authorMaximilian Bosch <maximilian@mbosch.me>2018-04-07 15:06:51 +0200
committerMaximilian Bosch <maximilian@mbosch.me>2018-04-07 15:06:51 +0200
commit50a34e55b20764fe0ff638a9c15312b5be9ceca1 (patch)
tree14deb2eed4f7937293cf5a52cbddcae001646454 /nixos/modules/programs
parentf8fe297ff1dd7caebee4b923ce2178da090564ac (diff)
nixos/iftop: add module
This patch is heavily inspired by bd0d8ed807d29faa3deee96bafcbbd76c8fa4060 which added
a setcap wrapper for `mtr` in order to allow running `mtr` without
`sudo`. The need for the capability `cap_net_raw` that can be registered using
`setcap` has been documented in the Arch Wiki: https://wiki.archlinux.org/index.php/Capabilities#iftop

A simple testcase has been added which starts two machines, one with a
setcap wrapper for `iftop` and one without. Both machines monitor their
bandwidth usage once using the options `-t -s 1`: the machine with the
setcap wrapper is expected to succeed, while `iftop` on the machine
without the setcap wrapper is expected to return a non-zero exit code.
Diffstat (limited to 'nixos/modules/programs')
-rw-r--r--nixos/modules/programs/iftop.nix18
1 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix
new file mode 100644
index 000000000000..a98a9a8187d4
--- /dev/null
+++ b/nixos/modules/programs/iftop.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.iftop;
+in {
+  options = {
+    programs.iftop.enable = mkEnableOption "iftop + setcap wrapper";
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.iftop ];
+    security.wrappers.iftop = {
+      source = "${pkgs.iftop}/bin/iftop";
+      capabilities = "cap_net_raw+p";
+    };
+  };
+}
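Review bot: The `security.wrappers.iftop` entry sets only `source` and `capabilities`, so who may execute the wrapper is left to the wrapper module's defaults, which are not visible in this hunk. If those defaults allow all users to execute it, enabling this option lets every local account run iftop with `cap_net_raw` and observe traffic on the host's interfaces. On multi-user machines it would be safer to limit execution to a dedicated group, e.g. `group = "<capture-group>";` and `permissions = "u+rx,g+x";` (the group name is a placeholder). The option text should also say what is granted, for example `mkEnableOption "iftop and a setcap wrapper granting cap_net_raw to users who can execute it"`, so an administrator sees the trade-off before enabling it.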