authorBjørn Forsman <bjorn.forsman@gmail.com>2017-02-16 21:53:09 +0100
committerRobin Gloster <mail@glob.in>2017-02-17 15:42:54 +0100
commit8f3e6fdd8cb68af56d40e646be3077e319769a4e (patch)
tree41ae16104b9d5cf64ad14e09902efd6cbffdaaa9 /nixos/modules
parent070825d443a384e8cf2928bab0367d430aaeca75 (diff)
nixos: add programs.wireshark option
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module simplifies such a
configuration to simply:

  programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
  - add "defaultText" to the programs.wireshark.package option (AFAIK,
    that prevents the manual from being needlessly rebuilt when the
    package changes)
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/wireshark.nix57
3 files changed, 60 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index d51b29b99dae..a3845737410d 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,6 +288,7 @@
       kresd = 270;
       rpc = 271;
       geoip = 272;
+      #wireshark = 273; # unused
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -545,6 +546,7 @@
       kresd = 270;
       #rpc = 271; # unused
       #geoip = 272; # unused
+      wireshark = 273;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 81597d91d89a..e60f93d52d98 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -91,6 +91,7 @@
   ./programs/tmux.nix
   ./programs/venus.nix
   ./programs/vim.nix
+  ./programs/wireshark.nix
   ./programs/wvdial.nix
   ./programs/xfs_quota.nix
   ./programs/xonsh.nix
diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix
new file mode 100644
index 000000000000..aaaf678d362c
--- /dev/null
+++ b/nixos/modules/programs/wireshark.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.programs.wireshark;
+  wireshark = cfg.package;
+
+in
+
+{
+
+  options = {
+
+    programs.wireshark = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to add Wireshark to the global environment and configure a
+          setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+        '';
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.wireshark-cli;
+        defaultText = "pkgs.wireshark-cli";
+        description = ''
+          Which Wireshark package to install in the global environment.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ wireshark ];
+    
+    security.wrappers.dumpcap = {
+      source = "${wireshark}/bin/dumpcap";
+      owner = "root";
+      group = "wireshark";
+      setuid = true;
+      setgid = false;
+      permissions = "u+rx,g+x";
+    };
+
+    users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
+
+  };
+
+}
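Review bot: `setuid = true` in `security.wrappers.dumpcap` runs dumpcap with full root for every member of the 'wireshark' group, although capturing only needs raw-socket and interface privileges, so a memory-safety bug in dumpcap would be reachable with root rights. If the wrappers module in this tree accepts a `capabilities` attribute (not visible in this diff), prefer `setuid = false;` together with `capabilities = "cap_net_raw,cap_net_admin+eip";`. The `enable` description should also state what the group grants, for example `Members of the 'wireshark' group can capture all network traffic visible to this host.`, so administrators treat membership as a privileged assignment. The blank line after `environment.systemPackages` carries trailing whitespace.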