diff options
| author | Robin Gloster <mail@glob.in> | 2016-02-06 20:32:39 +0100 |
|---|---|---|
| committer | Robin Gloster <mail@glob.in> | 2016-02-06 20:32:39 +0100 |
| commit | f7aa92177355dc94d7e554cb6b089eb81cb320fa (patch) | |
| tree | 5c545f283a302b8801aa014fdf8ea70487c09a49 /nixos/modules | |
| parent | 415e1db505405ae4584d986f53e127dd0eb8b836 (diff) | |
| parent | de2d609317b813096e00d00ab93da836f07947a5 (diff) | |
| download | nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.tar nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.tar.gz nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.tar.bz2 nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.tar.lz nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.tar.xz nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.tar.zst nixlib-f7aa92177355dc94d7e554cb6b089eb81cb320fa.zip | |
Merge pull request #12560 from tvestelind/haka
Haka: new package
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/security/haka.nix | 156 |
2 files changed, 157 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 0780c1f4e423..f0b90d3d8c80 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -395,6 +395,7 @@ ./services/security/fprintd.nix ./services/security/fprot.nix ./services/security/frandom.nix + ./services/security/haka.nix ./services/security/haveged.nix ./services/security/hologram.nix ./services/security/munge.nix diff --git a/nixos/modules/services/security/haka.nix b/nixos/modules/services/security/haka.nix new file mode 100644 index 000000000000..4f2bdd29cc49 --- /dev/null +++ b/nixos/modules/services/security/haka.nix @@ -0,0 +1,156 @@ +# This module defines global configuration for Haka. + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.haka; + + haka = cfg.package; + + hakaConf = pkgs.writeText "haka.conf" + '' + [general] + configuration = ${if lib.strings.hasPrefix "/" cfg.configFile + then "${cfg.configFile}" + else "${haka}/share/haka/sample/${cfg.configFile}"} + ${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"} + + [packet] + ${optionalString cfg.pcap ''module = "packet/pcap"''} + ${optionalString cfg.nfqueue ''module = "packet/nqueue"''} + ${optionalString cfg.dump.enable ''dump = "yes"''} + ${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''} + ${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''} + + interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}" + + [log] + # Select the log module + module = "log/syslog" + + # Set the default logging level + #level = "info,packet=debug" + + [alert] + # Select the alert module + module = "alert/syslog" + + # Disable alert on standard output + #alert_on_stdout = no + + # alert/file module option + #file = "/dev/null" + ''; + +in + +{ + + ###### interface + + options = { + + services.haka = { + + enable = mkEnableOption "Haka"; + + package = mkOption { + default = pkgs.haka; + type = types.package; + description = " + Which Haka derivation to use. + "; + }; + + configFile = mkOption { + default = "empty.lua"; + example = "/srv/haka/myfilter.lua"; + type = types.string; + description = '' + Specify which configuration file Haka uses. + It can be absolute path or a path relative to the sample directory of + the haka git repo. + ''; + }; + + interfaces = mkOption { + default = [ "eth0" ]; + example = [ "any" ]; + type = with types; listOf string; + description = '' + Specify which interface(s) Haka listens to. + Use 'any' to listen to all interfaces. + ''; + }; + + threads = mkOption { + default = 0; + example = 4; + type = types.int; + description = '' + The number of threads that will be used. + All system threads are used by default. + ''; + }; + + pcap = mkOption { + default = true; + example = false; + type = types.bool; + description = "Whether to enable pcap"; + }; + + nfqueue = mkEnableOption "nfqueue"; + + dump.enable = mkEnableOption "dump"; + dump.input = mkOption { + default = "/tmp/input.pcap"; + example = "/path/to/file.pcap"; + type = types.path; + description = "Path to file where incoming packets are dumped"; + }; + + dump.output = mkOption { + default = "/tmp/output.pcap"; + example = "/path/to/file.pcap"; + type = types.path; + description = "Path to file where outgoing packets are dumped"; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = [ + { assertion = cfg.pcap != cfg.nfqueue; + message = "either pcap or nfqueue can be enabled, not both."; + } + { assertion = cfg.nfqueue -> !dump.enable; + message = "dump can only be used with nfqueue."; + } + { assertion = cfg.interfaces != []; + message = "at least one interface must be specified."; + }]; + + + environment.systemPackages = [ haka ]; + + systemd.services.haka = { + description = "Haka"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = "${haka}/bin/haka -c ${hakaConf}"; + ExecStop = "${haka}/bin/hakactl stop"; + User = "root"; + Type = "forking"; + }; + }; + }; +} |