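{ config, lib, pkgs, ... }:

# NixOS module that runs Zeek as a systemd service capturing on one interface.
let
  name = "zeek";
  cfg = config.services.zeek;
in
{
  ###### interface

  options.services.zeek = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether to enable Zeek.";
    };

    interface = lib.mkOption {
      type = lib.types.str;
      example = "eth0";
      description = ''
        Network interface Zeek captures on (passed as `zeek -i <interface>`).
        There is no default: enabling the service without setting this is an
        evaluation error rather than a silent capture on the wrong link.
      '';
    };
  };

  ###### implementation

  config = lib.mkIf cfg.enable {
    systemd.services.zeek = {
      description = "Zeek network monitor";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        # NOTE(review): no User/DynamicUser is set, so the daemon runs as root.
        # CapabilityBoundingSet below limits what that root process can do, but
        # it still has unrestricted filesystem access. DynamicUser plus
        # AmbientCapabilities is the least-privilege shape; it is left off here
        # until zeek's write paths are confirmed to be covered by the
        # *Directory= settings below.
        #DynamicUser = true;

        # systemd creates /var/log/zeek (owned by the service user) before
        # ExecStart runs. This replaces the `mkdir -p` ExecStartPre and the
        # deprecated PermissionsStartOnly= that went with it.
        LogsDirectory = name;
        RuntimeDirectory = name;
        StateDirectory = name;

        # A string, not a Nix path literal: a bare `/var/log/zeek` is a path
        # value and, if ever interpolated, is copied into the store rather than
        # referring to the runtime directory.
        WorkingDirectory = "/var/log/${name}";

        # Quote the interface so a value containing whitespace cannot be split
        # by systemd into additional zeek arguments.
        ExecStart = "${pkgs.zeek}/bin/zeek -i ${lib.escapeShellArg cfg.interface}";

        # Only packet-capture capabilities are needed; everything else is
        # dropped from the bounding set even though the process is root.
        CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";

        # Hardening options, disabled pending verification against zeek
        # (it opens raw AF_PACKET sockets and writes under /var/log/zeek);
        # enable one at a time and check the journal for EPERM/EACCES.
        #NoNewPrivileges = true;
        #ProtectControlGroups = true;
        #ProtectKernelModules = true;
        #ProtectKernelTunables = true;
        #ProtectSystem = true;
        #RestrictAddressFamilies = "AF_INET AF_INET6 AF_PACKET AF_UNIX";
        #RestrictNamespaces = true;
      };
    };

    # Capability wrapper for running zeek interactively. Any local user who can
    # execute zeek-packet obtains cap_net_raw and can sniff traffic on every
    # interface; if that is not intended, set `group` to a dedicated capture
    # group and drop world-execute via `permissions`.
    # owner/group are mandatory on current NixOS and were the defaults before.
    security.wrappers.zeek-packet = {
      source = "${pkgs.zeek}/bin/zeek";
      owner = "root";
      group = "root";
      capabilities = "cap_net_raw+eip";
    };
  };
}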