diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix | 236 |
1 files changed, 113 insertions, 123 deletions
diff --git a/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix b/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix index ec71365ba3c1..b0858184b5fc 100644 --- a/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix +++ b/nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix @@ -3,7 +3,19 @@ let cfg = config.services.parsedmarc; opt = options.services.parsedmarc; - ini = pkgs.formats.ini {}; + isSecret = v: isAttrs v && v ? _secret && isString v._secret; + ini = pkgs.formats.ini { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" rec { + mkValueString = v: + if isInt v then toString v + else if isString v then v + else if true == v then "True" + else if false == v then "False" + else if isSecret v then hashString "sha256" v._secret + else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; + }; + }; + inherit (builtins) elem isAttrs isString isInt isList typeOf hashString; in { options.services.parsedmarc = { @@ -17,18 +29,18 @@ in enable = lib.mkOption { type = lib.types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether Postfix and Dovecot should be set up to receive mail locally. parsedmarc will be configured to watch the local inbox as the automatically created user specified in - <xref linkend="opt-services.parsedmarc.provision.localMail.recipientName" /> + [](#opt-services.parsedmarc.provision.localMail.recipientName) ''; }; recipientName = lib.mkOption { type = lib.types.str; default = "dmarc"; - description = '' + description = lib.mdDoc '' The DMARC mail recipient name, i.e. the name part of the email address which receives DMARC reports. @@ -42,7 +54,7 @@ in default = config.networking.fqdn; defaultText = lib.literalExpression "config.networking.fqdn"; example = "monitoring.example.com"; - description = '' + description = lib.mdDoc '' The hostname to use when configuring Postfix. Should correspond to the host's fully qualified domain @@ -56,15 +68,13 @@ in geoIp = lib.mkOption { type = lib.types.bool; default = true; - description = '' - Whether to enable and configure the <link - linkend="opt-services.geoipupdate.enable">geoipupdate</link> + description = lib.mdDoc '' + Whether to enable and configure the [geoipupdate](#opt-services.geoipupdate.enable) service to automatically fetch GeoIP databases. Not crucial, but recommended for full functionality. - To finish the setup, you need to manually set the <xref - linkend="opt-services.geoipupdate.settings.AccountID" /> and - <xref linkend="opt-services.geoipupdate.settings.LicenseKey" /> + To finish the setup, you need to manually set the [](#opt-services.geoipupdate.settings.AccountID) and + [](#opt-services.geoipupdate.settings.LicenseKey) options. ''; }; @@ -72,7 +82,7 @@ in elasticsearch = lib.mkOption { type = lib.types.bool; default = true; - description = '' + description = lib.mdDoc '' Whether to set up and use a local instance of Elasticsearch. ''; }; @@ -85,11 +95,11 @@ in config.${opt.provision.elasticsearch} && config.${options.services.grafana.enable} ''; apply = x: x && cfg.provision.elasticsearch; - description = '' + description = lib.mdDoc '' Whether the automatically provisioned Elasticsearch instance should be added as a grafana datasource. Has no effect unless - <xref linkend="opt-services.parsedmarc.provision.elasticsearch" /> + [](#opt-services.parsedmarc.provision.elasticsearch) is also enabled. ''; }; @@ -98,7 +108,7 @@ in type = lib.types.bool; default = config.services.grafana.enable; defaultText = lib.literalExpression "config.services.grafana.enable"; - description = '' + description = lib.mdDoc '' Whether the official parsedmarc grafana dashboard should be provisioned to the local grafana instance. ''; @@ -107,11 +117,35 @@ in }; settings = lib.mkOption { - description = '' + example = lib.literalExpression '' + { + imap = { + host = "imap.example.com"; + user = "alice@example.com"; + password = { _secret = "/run/keys/imap_password" }; + watch = true; + }; + splunk_hec = { + url = "https://splunkhec.example.com"; + token = { _secret = "/run/keys/splunk_token" }; + index = "email"; + }; + } + ''; + description = lib.mdDoc '' Configuration parameters to set in - <filename>parsedmarc.ini</filename>. For a full list of + {file}`parsedmarc.ini`. For a full list of available parameters, see - <link xlink:href="https://domainaware.github.io/parsedmarc/#configuration-file" />. + <https://domainaware.github.io/parsedmarc/#configuration-file>. + + Settings containing secret data should be set to an attribute + set containing the attribute `_secret` - a + string pointing to a file containing the value the option + should be set to. See the example to get a better picture of + this: in the resulting {file}`parsedmarc.ini` + file, the `splunk_hec.token` key will be set + to the contents of the + {file}`/run/keys/splunk_token` file. ''; type = lib.types.submodule { @@ -122,7 +156,7 @@ in save_aggregate = lib.mkOption { type = lib.types.bool; default = true; - description = '' + description = lib.mdDoc '' Save aggregate report data to Elasticsearch and/or Splunk. ''; }; @@ -130,7 +164,7 @@ in save_forensic = lib.mkOption { type = lib.types.bool; default = true; - description = '' + description = lib.mdDoc '' Save forensic report data to Elasticsearch and/or Splunk. ''; }; @@ -140,7 +174,7 @@ in host = lib.mkOption { type = lib.types.str; default = "localhost"; - description = '' + description = lib.mdDoc '' The IMAP server hostname or IP address. ''; }; @@ -148,7 +182,7 @@ in port = lib.mkOption { type = lib.types.port; default = 993; - description = '' + description = lib.mdDoc '' The IMAP server port. ''; }; @@ -156,7 +190,7 @@ in ssl = lib.mkOption { type = lib.types.bool; default = true; - description = '' + description = lib.mdDoc '' Use an encrypted SSL/TLS connection. ''; }; @@ -164,23 +198,29 @@ in user = lib.mkOption { type = with lib.types; nullOr str; default = null; - description = '' + description = lib.mdDoc '' The IMAP server username. ''; }; password = lib.mkOption { - type = with lib.types; nullOr path; + type = with lib.types; nullOr (either path (attrsOf path)); default = null; - description = '' - The path to a file containing the IMAP server password. + description = lib.mdDoc '' + The IMAP server password. + + Always handled as a secret whether the value is + wrapped in a `{ _secret = ...; }` + attrset or not (refer to [](#opt-services.parsedmarc.settings) for + details). ''; + apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; watch = lib.mkOption { type = lib.types.bool; default = true; - description = '' + description = lib.mdDoc '' Use the IMAP IDLE command to process messages as they arrive. ''; }; @@ -188,7 +228,7 @@ in delete = lib.mkOption { type = lib.types.bool; default = false; - description = '' + description = lib.mdDoc '' Delete messages after processing them, instead of archiving them. ''; }; @@ -198,7 +238,7 @@ in host = lib.mkOption { type = with lib.types; nullOr str; default = null; - description = '' + description = lib.mdDoc '' The SMTP server hostname or IP address. ''; }; @@ -206,7 +246,7 @@ in port = lib.mkOption { type = with lib.types; nullOr port; default = null; - description = '' + description = lib.mdDoc '' The SMTP server port. ''; }; @@ -214,7 +254,7 @@ in ssl = lib.mkOption { type = with lib.types; nullOr bool; default = null; - description = '' + description = lib.mdDoc '' Use an encrypted SSL/TLS connection. ''; }; @@ -222,24 +262,30 @@ in user = lib.mkOption { type = with lib.types; nullOr str; default = null; - description = '' + description = lib.mdDoc '' The SMTP server username. ''; }; password = lib.mkOption { - type = with lib.types; nullOr path; + type = with lib.types; nullOr (either path (attrsOf path)); default = null; - description = '' - The path to a file containing the SMTP server password. + description = lib.mdDoc '' + The SMTP server password. + + Always handled as a secret whether the value is + wrapped in a `{ _secret = ...; }` + attrset or not (refer to [](#opt-services.parsedmarc.settings) for + details). ''; + apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; from = lib.mkOption { type = with lib.types; nullOr str; default = null; - description = '' - The <literal>From</literal> address to use for the + description = lib.mdDoc '' + The `From` address to use for the outgoing mail. ''; }; @@ -247,7 +293,7 @@ in to = lib.mkOption { type = with lib.types; nullOr (listOf str); default = null; - description = '' + description = lib.mdDoc '' The addresses to send outgoing mail to. ''; }; @@ -258,7 +304,7 @@ in default = []; type = with lib.types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; - description = '' + description = lib.mdDoc '' A list of Elasticsearch hosts to push parsed reports to. ''; @@ -267,25 +313,31 @@ in user = lib.mkOption { type = with lib.types; nullOr str; default = null; - description = '' + description = lib.mdDoc '' Username to use when connecting to Elasticsearch, if required. ''; }; password = lib.mkOption { - type = with lib.types; nullOr path; + type = with lib.types; nullOr (either path (attrsOf path)); default = null; - description = '' - The path to a file containing the password to use when - connecting to Elasticsearch, if required. + description = lib.mdDoc '' + The password to use when connecting to Elasticsearch, + if required. + + Always handled as a secret whether the value is + wrapped in a `{ _secret = ...; }` + attrset or not (refer to [](#opt-services.parsedmarc.settings) for + details). ''; + apply = x: if isAttrs x || x == null then x else { _secret = x; }; }; ssl = lib.mkOption { type = lib.types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether to use an encrypted SSL/TLS connection. ''; }; @@ -293,69 +345,12 @@ in cert_path = lib.mkOption { type = lib.types.path; default = "/etc/ssl/certs/ca-certificates.crt"; - description = '' + description = lib.mdDoc '' The path to a TLS certificate bundle used to verify the server's certificate. ''; }; }; - - kafka = { - hosts = lib.mkOption { - default = []; - type = with lib.types; listOf str; - apply = x: if x == [] then null else lib.concatStringsSep "," x; - description = '' - A list of Apache Kafka hosts to publish parsed reports - to. - ''; - }; - - user = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - description = '' - Username to use when connecting to Kafka, if - required. - ''; - }; - - password = lib.mkOption { - type = with lib.types; nullOr path; - default = null; - description = '' - The path to a file containing the password to use when - connecting to Kafka, if required. - ''; - }; - - ssl = lib.mkOption { - type = with lib.types; nullOr bool; - default = null; - description = '' - Whether to use an encrypted SSL/TLS connection. - ''; - }; - - aggregate_topic = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - example = "aggregate"; - description = '' - The Kafka topic to publish aggregate reports on. - ''; - }; - - forensic_topic = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - example = "forensic"; - description = '' - The Kafka topic to publish forensic reports on. - ''; - }; - }; - }; }; @@ -404,21 +399,14 @@ in enable = cfg.provision.grafana.datasource || cfg.provision.grafana.dashboard; datasources = let - pkgVer = lib.getVersion config.services.elasticsearch.package; - esVersion = - if lib.versionOlder pkgVer "7" then - "60" - else if lib.versionOlder pkgVer "8" then - "70" - else - throw "When provisioning parsedmarc grafana datasources: unknown Elasticsearch version."; + esVersion = lib.getVersion config.services.elasticsearch.package; in lib.mkIf cfg.provision.grafana.datasource [ { name = "dmarc-ag"; type = "elasticsearch"; access = "proxy"; - url = "localhost:9200"; + url = "http://localhost:9200"; jsonData = { timeField = "date_range"; inherit esVersion; @@ -428,7 +416,7 @@ in name = "dmarc-fo"; type = "elasticsearch"; access = "proxy"; - url = "localhost:9200"; + url = "http://localhost:9200"; jsonData = { timeField = "date_range"; inherit esVersion; @@ -467,12 +455,17 @@ in # lists, empty attrsets and null. This makes it possible to # list interesting options in `settings` without them always # ending up in the resulting config. - filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! builtins.elem v [ null [] {} ])) cfg.settings; + filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null [] {} ])) cfg.settings; + + # Extract secrets (attributes set to an attrset with a + # "_secret" key) from the settings and generate the commands + # to run to perform the secret replacements. + secretPaths = lib.catAttrs "_secret" (lib.collect isSecret filteredConfig); parsedmarcConfig = ini.generate "parsedmarc.ini" filteredConfig; - mkSecretReplacement = file: - lib.optionalString (file != null) '' - replace-secret '${file}' '${file}' /run/parsedmarc/parsedmarc.ini - ''; + mkSecretReplacement = file: '' + replace-secret ${lib.escapeShellArgs [ (hashString "sha256" file) file "/run/parsedmarc/parsedmarc.ini" ]} + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; in { wantedBy = [ "multi-user.target" ]; @@ -487,10 +480,7 @@ in umask u=rwx,g=,o= cp ${parsedmarcConfig} /run/parsedmarc/parsedmarc.ini chown parsedmarc:parsedmarc /run/parsedmarc/parsedmarc.ini - ${mkSecretReplacement cfg.settings.smtp.password} - ${mkSecretReplacement cfg.settings.imap.password} - ${mkSecretReplacement cfg.settings.elasticsearch.password} - ${mkSecretReplacement cfg.settings.kafka.password} + ${secretReplacements} '' + lib.optionalString cfg.provision.localMail.enable '' openssl rand -hex 64 >/run/parsedmarc/dmarc_user_passwd replace-secret '@imap-password@' '/run/parsedmarc/dmarc_user_passwd' /run/parsedmarc/parsedmarc.ini |