haka: options for nixos
This commit is contained in:
parent
a892be1018
commit
11d475af29
3 changed files with 158 additions and 1 deletions
|
@ -395,6 +395,7 @@
|
||||||
./services/security/fprintd.nix
|
./services/security/fprintd.nix
|
||||||
./services/security/fprot.nix
|
./services/security/fprot.nix
|
||||||
./services/security/frandom.nix
|
./services/security/frandom.nix
|
||||||
|
./services/security/haka.nix
|
||||||
./services/security/haveged.nix
|
./services/security/haveged.nix
|
||||||
./services/security/hologram.nix
|
./services/security/hologram.nix
|
||||||
./services/security/munge.nix
|
./services/security/munge.nix
|
||||||
|
|
156
nixos/modules/services/security/haka.nix
Normal file
156
nixos/modules/services/security/haka.nix
Normal file
|
@ -0,0 +1,156 @@
|
||||||
|
# This module defines global configuration for Haka.
|
||||||
|
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
cfg = config.services.haka;
|
||||||
|
|
||||||
|
haka = cfg.package;
|
||||||
|
|
||||||
|
hakaConf = pkgs.writeText "haka.conf"
|
||||||
|
''
|
||||||
|
[general]
|
||||||
|
configuration = ${if lib.strings.hasPrefix "/" cfg.configFile
|
||||||
|
then "${cfg.configFile}"
|
||||||
|
else "${haka}/share/haka/sample/${cfg.configFile}"}
|
||||||
|
${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}
|
||||||
|
|
||||||
|
[packet]
|
||||||
|
${optionalString cfg.pcap ''module = "packet/pcap"''}
|
||||||
|
${optionalString cfg.nfqueue ''module = "packet/nqueue"''}
|
||||||
|
${optionalString cfg.dump.enable ''dump = "yes"''}
|
||||||
|
${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
|
||||||
|
${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}
|
||||||
|
|
||||||
|
interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"
|
||||||
|
|
||||||
|
[log]
|
||||||
|
# Select the log module
|
||||||
|
module = "log/syslog"
|
||||||
|
|
||||||
|
# Set the default logging level
|
||||||
|
#level = "info,packet=debug"
|
||||||
|
|
||||||
|
[alert]
|
||||||
|
# Select the alert module
|
||||||
|
module = "alert/syslog"
|
||||||
|
|
||||||
|
# Disable alert on standard output
|
||||||
|
#alert_on_stdout = no
|
||||||
|
|
||||||
|
# alert/file module option
|
||||||
|
#file = "/dev/null"
|
||||||
|
'';
|
||||||
|
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
###### interface
|
||||||
|
|
||||||
|
options = {
|
||||||
|
|
||||||
|
services.haka = {
|
||||||
|
|
||||||
|
enable = mkEnableOption "Haka";
|
||||||
|
|
||||||
|
package = mkOption {
|
||||||
|
default = pkgs.haka;
|
||||||
|
type = types.package;
|
||||||
|
description = "
|
||||||
|
Which Haka derivation to use.
|
||||||
|
";
|
||||||
|
};
|
||||||
|
|
||||||
|
configFile = mkOption {
|
||||||
|
default = "empty.lua";
|
||||||
|
example = "/srv/haka/myfilter.lua";
|
||||||
|
type = types.string;
|
||||||
|
description = ''
|
||||||
|
Specify which configuration file Haka uses.
|
||||||
|
It can be absolute path or a path relative to the sample directory of
|
||||||
|
the haka git repo.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
interfaces = mkOption {
|
||||||
|
default = [ "eth0" ];
|
||||||
|
example = [ "any" ];
|
||||||
|
type = with types; listOf string;
|
||||||
|
description = ''
|
||||||
|
Specify which interface(s) Haka listens to.
|
||||||
|
Use 'any' to listen to all interfaces.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
threads = mkOption {
|
||||||
|
default = 0;
|
||||||
|
example = 4;
|
||||||
|
type = types.int;
|
||||||
|
description = ''
|
||||||
|
The number of threads that will be used.
|
||||||
|
All system threads are used by default.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
pcap = mkOption {
|
||||||
|
default = true;
|
||||||
|
example = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = "Whether to enable pcap";
|
||||||
|
};
|
||||||
|
|
||||||
|
nfqueue = mkEnableOption "nfqueue";
|
||||||
|
|
||||||
|
dump.enable = mkEnableOption "dump";
|
||||||
|
dump.input = mkOption {
|
||||||
|
default = "/tmp/input.pcap";
|
||||||
|
example = "/path/to/file.pcap";
|
||||||
|
type = types.path;
|
||||||
|
description = "Path to file where incoming packets are dumped";
|
||||||
|
};
|
||||||
|
|
||||||
|
dump.output = mkOption {
|
||||||
|
default = "/tmp/output.pcap";
|
||||||
|
example = "/path/to/file.pcap";
|
||||||
|
type = types.path;
|
||||||
|
description = "Path to file where outgoing packets are dumped";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
###### implementation
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
assertions = [
|
||||||
|
{ assertion = cfg.pcap != cfg.nfqueue;
|
||||||
|
message = "either pcap or nfqueue can be enabled, not both.";
|
||||||
|
}
|
||||||
|
{ assertion = cfg.nfqueue -> !dump.enable;
|
||||||
|
message = "dump can only be used with nfqueue.";
|
||||||
|
}
|
||||||
|
{ assertion = cfg.interfaces != [];
|
||||||
|
message = "at least one interface must be specified.";
|
||||||
|
}];
|
||||||
|
|
||||||
|
|
||||||
|
environment.systemPackages = [ haka ];
|
||||||
|
|
||||||
|
systemd.services.haka = {
|
||||||
|
description = "Haka";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${haka}/bin/haka -c ${hakaConf}";
|
||||||
|
ExecStop = "${haka}/bin/hakactl stop";
|
||||||
|
User = "root";
|
||||||
|
Type = "forking";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
name = "haka_${version}_source.tar.gz";
|
name = "haka_${version}_source.tar.gz";
|
||||||
url = "https://github.com/haka-security/haka/releases/download/v${version}";
|
url = "https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz";
|
||||||
|
|
||||||
# https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
|
# https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
|
||||||
sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";
|
sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";
|
||||||
|
|
Loading…
Reference in a new issue