = lib.types.bool;
  15. description = "Whether to enable Zeek.";
  16. default = false;
  17. };
  18.  
  19. interface = lib.mkOption {
  20. type = lib.types.str;
  21. };
  22.  
  23. };
  24.  
  25. ###### implementation
  26.  
  27. config = lib.mkIf cfg.enable {
  28. systemd.services.zeek = {
  29. description = "Zeek network monitor";
  30. wantedBy = [ "multi-user.target" ];
  31. after = [ "network.target" ];
  32. serviceConfig = {
  33. #DynamicUser = true;
  34. PermissionsStartOnly = true;
  35. ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/zeek";
  36. ExecStart = "${pkgs.zeek}/bin/zeek -i ${cfg.interface}";
  37. CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
  38. #NoNewPrivileges = true;
  39. #ProtectControlGroups = true;
  40. #ProtectKernelModules = true;
  41. #ProtectKernelTunables = true;
  42. #ProtectSystem = true;
  43. #RestrictAddressFamilies = "AF_INET AF_INET6 AF_PACKET AF_UNIX";
  44. #RestrictNamespaces = true;
  45. RuntimeDirectory = name;
  46. StateDirectory = name;
  47. WorkingDirectory = /var/log/zeek;
  48. };
  49. };
  50. security.wrappers.zeek-packet = {
  51. source = "${pkgs.zeek}/bin/zeek";
  52. capabilities = "cap_net_raw+eip";
  53. };
  54. };
  55. }