From 46c2ec11463b06d13c1e83f0c838a46c841ad239 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 18 Nov 2024 16:27:52 +0100
Subject: [PATCH 1/5] nixos/arp-scan: init

(cherry picked from commit 28291813168bbcad28f5f695c84b9d3ae470c69d)
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/programs/arp-scan.nix | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 nixos/modules/programs/arp-scan.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 4977b6a73ec6..1e06ed2e9277 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -148,6 +148,7 @@
 ./programs/alvr.nix
 ./programs/appgate-sdp.nix
 ./programs/appimage.nix
+ ./programs/arp-scan.nix
 ./programs/atop.nix
 ./programs/ausweisapp.nix
 ./programs/autojump.nix
diff --git a/nixos/modules/programs/arp-scan.nix b/nixos/modules/programs/arp-scan.nix
new file mode 100644
index 000000000000..09775670b973
--- /dev/null
+++ b/nixos/modules/programs/arp-scan.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.programs.arp-scan;
+in {
+ options = {
+ programs.arp-scan = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to configure a setcap wrapper for arp-scan.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.wrappers.arp-scan = {
+ owner = "root";
+ group = "root";
+ capabilities = "cap_net_raw+p";
+ source = lib.getExe pkgs.arp-scan;
+ };
+ };
+}

From f95adbe186d2c2df2ca50d93cf23411d925a781c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 18 Nov 2024 16:28:05 +0100
Subject: [PATCH 2/5] nixos/tcpdump: init

(cherry picked from commit eb42ef0c24564082056a5ae54cdf52902bda58fd)
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/programs/tcpdump.nix | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 nixos/modules/programs/tcpdump.nix
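Review bot: The `security.wrappers.arp-scan` block in the new arp-scan.nix sets no `permissions`, so the wrapper takes the wrapper module's default mode, which I believe is `u+rx,g+x,o+x`; with `group = "root"` that means every local account can run arp-scan with `cap_net_raw`. The tcpdump module added in this same series gates its wrapper on a dedicated group with `permissions = "u+rx,g+x";`, and the same pattern would fit here. If world-executable is intended (it matches the existing iftop and traceroute wrappers), the option description should say so, for example `Whether to configure a setcap wrapper for arp-scan. The wrapper is executable by all local users.`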
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 1e06ed2e9277..497ac96eec00 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -296,6 +296,7 @@
 ./programs/sysdig.nix
 ./programs/system-config-printer.nix
 ./programs/systemtap.nix
+ ./programs/tcpdump.nix
 ./programs/thefuck.nix
 ./programs/thunar.nix
 ./programs/thunderbird.nix
diff --git a/nixos/modules/programs/tcpdump.nix b/nixos/modules/programs/tcpdump.nix
new file mode 100644
index 000000000000..428ac9e741d6
--- /dev/null
+++ b/nixos/modules/programs/tcpdump.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.programs.tcpdump;
+in {
+ options = {
+ programs.tcpdump = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to configure a setcap wrapper for tcpdump.
+ To use it, add your user to the `pcap` group.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.wrappers.tcpdump = {
+ owner = "root";
+ group = "pcap";
+ capabilities = "cap_net_raw+p";
+ permissions = "u+rx,g+x";
+ source = lib.getExe pkgs.tcpdump;
+ };
+
+ users.groups.pcap = { };
+ };
+}

From 75ea3ad5b09f3027a9c866dca5b77d1251383ba0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 18 Nov 2024 16:28:30 +0100
Subject: [PATCH 3/5] nixos/iftop: improve description, use lib.getExe

(cherry picked from commit 4fae28967bbc2c04a48066891c01bfb1c798fc98)
---
 nixos/modules/programs/iftop.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix
index d6e56c8fded6..8118fb232c6e 100644
--- a/nixos/modules/programs/iftop.nix
+++ b/nixos/modules/programs/iftop.nix
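Review bot: The option description in the new tcpdump.nix tells the admin to add users to `pcap` but not what that membership grants: with `cap_net_raw` on the wrapper and `permissions = "u+rx,g+x"`, every member of the group can capture traffic on the host's interfaces, not only their own. I would add a sentence to the description such as `Members of the pcap group can capture all network traffic visible to this host.` The group name is also hard-coded in both `group = "pcap";` and `users.groups.pcap = { };`, so on a system that already defines a `pcap` group its existing members would gain the wrapper as well; a short comment on the `users.groups.pcap` line would make that visible.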
@@ -4,7 +4,7 @@ let
 cfg = config.programs.iftop;
 in {
 options = {
- programs.iftop.enable = lib.mkEnableOption "iftop + setcap wrapper";
+ programs.iftop.enable = lib.mkEnableOption "iftop and setcap wrapper for it";
 };
 config = lib.mkIf cfg.enable {
 environment.systemPackages = [ pkgs.iftop ];
@@ -12,7 +12,7 @@ in {
 owner = "root";
 group = "root";
 capabilities = "cap_net_raw+p";
- source = "${pkgs.iftop}/bin/iftop";
+ source = lib.getExe pkgs.iftop;
 };
 };
 }

From 670f76a1e6a7ff220b779ba87edf495464e2660c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 18 Nov 2024 16:28:45 +0100
Subject: [PATCH 4/5] nixos/traceroute: use lib.getExe

(cherry picked from commit a6ee554a67d563c96134fd7b3797552c72113b68)
---
 nixos/modules/programs/traceroute.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/programs/traceroute.nix b/nixos/modules/programs/traceroute.nix
index 0864dbe79db6..7a010058eba9 100644
--- a/nixos/modules/programs/traceroute.nix
+++ b/nixos/modules/programs/traceroute.nix
@@ -20,7 +20,7 @@ in {
 owner = "root";
 group = "root";
 capabilities = "cap_net_raw+p";
- source = "${pkgs.traceroute}/bin/traceroute";
+ source = lib.getExe pkgs.traceroute;
 };
 };
 }

From 89b1270199a8bc320ceda77ab6ad292097605be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 18 Nov 2024 16:34:47 +0100
Subject: [PATCH 5/5] nixos/{arp-scan,iftop,tcpdump,traceroute}: format

(cherry picked from commit b4d622fd7acd3842ad6dc9b0580cc8299c98bf8c)
---
 nixos/modules/programs/arp-scan.nix | 10 ++++++++--
 nixos/modules/programs/iftop.nix | 10 ++++++++--
 nixos/modules/programs/tcpdump.nix | 10 ++++++++--
 nixos/modules/programs/traceroute.nix | 10 ++++++++--
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/nixos/modules/programs/arp-scan.nix b/nixos/modules/programs/arp-scan.nix
index 09775670b973..3580148f637a 100644
--- a/nixos/modules/programs/arp-scan.nix
+++ b/nixos/modules/programs/arp-scan.nix
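Review bot: `source = lib.getExe pkgs.iftop;` in the second iftop hunk, and `source = lib.getExe pkgs.traceroute;` in the traceroute hunk, make the target of a `cap_net_raw` wrapper depend on each package's `meta.mainProgram` instead of a literal path. Neither hunk shows that attribute, so it is worth confirming both packages set it and that it still resolves to `bin/iftop` and `bin/traceroute`. If either does not, `lib.getExe' pkgs.iftop "iftop"` keeps the binary name explicit at the wrapper definition. The opening line of each `security.wrappers` block is outside the hunk.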
@@ -1,8 +1,14 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:

 let
 cfg = config.programs.arp-scan;
-in {
+in
+{
 options = {
 programs.arp-scan = {
 enable = lib.mkOption {
diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix
index 8118fb232c6e..dee64502e7f7 100644
--- a/nixos/modules/programs/iftop.nix
+++ b/nixos/modules/programs/iftop.nix
@@ -1,8 +1,14 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:

 let
 cfg = config.programs.iftop;
-in {
+in
+{
 options = {
 programs.iftop.enable = lib.mkEnableOption "iftop and setcap wrapper for it";
 };
diff --git a/nixos/modules/programs/tcpdump.nix b/nixos/modules/programs/tcpdump.nix
index 428ac9e741d6..396a9ce9c9d6 100644
--- a/nixos/modules/programs/tcpdump.nix
+++ b/nixos/modules/programs/tcpdump.nix
@@ -1,8 +1,14 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:

 let
 cfg = config.programs.tcpdump;
-in {
+in
+{
 options = {
 programs.tcpdump = {
 enable = lib.mkOption {
diff --git a/nixos/modules/programs/traceroute.nix b/nixos/modules/programs/traceroute.nix
index 7a010058eba9..0b2a78aff6db 100644
--- a/nixos/modules/programs/traceroute.nix
+++ b/nixos/modules/programs/traceroute.nix
@@ -1,8 +1,14 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:

 let
 cfg = config.programs.traceroute;
-in {
+in
+{
 options = {
 programs.traceroute = {
 enable = lib.mkOption {