ynetd: add nixos module #391184
I don’t think this is the place/time to run the formatter on the all-test.nix file unfortunately.
oops, I completely missed how much that formatted. I'll undo that in the morning!
77e5889 to d625ccd
${instanceCfg.extraFlags} \ | ||
"${instanceCfg.command}" | ||
''; | ||
User = "root"; |
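Review bot: `${instanceCfg.extraFlags}` is interpolated into the command line unquoted while `"${instanceCfg.command}"` is quoted by hand, so a command value that itself contains a double quote ends the argument early, and whatever is in extraFlags is split on whitespace as-is. Consider typing extraFlags as a list of strings and rendering both values with lib.escapeShellArgs / lib.escapeShellArg instead of manual quotes. Separately, `User = "root";` is hard-coded with no option to override it; exposing the user as a module option would let instances that do not need the cgroup features run unprivileged.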
Does this need to be root? Can a systemd user or whatever not be used?
This is the bit I feel a little uneasy regarding. I have a little explanation in the second paragraph of my PR: we could set it to a less powerful user, but then for cgroups I believe it would need CAP_SYS_ADMIN, at which point it's basically root just under another name.
I think if I go through and model more of the flags I can dynamically apply some of the CAP for the unhardened ynetd. I'll go through and see how this looks
avoid using `with` at the top of modules, per nix docs
Introduces a nixos module for setting up ynetd instances. Bear with me, this is my first nixos module.
I'm not 100% sure about my way of modeling it with multiple instances. I firmly believe that however it is made should allow for multiple instances, since it's more akin to NGINX with multiple virtual hosts than a service that would just have one instance running per host-machine; I'm just not sure if this is the best way to model it.
It might also make sense to have a toggle to specify what user the systemd service will be running as (or maybe tighten it down to be a non-root user, but then give it all the privileges needed). For this case CAP_SETUID and CAP_SETGID come to mind, but for ynetd.hardened/ctf-ynetd it would also need the ability to manage cgroups, and I don't know the proper permissions for that besides CAP_SYS_ADMIN, which just basically becomes root. That being said, I imagine most users of this where security is a concern (like CTFs where the aim is to pwn a binary) will do it inside of a nix container/vm anyways.
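The root-versus-capabilities trade-off raised in this thread, written out as a NixOS systemd unit that runs as a dedicated user with only CAP_SETUID and CAP_SETGID and relies on systemd cgroup delegation instead of CAP_SYS_ADMIN. This is an added example, not code from the PR: the unit name, user name, binary path and empty argument list are placeholders, and whether ynetd.hardened works inside a delegated cgroup subtree is an untested assumption.

```nix
# Added example, not the PR's module. Names marked "placeholder" are assumptions.
{ lib, pkgs, ... }:
let
  # Placeholder: the instance's ynetd flags and the command to serve.
  ynetdArgs = [ ];
in
{
  users.groups.ynetd-demo = { };
  users.users.ynetd-demo = {
    isSystemUser = true;
    group = "ynetd-demo";
  };

  systemd.services.ynetd-demo = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      # Assumed binary path inside the ynetd package.
      ExecStart = "${pkgs.ynetd}/bin/ynetd ${lib.escapeShellArgs ynetdArgs}";
      User = "ynetd-demo";
      Group = "ynetd-demo";

      # Only the two capabilities named in the PR description; everything
      # else, including CAP_SYS_ADMIN, is dropped from the bounding set.
      AmbientCapabilities = "CAP_SETUID CAP_SETGID";
      CapabilityBoundingSet = "CAP_SETUID CAP_SETGID";

      # For a unit with User= set, Delegate= lets its processes manage a
      # private cgroup subtree below the unit's own cgroup without
      # CAP_SYS_ADMIN. Assumption: ynetd.hardened can work inside that
      # subtree; this has not been tested.
      Delegate = true;

      # CAP_SETUID still permits setuid(0), so limit what uid 0 could reach.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      RestrictSUIDSGID = true;
    };
  };
}
```

Running `systemd-analyze security ynetd-demo.service` on the resulting host shows which exposures remain after these settings.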