colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bandwhich: ship

Browse Source
This commit is contained in:
Colin
2024-11-18 20:52:16 +00:00
parent c975831cc4
commit 2f703ef694
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/common/programs/assorted.nix
View File

@@ -35,6 +35,7 @@ in
sysadminUtils = declPackageSet [ sysadminUtils = declPackageSet [
"ausyscall" "ausyscall"
"bandwhich" # network/bandwidth monitor
"bridge-utils" # for brctl; debug linux "bridge" inet devices "bridge-utils" # for brctl; debug linux "bridge" inet devices
"btrfs-progs" "btrfs-progs"
"cacert.unbundled" # some services require unbundled /etc/ssl/certs "cacert.unbundled" # some services require unbundled /etc/ssl/certs
@@ -427,6 +428,20 @@ in
backblaze-b2 = {}; backblaze-b2 = {};
bandwhich.sandbox.capabilities = [
# it recommends these caps
# - new_raw is absolutely required
# - dac_read_search + sys_ptrace are required to associate traffic with process names
# - net_admin is... seemingly not actually required for anything?
"dac_read_search"
# "net_admin"
"net_raw"
"sys_ptrace"
];
bandwhich.sandbox.keepPids = true; #< so it can determine process names
bandwhich.sandbox.tryKeepUsers = true;
bandwhich.sandbox.net = "all";
bash-language-server.sandbox.whitelistPwd = true; bash-language-server.sandbox.whitelistPwd = true;
blanket.buildCost = 1; blanket.buildCost = 1;