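# SPDX-FileCopyrightText: 2025 Lubin Bailly
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module for the host audit policy (auditd rules), driven by the
# `dgn-audit.audit-level` option:
#   - "disabled": this module emits no audit configuration at all;
#   - "normal":   base rules plus execve tracking for privileged
#                 (uid 0 / euid 0) processes;
#   - "high":     base rules plus every execve, file removal/rename and
#                 permission-denied file creation/open, with the rule set
#                 locked and audit failures treated as fatal.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkMerge mkOption;
  inherit (lib.types) enum;

  cfg = config.dgn-audit;
in
{
  options.dgn-audit = {
    audit-level = mkOption {
      type = enum [ "disabled" "normal" "high" ];
      default = "normal";
      description = ''
        Level of auditing configuration.
      '';
    };
  };

  config = mkIf (cfg.audit-level != "disabled") {
    # `rules` lists from the three definitions are concatenated by mkMerge,
    # in the order given here (base, then "high" or "normal" extras).
    security.audit = mkMerge [
      {
        backlogLimit = 8192;
        rules = [
          # every write/attribute change under /etc
          "-a exit,always -F arch=b64 -F dir=/etc -F perm=wa"
          "-a exit,always -F arch=b32 -F dir=/etc -F perm=wa"
          # every execution of a kmod binary
          "-a exit,always -F dir=${pkgs.kmod} -F perm=x"
          # every mount/umount (systemd-executor is excluded: it mounts a lot
          # while setting up service credentials)
          # No -F arch on this rule: auditctl resolves the syscall names for
          # the native architecture only.
          "-a exit,always -F exe!=${pkgs.systemd}/lib/systemd/systemd-executor -S mount,umount2"
          # "suspicious" syscalls, or ones that should stay rare
          # NOTE(review): ioperm, modify_ldt and get_kernel_syms are x86 syscall
          # names; auditctl may reject this rule on other architectures — confirm
          # per deployment target.
          "-a exit,always -S ioperm,modify_ldt,get_kernel_syms,ptrace"
          "-a exit,always -F arch=b64 -S init_module,delete_module,finit_module"
          # TODO: filter on operation for prctl, else it's too hard on logging
          # look PR_PAC_RESET_KEYS PR_SET_VMA PR_SET_PTRACER
          # "-a exit,always -S prctl"
        ];
      }
      (mkIf (cfg.audit-level == "high") {
        # "lock": the rule set becomes immutable until reboot (auditctl -e 2).
        enable = "lock";
        # "panic": the kernel panics instead of dropping records when auditing
        # fails (auditctl -f 2). Combined with auditing every execve below, a
        # backlog overflow (limit 8192 above) is fatal by design — size the
        # backlog and auditd throughput accordingly.
        failureMode = "panic";
        rules = [
          # every execve
          "-a exit,always -F arch=b64 -S execve,execveat"
          "-a exit,always -F arch=b32 -S execve,execveat"
          # every file removal, rename or directory removal.
          # The *at variants are included because modern coreutils (rm, mv) and
          # libc wrappers use unlinkat/renameat2 rather than unlink/rename;
          # without them the rule misses ordinary `rm` and `mv`.
          "-a exit,always -F arch=b64 -S unlink,unlinkat,rmdir,rename,renameat,renameat2"
          # every file creation/open/truncation that failed for lack of rights.
          # Both EACCES and EPERM are matched: immutable/append-only files and
          # capability checks report EPERM rather than EACCES.
          "-a exit,always -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES"
          "-a exit,always -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM"
        ];
      })
      (mkIf (cfg.audit-level == "normal") {
        enable = true;
        rules = [
          # privileged execve (real or effective uid 0)
          "-a exit,always -F arch=b64 -F uid=0 -S execve,execveat"
          "-a exit,always -F arch=b32 -F uid=0 -S execve,execveat"
          "-a exit,always -F arch=b64 -F euid=0 -S execve,execveat"
          "-a exit,always -F arch=b32 -F euid=0 -S execve,execveat"
        ];
      })
    ];
    # forward audit records into the journal as well
    services.journald.audit = true;
  };
}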