Skip to content

Instantly share code, notes, and snippets.

@klDen

klDen/falcon-default.nix

Forked from ravloony/falcon-default.nix
Last active June 8, 2025 17:58
Show Gist options
  • Save klDen/c90d9798828e31fecbb603f85e27f4f1 to your computer and use it in GitHub Desktop.
Save klDen/c90d9798828e31fecbb603f85e27f4f1 to your computer and use it in GitHub Desktop.
Download ZIP
Falcon package
Raw
falcon-default.nix
{ stdenv, lib, pkgs, dpkg,
openssl, libnl, zlib,
fetchurl, autoPatchelfHook, buildFHSUserEnv, writeScript, ... }:
let
pname = "falcon-sensor";
version = "6.31.0-12803";
arch = "amd64";
src = /opt/CrowdStrike + "/ubuntu_${pname}_${version}_${arch}.deb";
falcon-sensor = stdenv.mkDerivation {
inherit version arch src;
name = pname;
buildInputs = [ dpkg zlib autoPatchelfHook ];
sourceRoot = ".";
unpackPhase = ''
dpkg-deb -x $src .
'';
installPhase = ''
cp -r . $out
'';
meta = with lib; {
description = "Crowdstrike Falcon Sensor";
homepage = "https://www.crowdstrike.com/";
license = licenses.unfree;
platforms = platforms.linux;
maintainers = with maintainers; [ klden ];
};
};
in buildFHSUserEnv {
name = "fs-bash";
targetPkgs = pkgs: [ libnl openssl zlib ];
extraInstallCommands = ''
ln -s ${falcon-sensor}/* $out/
'';
runScript = "bash";
}
Raw
falcon.nix
{ pkgs, ... }:
let
falcon = pkgs.callPackage ./falcon { };
startPreScript = pkgs.writeScript "init-falcon" ''
#! ${pkgs.bash}/bin/sh
/run/current-system/sw/bin/mkdir -p /opt/CrowdStrike
ln -sf ${falcon}/opt/CrowdStrike/* /opt/CrowdStrike
${falcon}/bin/fs-bash -c "${falcon}/opt/CrowdStrike/falconctl -g --cid"
'';
in {
systemd.services.falcon-sensor = {
enable = true;
description = "CrowdStrike Falcon Sensor";
unitConfig.DefaultDependencies = false;
after = [ "local-fs.target" ];
conflicts = [ "shutdown.target" ];
before = [ "sysinit.target" "shutdown.target" ];
serviceConfig = {
ExecStartPre = "${startPreScript}";
ExecStart = "${falcon}/bin/fs-bash -c \"${falcon}/opt/CrowdStrike/falcond\"";
Type = "forking";
PIDFile = "/run/falcond.pid";
Restart = "no";
TimeoutStopSec = "60s";
KillMode = "process";
};
wantedBy = [ "multi-user.target" ];
};
}
@daniel-brenot
Copy link

This seems to work great with the latest version 7. Thank you so much!

@klDen
Copy link
Author

klDen commented Apr 5, 2024

Glad it worked well for you!

@ymgyt
Copy link

ymgyt commented Dec 28, 2024

With this setup, I was able to get falcon running. Thank you!

@skrobul
Copy link

skrobul commented Jun 8, 2025

This worked on falcon-sensor 7.17-0-17005, thanks @klDen !
I modified the src slightly so that I can keep the falcon-sensor deb in the same directory:

falcon/default.nix

{ stdenv, lib, pkgs, dpkg, openssl, libnl, zlib, fetchurl, autoPatchelfHook
, buildFHSEnv, writeScript, ... }:
let
  pname = "falcon-sensor";
  version = "7.17.0-17005";
  arch = "amd64";
  src = builtins.path { 
    path = ./${pname}_${version}_${arch}.deb;
    name = "${pname}_${version}_${arch}.deb";
  };
  falcon-sensor = stdenv.mkDerivation {
    inherit version arch src;
    name = pname;

    buildInputs = [ dpkg zlib autoPatchelfHook ];

    sourceRoot = ".";

    unpackPhase = ''
      dpkg-deb -x $src .
    '';

    installPhase = ''
      cp -r . $out    '';

    meta = with lib; {
      description = "Crowdstrike Falcon Sensor";
      homepage = "https://www.crowdstrike.com/";
      license = licenses.unfree;
      platforms = platforms.linux;
      maintainers = with maintainers; [ klden ];
    };
  };
in buildFHSEnv {
  name = "fs-bash";
  targetPkgs = pkgs: [ libnl openssl zlib ];

  extraInstallCommands = ''
    ln -s ${falcon-sensor}/* $out/
  '';

  runScript = "bash";

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment