From e7a63eede37fa81dc2360c7ef633939e53c999a7 Mon Sep 17 00:00:00 2001 From: octodi Date: Sat, 3 Feb 2024 00:25:33 +0530 Subject: [PATCH 1/8] nixos/nist-feed: init module Update nixos/modules/programs/nist-feed.nix --- .../manual/release-notes/rl-2405.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/programs/nist-feed.nix | 54 +++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 nixos/modules/programs/nist-feed.nix diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 9dfeb6c8fe76d..758d74f65071c 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -65,6 +65,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable). +- [NIST-Feed](https://github.com/d3vil0p3r/nist-feed), notifies you about the newest published CVEs from NIST. Available as [programs.nist-feed](#opt-programs.nist-feed.enable). + - [RustDesk](https://rustdesk.com), a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. - [systemd-lock-handler](https://git.sr.ht/~whynothugo/systemd-lock-handler/), a bridge between logind D-Bus events and systemd targets. Available as [services.systemd-lock-handler.enable](#opt-services.systemd-lock-handler.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 71498e397cb65..594ef88426214 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -222,6 +222,7 @@ ./programs/neovim.nix ./programs/nethoscope.nix ./programs/nexttrace.nix + ./programs/nist-feed.nix ./programs/nix-index.nix ./programs/nix-ld.nix ./programs/nm-applet.nix 
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
new file mode 100644
index 0000000000000..3b2265bd3eb63
--- /dev/null
+++ b/nixos/modules/programs/nist-feed.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.programs.nist-feed;
+in
+{
+ options = {
+ programs.nist-feed = {
+ enable = mkEnableOption (mdDoc "NIST Feed, which notifies you about the newest published CVEs");
+ package = mkPackageOption pkgs "nist-feed" { };
+ extraArgs = mkOption {
+ type = types.str;
+ default = "-l -s CRITICAL";
+ description = mdDoc ''
+ Arguments to provide to NIST-Feed, see a full list at https://github.com/D3vil0p3r/NIST-Feed/blob/main/README.md#nist-feed
+ '';
+ };
+
+ onCalendar = mkOption {
+ type = types.str;
+ default = "*:0/30";
+ description = mdDoc ''
+ How often NIST-Feed executes.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ cfg.package ];
+ systemd.user.services.nist-feed = {
+ wantedBy = [ "default.target" ];
+ description = "A notification daemon for CVEs";
+ path = [ pkgs.curl pkgs.busybox ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${cfg.package}/bin/nist-feed ${cfg.extraArgs}";
+ };
+ };
+
+ systemd.user.timers.nist-feed = {
+ wantedBy = [ "default.target" ];
+ timerConfig = {
+ Unit = "nist-feed.service";
+ OnCalendar = cfg.onCalendar;
+ Persistent = "true";
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [octodi];
+}
From 2881fc236c21170488d4703fa5d50fe0a047c3cf Mon Sep 17 00:00:00 2001
From: octodi
Date: Sat, 3 Feb 2024 01:24:17 +0530
Subject: [PATCH 2/8] nist-feed: init at 0-unstable-2024-01-20
---
pkgs/by-name/ni/nist-feed/cron.patch | 56 +++++++++++++++++++++++++++
pkgs/by-name/ni/nist-feed/package.nix | 50 ++++++++++++++++++++++++
2 files changed, 106 insertions(+)
create mode 100644 pkgs/by-name/ni/nist-feed/cron.patch
create mode 100644 pkgs/by-name/ni/nist-feed/package.nix
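Review bot: `systemd.user.services.nist-feed` is itself `wantedBy = [ "default.target" ]`, so the oneshot is started at every user-session start in addition to the timer activations, and the timer's `Persistent = "true"` already covers runs missed while logged out; drop `wantedBy` from the service and have only the timer pull it in, conventionally with `wantedBy = [ "timers.target" ];` on `systemd.user.timers.nist-feed`. The unit's `description = "A notification daemon for CVEs"` is misleading for a `Type = "oneshot"` unit that exits after one check; `"Check the NIST NVD feed for new CVEs"` describes what one activation does. `with lib;` at file scope is discouraged in nixpkgs modules because it hides where `mkOption`, `types` and `maintainers` come from; `inherit (lib) mkOption mkIf types;` (or `lib.` prefixes) is the usual form.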
diff --git a/pkgs/by-name/ni/nist-feed/cron.patch b/pkgs/by-name/ni/nist-feed/cron.patch
new file mode 100644
index 0000000000000..740878c13f792
--- /dev/null
+++ b/pkgs/by-name/ni/nist-feed/cron.patch
@@ -0,0 +1,56 @@
+--- a/nist-feed 2024-01-28 19:03:44.721621784 +0530
++++ b/nist-feed 2024-01-29 18:58:25.981732803 +0530
+@@ -1,7 +1,5 @@
+ #!/bin/sh
+
+-pkill -f "/usr/bin/gjs /usr/share/gnome-shell/org.gnome.Shell.Notifications"
+-
+ ############################################################
+ # Colors #
+ ############################################################
+@@ -67,7 +65,7 @@
+ echo "-i Filter by integrity metric (NONE='I:N', LOW='I:L' or HIGH='I:H')."
+ echo "-l Retrieve the latest CVE according to the filters."
+ echo "-m Filter by the specified CVSSv3 metric codes. It is used mainly for managing all filters selected by the user when the notification popup must be created."
+- echo "-n Enable desktop notification for the latest CVE according the applied filters by crontab."
++ echo "-n Notification option has been removed for nix, to enable notifications use programs.nist-feed.enable = true; "
+ echo "-P Filter by privileges required metric (NONE='PR:N', LOW='PR:L' or HIGH='PR:H')."
+ echo "-r Specify the maximum number of results that are returned based on the request parameters. The default value is 20. For network considerations, maximum allowable limit is 2,000."
+ echo "-S Filter by scope metric (UNCHANGED='S:U' or CHANGED='S:C')."
+@@ -237,7 +235,6 @@
+
+ if [ "$end" ]; then
+ echo "Disabling NIST NVD feed popup notification..."
+- crontab -l | sed '/nist-feed/d' | crontab
+ rm -rf $last_cve_file
+ rm -rf $cve_json_file
+ exit 0
+@@ -336,27 +333,13 @@
+ fi
+ fi
+
+-if [[ "$id" != "$LAST_CVE" ]] || [ $(crontab -l | wc -c) -eq 0 ];then #if the previous CVE is different from the current one, OR the crontab is empty, popup notification
++if [[ "$id" != "$LAST_CVE" ]];then #if the previous CVE is different from the current one, OR the crontab is empty, popup notification
+ if [[ !
"$notify" ]]; then #LAST_CVE must be set only if the user does not set the notification parameters, otherwise when crontab will call the 1st time nist-feed, $id is already = to $LAST_CVE
+ echo "$id" > $last_cve_file
+ #Generate the popup notification
+ killall dunst;notify-send -u normal "$id" "$description\n\n$nvdURL"
+ fi
+
+- if [[ "$notify" -eq 1 ]] && [ ! "$severity" ] && [ ! "$metric" ]; then
+- crontab -l | sed '/nist-feed/d' | crontab
+- (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l)") | crontab -
+- elif [[ "$notify" -eq 1 ]] && [ "$severity" ] && [ ! "$metric" ]; then
+- crontab -l | sed '/nist-feed/d' | crontab
+- (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l -s $severity)") | crontab -
+- elif [[ "$notify" -eq 1 ]] && [ ! "$severity" ] && [ "$metric" ]; then
+- crontab -l | sed '/nist-feed/d' | crontab
+- (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l -m $metric)") | crontab -
+- elif [[ "$notify" -eq 1 ]] && [ "$severity" ] && [ "$metric" ]; then
+- crontab -l | sed '/nist-feed/d' | crontab
+- (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l -s $severity -m $metric)") | crontab -
+- fi
+-
+ fi
+
+ rm -rf $cve_json_file
diff --git a/pkgs/by-name/ni/nist-feed/package.nix b/pkgs/by-name/ni/nist-feed/package.nix
new file mode 100644
index 0000000000000..545a46ce1f062
--- /dev/null
+++ b/pkgs/by-name/ni/nist-feed/package.nix
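Review bot: The rewritten `++if [[ "$id" != "$LAST_CVE" ]];then` line keeps the trailing comment `OR the crontab is empty`, which now describes a condition this patch removes; trim it to `#if the previous CVE is different from the current one, popup notification`, and the next context line's remark about crontab calling nist-feed the first time is stale for the same reason. The unchanged `killall dunst;notify-send ...` line is now reached from the NixOS module's timer rather than from a cron entry, so with the module's default of every 30 minutes a dunst user's notification daemon is killed twice an hour; the kill looks like a leftover of the cron-driven popup and could be dropped in this same patch. The script's remaining handling of the `-n` flag lies outside the hunk, so whether the flag still does anything after its help text was changed cannot be judged here.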
@@ -0,0 +1,50 @@
+{ stdenvNoCC
+, lib
+, fetchFromGitHub
+, makeWrapper
+, bash
+, jq
+, killall
+, libnotify
+, curl
+, busybox
+}:
+
+stdenvNoCC.mkDerivation {
+ pname = "nist-feed";
+ version = "0-unstable-2024-01-20";
+
+ src = fetchFromGitHub {
+ owner = "D3vil0p3r";
+ repo = "NIST-Feed";
+ rev = "775bd871490b680784a1855cdc1d4958a83a7866";
+ hash = "sha256-OcVf766q7vELYkGOEzQMLS6zH8Nn96ibGP+6kizHN28=";
+ };
+
+ patches = [
+ ./cron.patch
+ ];
+
+ nativeBuildInputs = [ makeWrapper ];
+
+ postPatch = ''
+ substituteInPlace nist-feed \
+ --replace "/usr/local/bin/nist-feed" $out/bin/nist-feed
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ install -Dm555 nist-feed $out/bin/nist-feed
+ wrapProgram "$out/bin/nist-feed" \
+ --prefix PATH : "$out/bin:${lib.makeBinPath [ jq killall libnotify curl busybox ]}"
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ description = "Notification daemon for CVEs from the NIST National Vulnerability Database";
+ homepage = "https://github.com/D3vil0p3r/NIST-Feed/";
+ license = licenses.gpl3Plus;
+ maintainers = with maintainers; [ octodi ];
+ mainProgram = "nist-feed";
+ };
+}
From 1bf4758bb2ec010dea94a9f5b5bca7d7c317831c Mon Sep 17 00:00:00 2001
From: octodi <127038896+octodi@users.noreply.github.com>
Date: Sat, 10 Feb 2024 11:23:03 +0530
Subject: [PATCH 3/8] Update nixos/modules/programs/nist-feed.nix
Co-authored-by: h7x4
---
nixos/modules/programs/nist-feed.nix | 1 -
1 file changed, 1 deletion(-)
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
index 3b2265bd3eb63..28de9bc9995c1 100644
--- a/nixos/modules/programs/nist-feed.nix
+++ b/nixos/modules/programs/nist-feed.nix
@@ -33,7 +33,6 @@ in
 systemd.user.services.nist-feed = {
 wantedBy = [ "default.target" ];
 description = "A notification daemon for CVEs";
- path = [ pkgs.curl pkgs.busybox ];
 serviceConfig = {
 Type = "oneshot";
 ExecStart = "${cfg.package}/bin/nist-feed ${cfg.extraArgs}";
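Review bot: `bash` is taken in the argument set at the top of the hunk but never referenced anywhere in the derivation, so it is an unused input and should be removed; since the script uses `[[ ... ]]` under a `#!/bin/sh` shebang (visible in cron.patch), if it is meant to run under bash that should be stated explicitly in the shebang or the wrapper instead of relying on whatever `patchShebangs` resolves `sh` to. The `wrapProgram --prefix PATH` line places the whole of `busybox`'s bin directory ahead of the user's PATH, so every `sed`, `wc` and `rm` the script spawns becomes the busybox applet rather than the user's GNU tool; if only a few utilities are needed, naming `coreutils`/`gnused` in `makeBinPath` is the narrower choice. `substituteInPlace ... --replace` succeeds silently when the pattern is absent, so a future upstream rename of the `/usr/local/bin/nist-feed` string would go unnoticed; `--replace-fail`, if present in this nixpkgs checkout, makes the postPatch fail loudly instead.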
From 401d32c918382ce3f94f4f62e5c1bce3618263bc Mon Sep 17 00:00:00 2001
From: octodi <127038896+octodi@users.noreply.github.com>
Date: Sat, 10 Feb 2024 11:23:17 +0530
Subject: [PATCH 4/8] Update nixos/modules/programs/nist-feed.nix
Co-authored-by: h7x4
---
nixos/modules/programs/nist-feed.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
index 28de9bc9995c1..e4fbf8f7012c7 100644
--- a/nixos/modules/programs/nist-feed.nix
+++ b/nixos/modules/programs/nist-feed.nix
@@ -35,7 +35,7 @@ in
 description = "A notification daemon for CVEs";
 serviceConfig = {
 Type = "oneshot";
- ExecStart = "${cfg.package}/bin/nist-feed ${cfg.extraArgs}";
+ ExecStart = "${cfg.package}/bin/nist-feed ${escapeShellArgs cfg.extraArgs}";
 };
 };
From 21e4e81528fafd6defe54dd2e7f6140390e30392 Mon Sep 17 00:00:00 2001
From: octodi <127038896+octodi@users.noreply.github.com>
Date: Sat, 10 Feb 2024 11:23:31 +0530
Subject: [PATCH 5/8] Update nixos/modules/programs/nist-feed.nix
Co-authored-by: h7x4
---
nixos/modules/programs/nist-feed.nix | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
index e4fbf8f7012c7..ff315db88ccc3 100644
--- a/nixos/modules/programs/nist-feed.nix
+++ b/nixos/modules/programs/nist-feed.nix
@@ -14,7 +14,8 @@ in
 type = types.str;
 default = "-l -s CRITICAL";
 description = mdDoc ''
- Arguments to provide to NIST-Feed, see a full list at https://github.com/D3vil0p3r/NIST-Feed/blob/main/README.md#nist-feed
+ Arguments to provide to NIST-Feed, see a full list at
+
 '';
 };
From 978acd8027008a1529120a9b75b15eb9dcc5b4ab Mon Sep 17 00:00:00 2001
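Review bot: At this commit the new `ExecStart` line applies `escapeShellArgs` to `cfg.extraArgs` while the option is still declared `type = types.str` with default `"-l -s CRITICAL"` (the `listOf str` type and list default only arrive in patch 6), so evaluating the module with `programs.nist-feed.enable = true` fails between patches 4 and 6 because `escapeShellArgs` maps over a list. Squash this commit with patch 6, or reorder the series so the type change lands first, so that every commit evaluates on its own. The enclosing `serviceConfig` attribute set starts outside the hunk.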
From: octodi <127038896+octodi@users.noreply.github.com>
Date: Sat, 10 Feb 2024 11:23:43 +0530
Subject: [PATCH 6/8] Update nixos/modules/programs/nist-feed.nix
Co-authored-by: h7x4
---
nixos/modules/programs/nist-feed.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
index ff315db88ccc3..f1a3e68c3418b 100644
--- a/nixos/modules/programs/nist-feed.nix
+++ b/nixos/modules/programs/nist-feed.nix
@@ -11,8 +11,8 @@ in
 enable = mkEnableOption (mdDoc "NIST Feed, which notifies you about the newest published CVEs");
 package = mkPackageOption pkgs "nist-feed" { };
 extraArgs = mkOption {
- type = types.str;
- default = "-l -s CRITICAL";
+ type = with types; listOf str;
+ default = [ "-l" "-s" "CRITICAL" ];
 description = mdDoc ''
 Arguments to provide to NIST-Feed, see a full list at
From 01ef3c2fa21bbb6f553a36205d2dfd27c5a41d9b Mon Sep 17 00:00:00 2001
From: octodi <127038896+octodi@users.noreply.github.com>
Date: Sat, 10 Feb 2024 11:23:59 +0530
Subject: [PATCH 7/8] Update nixos/modules/programs/nist-feed.nix
Co-authored-by: h7x4
---
nixos/modules/programs/nist-feed.nix | 2 ++
1 file changed, 2 insertions(+)
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
index f1a3e68c3418b..b482a2550f570 100644
--- a/nixos/modules/programs/nist-feed.nix
+++ b/nixos/modules/programs/nist-feed.nix
@@ -24,6 +24,8 @@ in
 default = "*:0/30";
 description = mdDoc ''
 How often NIST-Feed executes.
+
+ This should be configured in the format specified in {manpage}`systemd.time(7)`
 '';
 };
 };
From cbd62b535de534c73062d36cbbd9680a28b478a5 Mon Sep 17 00:00:00 2001
From: octodi
Date: Sat, 10 Feb 2024 11:31:46 +0530
Subject: [PATCH 8/8] Revert "Update nixos/modules/programs/nist-feed.nix"
This reverts commit 01ef3c2fa21bbb6f553a36205d2dfd27c5a41d9b.
---
nixos/modules/programs/nist-feed.nix | 2 --
1 file changed, 2 deletions(-)
diff --git a/nixos/modules/programs/nist-feed.nix b/nixos/modules/programs/nist-feed.nix
index b482a2550f570..f1a3e68c3418b 100644
--- a/nixos/modules/programs/nist-feed.nix
+++ b/nixos/modules/programs/nist-feed.nix
@@ -24,8 +24,6 @@ in
 default = "*:0/30";
 description = mdDoc ''
 How often NIST-Feed executes.
-
- This should be configured in the format specified in {manpage}`systemd.time(7)`
 '';
 };
 };