Don't hardcode PATH #7

Merged 3 commits, Jan 4, 2024
34 changes: 31 additions & 3 deletions modules/kolide-launcher/default.nix
@@ -1,7 +1,7 @@
flake: { config, lib, pkgs, ... }:

let
inherit (lib) types mkEnableOption mkOption mkIf;
inherit (lib) types mkEnableOption mkOption mkIf optional;
inherit (flake.packages.x86_64-linux) kolide-launcher;
cfg = config.services.kolide-launcher;
in
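Review bot: while this hunk is touching the `inherit` lines, note that `inherit (flake.packages.x86_64-linux) kolide-launcher;` on the context line pins the module to one system, and the inherited name is then not used at ExecStart, which spells out `${flake.packages.x86_64-linux.kolide-launcher}/bin/launcher` again. Consider selecting the package by the host's platform, e.g. `inherit (flake.packages.${pkgs.stdenv.hostPlatform.system}) kolide-launcher;`, and referencing `${kolide-launcher}/bin/launcher` in ExecStart, so the module evaluates on any system the flake exposes a package for and there is a single place to change.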
@@ -54,10 +54,38 @@ in
after = [ "network.service" "syslog.service" ];
wantedBy = [ "multi-user.target" ];

path = with pkgs; [ patchelf ];
# Hard requirements should go in list; optional requirements should be added as optional.
# Intentionally not included because they aren't supported on Nix:
# - CrowdStrike (falconctl, falcon-kernel-check)
# - Carbon Black (repcli)
# - dnf (related libraries dnf5, libdnf, and microdnf are available, but nothing provides the dnf binary)
# - x-www-browser (symlink created via `update-alternatives`, which isn't available)
path = with pkgs; [
patchelf # Required to auto-update successfully
systemd # Provides loginctl, systemctl; loginctl required to run desktop
xdg-utils # Provides xdg-open, required to open browser from notifications and menu bar app
]
++ optional (builtins.elem apt config.environment.systemPackages) apt
Contributor Author:
i.e.: "if apt is in system packages, then append it to the path list".

Contributor Author:
To understand Nix syntax, this is the best/quickest overview I've found

Contributor:
I'm hoping we can autogen this from allowedcmd

Contributor Author:
Yes, I am hoping we can do that eventually too. It's a bit of a pain to track down what nix package provides which commands, though, so it wasn't simple to do here.

Contributor:
I'm imagining we'll need to record those in allowedcmd
++ optional (builtins.elem cryptsetup config.environment.systemPackages) cryptsetup
++ optional (builtins.elem coreutils-full config.environment.systemPackages) coreutils-full # Provides echo
++ optional (builtins.elem dpkg config.environment.systemPackages) dpkg
++ optional (builtins.elem glib config.environment.systemPackages) glib # Provides gsettings
++ optional (builtins.elem gnome.gnome-shell config.environment.systemPackages) gnome.gnome-shell # Provides gnome-extensions
++ optional (builtins.elem iproute2 config.environment.systemPackages) iproute2 # Provides ip
++ optional (builtins.elem libnotify config.environment.systemPackages) libnotify # Provides notify-send
++ optional (builtins.elem lsof config.environment.systemPackages) lsof
++ optional (builtins.elem nettools config.environment.systemPackages) nettools # Provides ifconfig
++ optional (builtins.elem networkmanager config.environment.systemPackages) networkmanager # Provides nmcli
++ optional (builtins.elem pacman config.environment.systemPackages) pacman
++ optional (builtins.elem procps config.environment.systemPackages) procps # Provides ps
++ optional (builtins.elem rpm config.environment.systemPackages) rpm
++ optional (builtins.elem xorg.xrdb config.environment.systemPackages) xorg.xrdb # Provides xrdb
++ optional (builtins.elem util-linux config.environment.systemPackages) util-linux # Provides lsblk
++ optional (builtins.elem zerotierone config.environment.systemPackages) zerotierone # Provides zerotier-cli
++ optional (builtins.elem zfs config.environment.systemPackages) zfs # Provides zfs, zpool
;

serviceConfig = {
Environment = "PATH=/run/wrappers/bin:/bin:/sbin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin";
ExecStart = ''
${flake.packages.x86_64-linux.kolide-launcher}/bin/launcher \
--hostname ${cfg.kolideHostname} \
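Review bot: the `builtins.elem <pkg> config.environment.systemPackages` guard on every `optional` line only succeeds when the exact derivation from this module's `pkgs` is what the host placed in `environment.systemPackages`; a package that reaches the machine through a different nixpkgs pin, an overlay or `.override`, or a user profile rather than `systemPackages` fails the test silently, and the command simply never appears on the service's PATH with no evaluation error to point at it. That limitation belongs in the comment block above the list (the one starting "Hard requirements should go in list"), and the 18 near-identical lines would read better through one helper in the `let`, e.g. `optionalIfInstalled = pkg: optional (builtins.elem pkg config.environment.systemPackages) pkg;`, so each entry becomes `++ optionalIfInstalled apt`. Separately, deleting `Environment = "PATH=/run/wrappers/bin:/bin:/sbin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin";` also drops `/run/wrappers/bin`, the directory holding the NixOS setuid and capability wrappers, and `/run/current-system/sw/bin`; if launcher invokes anything that must go through a wrapper, that directory needs to be re-added explicitly, since the new `path` list resolves only to store paths.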