From 8f3e6fdd8cb68af56d40e646be3077e319769a4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Thu, 16 Feb 2017 21:53:09 +0100 Subject: [PATCH] nixos: add programs.wireshark option To be able to use Wireshark as an ordinary user, the 'dumpcap' program must be installed setuid root. This module module simplifies such a configuration to simply: programs.wireshark.enable = true; The setuid wrapper is available for users in the 'wireshark' group. Changes v1 -> v2: - add "defaultText" to the programs.wireshark.package option (AFAIK, that prevents the manual from being needlessly rebuilt when the package changes) --- nixos/modules/misc/ids.nix | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/programs/wireshark.nix | 57 ++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 nixos/modules/programs/wireshark.nix diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index d51b29b99da..a3845737410 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -288,6 +288,7 @@ kresd = 270; rpc = 271; geoip = 272; + #wireshark = 273; # unused # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -545,6 +546,7 @@ kresd = 270; #rpc = 271; # unused #geoip = 272; # unused + wireshark = 273; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 81597d91d89..e60f93d52d9 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -91,6 +91,7 @@ ./programs/tmux.nix ./programs/venus.nix ./programs/vim.nix + ./programs/wireshark.nix ./programs/wvdial.nix ./programs/xfs_quota.nix ./programs/xonsh.nix diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix new file mode 100644 index 00000000000..aaaf678d362 --- /dev/null +++ b/nixos/modules/programs/wireshark.nix 
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.programs.wireshark;
+ wireshark = cfg.package;
+
+in
+
+{
+
+ options = {
+
+ programs.wireshark = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to add Wireshark to the global environment and configure a
+ setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.wireshark-cli;
+ defaultText = "pkgs.wireshark-cli";
+ description = ''
+ Which Wireshark package to install in the global environment.
+ '';
+ };
+
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ environment.systemPackages = [ wireshark ];
+
+ security.wrappers.dumpcap = {
+ source = "${wireshark}/bin/dumpcap";
+ owner = "root";
+ group = "wireshark";
+ setuid = true;
+ setgid = false;
+ permissions = "u+rx,g+x";
+ };
+
+ users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
+
+ };
+
+}
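Review bot: The `security.wrappers.dumpcap` entry sets `setuid = true` with `owner = "root"`, so every member of the 'wireshark' group runs dumpcap with full root privileges, although packet capture itself only needs CAP_NET_RAW and CAP_NET_ADMIN. If the wrapper module in this tree accepts it, replace `setuid = true;` with `capabilities = "cap_net_raw,cap_net_admin+eip";` and keep `permissions = "u+rx,g+x"` so that execution stays limited to root and the group. A parsing bug in dumpcap would then expose two capabilities rather than uid 0. The `enable` description should also say that membership in the 'wireshark' group allows capturing all traffic on the host's interfaces, so that administrators treat adding a user to that group as a privilege grant.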