haka: options for nixos

This commit is contained in:
Tomas Vestelind 2016-01-18 05:54:19 +01:00
parent a892be1018
commit 11d475af29
3 changed files with 158 additions and 1 deletions


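--- a/PLACEHOLDER_module-list.nix
+++ b/PLACEHOLDER_module-list.nix
@@ -395,6 +395,7 @@
 ./services/security/fprintd.nix
 ./services/security/fprot.nix
 ./services/security/frandom.nix
+./services/security/haka.nix
 ./services/security/haveged.nix
 ./services/security/hologram.nix
 ./services/security/munge.nix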


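--- /dev/null
+++ b/services/security/haka.nix
@@ -0,0 +1,156 @@
+# This module defines global configuration for Haka.
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.haka;
+haka = cfg.package;
+hakaConf = pkgs.writeText "haka.conf"
+''
+[general]
+configuration = ${if lib.strings.hasPrefix "/" cfg.configFile
+then "${cfg.configFile}"
+else "${haka}/share/haka/sample/${cfg.configFile}"}
+${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}
+[packet]
+${optionalString cfg.pcap ''module = "packet/pcap"''}
+${optionalString cfg.nfqueue ''module = "packet/nqueue"''}
+${optionalString cfg.dump.enable ''dump = "yes"''}
+${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
+${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}
+interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"
+[log]
+# Select the log module
+module = "log/syslog"
+# Set the default logging level
+#level = "info,packet=debug"
+[alert]
+# Select the alert module
+module = "alert/syslog"
+# Disable alert on standard output
+#alert_on_stdout = no
+# alert/file module option
+#file = "/dev/null"
+'';
+in
+{
+###### interface
+options = {
+services.haka = {
+enable = mkEnableOption "Haka";
+package = mkOption {
+default = pkgs.haka;
+type = types.package;
+description = "
+Which Haka derivation to use.
+";
+};
+configFile = mkOption {
+default = "empty.lua";
+example = "/srv/haka/myfilter.lua";
+type = types.string;
+description = ''
+Specify which configuration file Haka uses.
+It can be absolute path or a path relative to the sample directory of
+the haka git repo.
+'';
+};
+interfaces = mkOption {
+default = [ "eth0" ];
+example = [ "any" ];
+type = with types; listOf string;
+description = ''
+Specify which interface(s) Haka listens to.
+Use 'any' to listen to all interfaces.
+'';
+};
+threads = mkOption {
+default = 0;
+example = 4;
+type = types.int;
+description = ''
+The number of threads that will be used.
+All system threads are used by default.
+'';
+};
+pcap = mkOption {
+default = true;
+example = false;
+type = types.bool;
+description = "Whether to enable pcap";
+};
+nfqueue = mkEnableOption "nfqueue";
+dump.enable = mkEnableOption "dump";
+dump.input = mkOption {
+default = "/tmp/input.pcap";
+example = "/path/to/file.pcap";
+type = types.path;
+description = "Path to file where incoming packets are dumped";
+};
+dump.output = mkOption {
+default = "/tmp/output.pcap";
+example = "/path/to/file.pcap";
+type = types.path;
+description = "Path to file where outgoing packets are dumped";
+};
+};
+};
+###### implementation
+config = mkIf cfg.enable {
+assertions = [
+{ assertion = cfg.pcap != cfg.nfqueue;
+message = "either pcap or nfqueue can be enabled, not both.";
+}
+{ assertion = cfg.nfqueue -> !dump.enable;
+message = "dump can only be used with nfqueue.";
+}
+{ assertion = cfg.interfaces != [];
+message = "at least one interface must be specified.";
+}];
+environment.systemPackages = [ haka ];
+systemd.services.haka = {
+description = "Haka";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${haka}/bin/haka -c ${hakaConf}";
+ExecStop = "${haka}/bin/hakactl stop";
+User = "root";
+Type = "forking";
+};
+};
+};
+}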
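Review bot: The second assertion, `cfg.nfqueue -> !dump.enable`, references `dump`, which is not bound anywhere in this module (the option is `cfg.dump.enable`), so under `with lib;` it surfaces as an undefined-variable error at evaluation time as soon as nfqueue is enabled; it also contradicts its own message, which says dump requires nfqueue while the expression forbids the combination. Taking the message as the intent, the line should read `{ assertion = cfg.dump.enable -> cfg.nfqueue;`. In hakaConf the packet module string `module = "packet/nqueue"` looks like a typo for `"packet/nfqueue"`, the name the option and the assertion messages use. The dump defaults `/tmp/input.pcap` and `/tmp/output.pcap` have a root-run service write captured traffic to predictable paths in a world-writable directory, which is the classic setup for symlink races and for exposing the captures; a default under a service-owned state directory (and a note in the `dump.*` descriptions that they only apply with nfqueue) would be safer.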


@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
src = fetchurl { src = fetchurl {
name = "haka_${version}_source.tar.gz"; name = "haka_${version}_source.tar.gz";
url = "https://github.com/haka-security/haka/releases/download/v${version}"; url = "https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz";
# https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt # https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2"; sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";