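{ config, lib, pkgs, ... }:

# NixOS module: runs a Ghidra server (ghidra.server.remote.GhidraServer) as a
# systemd service and optionally installs a system-wide admin CLI wrapper.

with lib;

let
  cfg = config.services.ghidra-server;

  # svrAdmin wrapper built from ./cli.nix against the same Ghidra package, JDK
  # and state directory as the server, so both agree on the repositories path.
  adminCli = pkgs.callPackage ./cli.nix {
    inherit (cfg) package jdkPackage directory;
  };
in {
  options.services.ghidra-server = {
    enable = mkEnableOption "ghidra-server";

    # Installs the admin CLI into environment.systemPackages; on by default.
    enableAdminCli = mkEnableOption "ghidra-svrAdmin" // { default = true; };

    package = mkPackageOption pkgs "ghidra_headless" { };

    jdkPackage = mkPackageOption pkgs "openjdk21_headless" { };

    host = mkOption {
      default = null;
      defaultText = literalExpression "null";
      example = literalExpression "\"myserver.lol\"";
      description = ''
        Ghidra server hostname or IP, passed to the server as `-ip`.
        When `null`, the `-ip` flag is omitted.
      '';
      # The documented default is `null`, so the type must admit it: with plain
      # `types.str` the default failed the option type check, and leaving `host`
      # unset aborted evaluation instead of being optional.
      type = types.nullOr types.str;
    };

    basePort = mkOption {
      default = 13100;
      description = "Ghidra server base port - the server will use 3 consecutive TCP ports starting from the provided port number.";
      type = types.port;
    };

    directory = mkOption {
      default = "ghidra-server";
      description = ''
        Directory for Ghidra server data, under `/var/lib` (for systemd `StateDirectory`)
      '';
      type = types.str;
    };

    user = mkOption {
      type = types.str;
      default = "ghidra";
      description = "User account under which ghidra server runs.";
    };

    group = mkOption {
      type = types.str;
      default = "ghidra";
      description = "Group account under which ghidra server runs.";
    };
  };

  config = mkIf cfg.enable {
    users.users."${cfg.user}" = {
      isSystemUser = true;
      # Home is the StateDirectory the unit creates below.
      home = "/var/lib/${cfg.directory}";
      inherit (cfg) group;
      packages = [ cfg.package cfg.jdkPackage ];
    };

    users.groups."${cfg.group}" = {};

    systemd.services."ghidra-server" =
      let
        ghidra_log4j_config = ./custom.log4j.xml;
        # JVM flags: custom log4j config, IPv4 preference, tmp dirs under /tmp
        # (private to this unit because of PrivateTmp below), server-side TLS
        # restricted to 1.2/1.3, compressed DB buffers and a bounded heap.
        ghidra_java_opt = "-Dlog4j.configurationFile=${ghidra_log4j_config} -Djava.net.preferIPv4Stack=true -Djava.io.tmpdir=/tmp -Djna.tmpdir=/tmp -Dghidra.tls.server.protocols=TLSv1.2;TLSv1.3 -Ddb.buffers.DataBuffer.compressedOutput=true -Xms396m -Xmx768m";
        ghidra_home = "${cfg.package}/lib/ghidra";
        # Derive the server classpath from Ghidra's own classpath.frag.
        ghidra_classpath = with builtins; let
          # Reading a file out of the package's store path at evaluation time
          # forces cfg.package to be built during evaluation (import-from-derivation).
          input = lib.readFile "${ghidra_home}/Ghidra/Features/GhidraServer/data/classpath.frag";
          # `split` alternates literal text with capture lists; every line of the
          # form `...ghidra_home/<path>` contributes one capture holding `<path>`.
          inputSplit = split "[^\n]*ghidra_home.([^\n]*)\n" input;
          paths = map head (filter isList inputSplit);
        in ghidra_home + (concatStringsSep (":" + ghidra_home) paths);
        ghidra_mainclass = "ghidra.server.remote.GhidraServer";
        # -a0 / -u: authentication mode and client-supplied login name (assumed
        # from the Ghidra server README -- confirm against the packaged svrREADME).
        # -ip is only passed when host is set.
        ghidra_args = "-a0 -u -p${toString cfg.basePort} ${optionalString (cfg.host != null) "-ip ${cfg.host} "}/var/lib/${cfg.directory}/repositories";
      in {
        description = "Ghidra server";
        after = ["network.target"];
        serviceConfig = {
          ExecStart = "${cfg.jdkPackage}/bin/java ${ghidra_java_opt} -classpath ${ghidra_classpath} ${ghidra_mainclass} ${ghidra_args}";
          WorkingDirectory = "/var/lib/${cfg.directory}";
          Environment = "GHIDRA_HOME=${ghidra_home}";
          User = cfg.user;
          Group = cfg.group;
          # 143 = 128 + SIGTERM, the JVM's exit status when systemd stops it;
          # count it as a clean shutdown rather than a failure.
          SuccessExitStatus = 143;

          # use StateDirectory to create home dir and additional needed dirs with overridden
          # permissions when the unit starts
          # this is needed because we'd like the group (ghidra) to have write access to the
          # directories here, particularly ~admin
          StateDirectory = "${cfg.directory} ${cfg.directory}/repositories ${cfg.directory}/repositories/~admin";
          # NOTE(review): 0770 gives every member of cfg.group write access to
          # repositories/~admin -- presumably the drop directory the admin CLI
          # writes server commands into (confirm). If so, group membership is
          # effectively server administration; keep that group to operators only.
          StateDirectoryMode = "0770";

          # Sandboxing: PrivateTmp also scopes the /tmp paths in ghidra_java_opt
          # to this unit. NOTE(review): no ProtectSystem/ProtectHome/etc. here;
          # adding them needs the server's filesystem access verified first.
          PrivateTmp = true;
          NoNewPrivileges = true;
        };
        wantedBy = ["multi-user.target"];
      };

    # svrAdmin wrapper, installed system-wide unless disabled.
    environment.systemPackages = optionals cfg.enableAdminCli [ adminCli ];
  };
}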