Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/wireshark.nix | 42 | ||||
-rw-r--r-- | nixos/modules/security/wrappers/default.nix | 3 |
3 files changed, 45 insertions, 1 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5cd60e1b9d78..a304336c731e 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -93,6 +93,7 @@
 ./programs/tmux.nix
 ./programs/venus.nix
 ./programs/vim.nix
+ ./programs/wireshark.nix
 ./programs/wvdial.nix
 ./programs/xfs_quota.nix
 ./programs/xonsh.nix
diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix
new file mode 100644
index 000000000000..710d223b6f59
--- /dev/null
+++ b/nixos/modules/programs/wireshark.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.programs.wireshark;
+ wireshark = cfg.package;
+in {
+ options = {
+ programs.wireshark = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to add Wireshark to the global environment and configure a
+ setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
+ '';
+ };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.wireshark-cli;
+ defaultText = "pkgs.wireshark-cli";
+ description = ''
+ Which Wireshark package to install in the global environment.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ wireshark ];
+ users.extraGroups.wireshark = {};
+
+ security.wrappers.dumpcap = {
+ source = "${wireshark}/bin/dumpcap";
+ capabilities = "cap_net_raw+p";
+ owner = "root";
+ group = "wireshark";
+ permissions = "u+rx,g+x";
+ };
+ };
+}
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 861ce225257d..52f251876605 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -28,6 +28,7 @@ let
 , source
 , owner ? "nobody"
 , group ? "nogroup"
+ , permissions ? "u+rx,g+x,o+x"
 , ... }:
 assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
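Review bot: In nixos/modules/programs/wireshark.nix, `permissions = "u+rx,g+x";` is built from additive chmod clauses, so it grants owner and group access but does not by itself take execute permission away from other users. Whether accounts outside the `wireshark` group are kept off the `cap_net_raw` wrapper therefore depends on the mode the wrapper file has before that chmod runs, which none of the visible hunks show. An absolute mode states the intent without that dependency: `permissions = "u=rx,g=x,o=";`. The `enable` description should also say that membership in the `wireshark` group allows capturing traffic on the host's interfaces, so the group is to be treated as privileged.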
@@ -45,7 +46,7 @@ let
 ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
 # Set the executable bit
- chmod u+rx,g+x,o+x $wrapperDir/${program}
+ chmod ${permissions} $wrapperDir/${program}
 '';
 ###### Activation script for the setuid wrappers |
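Review bot: `chmod ${permissions} $wrapperDir/${program}` pastes the new argument into the activation script unquoted and unvalidated, and neither hunk of this file documents what form the value must take. The value comes from system configuration, so this is a robustness point rather than an untrusted-input one, but a string containing whitespace or shell metacharacters would change the command that runs as part of activation. I would quote it, `chmod "${permissions}" "$wrapperDir/${program}"`, and add a comment at the argument in the first hunk such as `# permissions: chmod(1) mode string applied after setcap; '+' clauses only add bits`. The enclosing function starts and ends outside both hunks.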