From a892be1018d90e97ccf92e53ede864f900f9b1ac Mon Sep 17 00:00:00 2001
From: Tomas Vestelind
Date: Sat, 9 Jan 2016 01:04:41 +0100
Subject: haka: building binaries
---
 pkgs/tools/security/haka/default.nix | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 pkgs/tools/security/haka/default.nix
(limited to 'pkgs/tools/security')
diff --git a/pkgs/tools/security/haka/default.nix b/pkgs/tools/security/haka/default.nix
new file mode 100644
index 000000000000..95d40c72f191
--- /dev/null
+++ b/pkgs/tools/security/haka/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, fetchurl, cmake, swig, wireshark, check, rsync, libpcap, gawk, libedit, pcre }:
+
+let version = "0.3.0"; in
+
+stdenv.mkDerivation rec {
+ name = "haka-${version}";
+
+ src = fetchurl {
+ name = "haka_${version}_source.tar.gz";
+ url = "https://github.com/haka-security/haka/releases/download/v${version}";
+
+ # https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
+ sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";
+ };
+
+ preConfigure = ''
+ sed -i 's,/etc,'$out'/etc,' src/haka/haka.c
+ sed -i 's,/etc,'$out'/etc,' src/haka/CMakeLists.txt
+ sed -i 's,/opt/haka/etc,$out/opt/haka/etc,' src/haka/haka.1
+ sed -i 's,/etc,'$out'/etc,' doc/user/tool_suite_haka.rst
+ '';
+
+ buildInputs = [ cmake swig wireshark check rsync libpcap gawk libedit pcre ];
+
+ enableParallelBuilding = true;
+
+ meta = {
+ dscription = "A collection of tools that allows capturing TCP/IP packets and filtering them based on Lua policy files";
+ homepage = http://www.haka-security.org/;
+ license = stdenv.lib.licenses.mpl20;
+ maintaineres = [ stdenv.lib.maintainers.tvestelind ];
+ platforms = stdenv.lib.platforms.linux;
+ };
+}
-- cgit 1.4.1
From 11d475af2994f26d9daf5a682402726d367c21e7 Mon Sep 17 00:00:00 2001
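Review bot: In preConfigure the third sed keeps `$out` inside the single-quoted sed script (`'s,/opt/haka/etc,$out/opt/haka/etc,'`), so the shell never expands it and the installed man page carries a literal `$out`; the other three lines close the quotes around it, so this one should read `sed -i 's,/opt/haka/etc,'$out'/opt/haka/etc,' src/haka/haka.1`. In meta, `dscription` and `maintaineres` are misspelled, so neither meta.description nor meta.maintainers is actually set; rename them to `description` and `maintainers`. The source archive is pinned only through a `sha1` attribute; a `sha256` of the same tarball is the stronger integrity check for fetchurl and would be worth recording instead. The later hunk in this series that corrects the download URL keeps the same sha1 attribute, so the same remark applies there.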
From: Tomas Vestelind
Date: Mon, 18 Jan 2016 05:54:19 +0100
Subject: haka: options for nixos
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/security/haka.nix | 156 +++++++++++++++++++++++++++++++
 pkgs/tools/security/haka/default.nix | 2 +-
 3 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 nixos/modules/services/security/haka.nix
(limited to 'pkgs/tools/security')
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 2ff61877c23d..dcce04b0a28b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -395,6 +395,7 @@
 ./services/security/fprintd.nix
 ./services/security/fprot.nix
 ./services/security/frandom.nix
+./services/security/haka.nix
 ./services/security/haveged.nix
 ./services/security/hologram.nix
 ./services/security/munge.nix
diff --git a/nixos/modules/services/security/haka.nix b/nixos/modules/services/security/haka.nix
new file mode 100644
index 000000000000..4f2bdd29cc49
--- /dev/null
+++ b/nixos/modules/services/security/haka.nix
@@ -0,0 +1,156 @@
+# This module defines global configuration for Haka.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.haka;
+
+ haka = cfg.package;
+
+ hakaConf = pkgs.writeText "haka.conf"
+ ''
+ [general]
+ configuration = ${if lib.strings.hasPrefix "/" cfg.configFile
+ then "${cfg.configFile}"
+ else "${haka}/share/haka/sample/${cfg.configFile}"}
+ ${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}
+
+ [packet]
+ ${optionalString cfg.pcap ''module = "packet/pcap"''}
+ ${optionalString cfg.nfqueue ''module = "packet/nqueue"''}
+ ${optionalString cfg.dump.enable ''dump = "yes"''}
+ ${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
+ ${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}
+
+ interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"
+
+ [log]
+ # Select the log module
+ module = "log/syslog"
+
+ # Set the default logging level
+ #level = "info,packet=debug"
+
+ [alert]
+ # Select the alert module
+ module = "alert/syslog"
+
+ # Disable alert on standard output
+ #alert_on_stdout = no
+
+ # alert/file module option
+ #file = "/dev/null"
+ '';
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.haka = {
+
+ enable = mkEnableOption "Haka";
+
+ package = mkOption {
+ default = pkgs.haka;
+ type = types.package;
+ description = "
+ Which Haka derivation to use.
+ ";
+ };
+
+ configFile = mkOption {
+ default = "empty.lua";
+ example = "/srv/haka/myfilter.lua";
+ type = types.string;
+ description = ''
+ Specify which configuration file Haka uses.
+ It can be absolute path or a path relative to the sample directory of
+ the haka git repo.
+ '';
+ };
+
+ interfaces = mkOption {
+ default = [ "eth0" ];
+ example = [ "any" ];
+ type = with types; listOf string;
+ description = ''
+ Specify which interface(s) Haka listens to.
+ Use 'any' to listen to all interfaces.
+ '';
+ };
+
+ threads = mkOption {
+ default = 0;
+ example = 4;
+ type = types.int;
+ description = ''
+ The number of threads that will be used.
+ All system threads are used by default.
+ '';
+ };
+
+ pcap = mkOption {
+ default = true;
+ example = false;
+ type = types.bool;
+ description = "Whether to enable pcap";
+ };
+
+ nfqueue = mkEnableOption "nfqueue";
+
+ dump.enable = mkEnableOption "dump";
+ dump.input = mkOption {
+ default = "/tmp/input.pcap";
+ example = "/path/to/file.pcap";
+ type = types.path;
+ description = "Path to file where incoming packets are dumped";
+ };
+
+ dump.output = mkOption {
+ default = "/tmp/output.pcap";
+ example = "/path/to/file.pcap";
+ type = types.path;
+ description = "Path to file where outgoing packets are dumped";
+ };
+ };
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ assertions = [
+ { assertion = cfg.pcap != cfg.nfqueue;
+ message = "either pcap or nfqueue can be enabled, not both.";
+ }
+ { assertion = cfg.nfqueue -> !dump.enable;
+ message = "dump can only be used with nfqueue.";
+ }
+ { assertion = cfg.interfaces != [];
+ message = "at least one interface must be specified.";
+ }];
+
+
+ environment.systemPackages = [ haka ];
+
+ systemd.services.haka = {
+ description = "Haka";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ ExecStart = "${haka}/bin/haka -c ${hakaConf}";
+ ExecStop = "${haka}/bin/hakactl stop";
+ User = "root";
+ Type = "forking";
+ };
+ };
+ };
+}
diff --git a/pkgs/tools/security/haka/default.nix b/pkgs/tools/security/haka/default.nix
index 95d40c72f191..d040aaa6aea8 100644
--- a/pkgs/tools/security/haka/default.nix
+++ b/pkgs/tools/security/haka/default.nix
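Review bot: The second assertion is written as `cfg.nfqueue -> !dump.enable`, but `dump` is not bound anywhere in this module (the let only defines `cfg` and `haka`), so unless `lib` happens to export such an attribute evaluation aborts with an undefined variable as soon as `services.haka.enable` is set; it should be `cfg.dump.enable`, and the message "dump can only be used with nfqueue." states the opposite of what the condition enforces, so one of the two must be inverted. In hakaConf, `"thread = ${cfg.threads}"` interpolates an int into a string, which Nix rejects; write `${toString cfg.threads}`. The module string `"packet/nqueue"` does not match the option that selects it (`nfqueue`) and looks like a typo. The `dump.input`/`dump.output` defaults point into `/tmp` while the unit runs with `User = "root"`; having root write to predictable paths in a world-writable directory is a classic symlink hazard, so defaults under a service-owned directory (for example `/var/lib/haka`) would be safer.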
@@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
 src = fetchurl {
 name = "haka_${version}_source.tar.gz";
- url = "https://github.com/haka-security/haka/releases/download/v${version}";
+ url = "https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz";
 # https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
 sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";
-- cgit 1.4.1