diff options
author | Karel Kočí <cynerd@email.cz> | 2022-04-09 10:17:34 +0200 |
---|---|---|
committer | Karel Kočí <cynerd@email.cz> | 2022-04-09 10:17:34 +0200 |
commit | bd9812fab0daea5f0911047a70494dc25089ac79 (patch) | |
tree | a96d9955b6aee8c5dcc435c551a5c2c724dd945e | |
download | nixsentinel-master.tar.gz nixsentinel-master.tar.bz2 nixsentinel-master.zip |
This was taken from nixturris.
24 files changed, 761 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fcfc4a1 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +result* diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..1b0c435 --- /dev/null +++ b/flake.lock @@ -0,0 +1,40 @@ +{ + "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1648297722, + "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1648219316, + "narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "30d3d79b7d3607d56546dd2a6b49e156ba0ec634", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..ff75348 --- /dev/null +++ b/flake.nix @@ -0,0 +1,30 @@ +{ + description = "Turris Sentinel flake"; + + outputs = { self, flake-utils, nixpkgs }: { + + overlays.default = final: prev: import ./pkgs { nixpkgs = prev; }; + overlay = self.overlays.default; # Backward compatibility + + nixosModules = import ./nixos; + nixosModule = { + imports = builtins.attrValues self.nixosModules; + nixpkgs.overlays = [ self.overlay ]; + }; + + } // flake-utils.lib.eachSystem (flake-utils.lib.defaultSystems ++ ["armv7l-linux"]) ( + system: { + packages = flake-utils.lib.filterPackages system (flake-utils.lib.flattenTree ( + import ./pkgs { nixpkgs = nixpkgs.legacyPackages."${system}"; } + )); + + # The legacyPackages imported as overlay allows us to use pkgsCross to + # cross-compile those packages. + legacyPackages = import nixpkgs { + inherit system; + overlays = [ self.overlay ]; + crossOverlays = [ self.overlay ]; + }; + } + ); +} diff --git a/nixos/default.nix b/nixos/default.nix new file mode 100644 index 0000000..b95e12a --- /dev/null +++ b/nixos/default.nix @@ -0,0 +1,5 @@ +{ + sentinel = import ./modules/sentinel.nix; + sentinel-fwlogs = import ./modules/sentinel-fwlogs.nix; + sentinel-minipot = import ./modules/sentinel-minipot.nix; +} diff --git a/nixos/modules/sentinel-faillogs.nix b/nixos/modules/sentinel-faillogs.nix new file mode 100644 index 0000000..93ade14 --- /dev/null +++ b/nixos/modules/sentinel-faillogs.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + imports = [ ./sentinel.nix ]; + + + options = { + services.sentinel.faillogs = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel Fail logs collector. + The services.sentinel.enable has to be enabled as well. + ''; + }; + }; + }; + + + config = mkIf config.services.sentinel.enable && config.services.sentinel.faillogs.enable { + environment.systemPackages = [ pkgs.sentinel-faillogs ]; + + systemd.services.sentinel-faillogs = { + description = "Turris Sentinel Fail Logs"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.sentinel-faillogs ]; + serviceConfig.ExecStart = "${pkgs.sentinel-faillogs}/bin/sentinel-faillogs"; + }; + + }; + +} diff --git a/nixos/modules/sentinel-fwlogs.nix b/nixos/modules/sentinel-fwlogs.nix new file mode 100644 index 0000000..d2bc864 --- /dev/null +++ b/nixos/modules/sentinel-fwlogs.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + imports = [ ./sentinel.nix ]; + + + options = { + services.sentinel.fwlogs = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel Firewall logs collector. + The services.sentinel.enable has to be enabled as well. + ''; + }; + nflog-group = mkOption { + type = types.port; + default = 1914; + description = "Netfilter log group used to pass logs to sentinel-fwlogs."; + }; + }; + }; + + + config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable { + environment.systemPackages = [ pkgs.sentinel-fwlogs ]; + + systemd.services.sentinel-fwlogs = { + description = "Turris Sentinel Firewall Logs"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.sentinel-fwlogs ]; + serviceConfig.ExecStart = "${pkgs.sentinel-fwlogs}/bin/sentinel-fwlogs"; + }; + + }; + +} diff --git a/nixos/modules/sentinel-minipot.nix b/nixos/modules/sentinel-minipot.nix new file mode 100644 index 0000000..8dcf370 --- /dev/null +++ b/nixos/modules/sentinel-minipot.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cnf = config.sentinel.minipot; + inherit (pkgs) sentinel-minipot; + + minipotOpts = { name, port }: { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel ${name} Minipot. + The services.sentinel.enable and service.sentinel.minipot.enable have to be enabled as well. + ''; + }; + port = mkOption { + type = types.port; + default = port; + description = "The port ${name} minipot should bind to."; + }; + }; + +in { + + imports = [ ./sentinel.nix ]; + + options = { + services.sentinel.minipot = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel Minipot system. + The services.sentinel.enable has to be enabled as well. + ''; + }; + + http = minipotOpts { name = "HTTP"; port = 8033; }; + ftp = minipotOpts { name = "FTP"; port = 2133; }; + smtp = minipotOpts { name = "SMTP"; port = 5873; }; + telnet = minipotOpts { name = "Telnet"; port = 2333; }; + }; + }; + + + config = mkIf (config.services.sentinel.enable && cnf.enable) { + assertions = [ + { + assertion = cnf.http.enable || cnf.ftp.enable || cnf.smtp.enable || cnf.telnet.enable; + message = "Sentinel minipot requires at least one of the protocols to be enabled"; + } + ]; + + environment.systemPackages = [ sentinel-minipot ]; + + systemd.services.sentinel-minipot = { + description = "Turris Sentinel Minipot"; + wantedBy = [ "multi-user.target" ]; + path = [ sentinel-minipot ]; + serviceConfig.ExecStart = "${sentinel-minipot}/bin/sentinel-minipot" + + optionalString cnf.http.enable " --http=${cnf.http.port}" + + optionalString cnf.ftp.enable " --ftp=${cnf.ftp.port}" + + optionalString cnf.smtp.enable " --smtp=${cnf.smtp.port}" + + optionalString cnf.telnet.enable " --telnet=${cnf.telnet.port}"; + }; + + }; + +} diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix new file mode 100644 index 0000000..19ef746 --- /dev/null +++ b/nixos/modules/sentinel.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cnf = config.sentinel; + +in { + + options = { + + services.sentinel = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the Turris Sentinel attact prevention system. + ''; + }; + deviceToken = mkOption { + type = types.str; + description = '' + Turris Sentinel token. You can use `sentinel-device-token -c` to get new one. + ''; + }; + sentinelCA = mkOption { + type = types.path; + default = ../sentinel-ca.pem; + description = '' + The CA certificate used with Sentinel. + Most of the times you do not want to modify this as it uses the + certificate shipped with NixOS modules. + ''; + }; + + }; + + }; + + + config = mkIf config.services.sentinel.enable { + environment.systemPackages = with pkgs; [ + sentinel-proxy sentinel-certgen + ]; + + # TODO we should probably rather pass token using configuration file + systemd.services.sentinel-proxy = { + description = "Turris Sentinel proxy"; + wantedBy = [ "multi-user.target" ]; + path = [ sentinel-proxy ]; + serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy" + + "--ca=${cnf.sentinelCA}" + + " --token=${cnf.deviceToken}"; + }; + + }; + +} diff --git a/nixos/sentinel-ca.pem b/nixos/sentinel-ca.pem new file mode 100644 index 0000000..8c1f6a5 --- /dev/null +++ b/nixos/sentinel-ca.pem @@ -0,0 +1,61 @@ +################################################################ +(Development) Sentinel CA + +-----BEGIN CERTIFICATE----- +MIIGsDCCBJigAwIBAgIJAM3oziL/qM4GMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD +VQQGEwJDWjELMAkGA1UECBMCQ1oxDzANBgNVBAcTBlByYWd1ZTEPMA0GA1UEChMG +Q1ouTklDMQ8wDQYDVQQLEwZUdXJyaXMxFDASBgNVBAMTC1NlbnRpbmVsIENBMREw +DwYDVQQpEwhTZW50aW5lbDEeMBwGCSqGSIb3DQEJARYPYWRtaW5AdHVycmlzLmN6 +MB4XDTE4MDEyNjA4MzMzOVoXDTI4MDEyNDA4MzMzOVowgZYxCzAJBgNVBAYTAkNa +MQswCQYDVQQIEwJDWjEPMA0GA1UEBxMGUHJhZ3VlMQ8wDQYDVQQKEwZDWi5OSUMx +DzANBgNVBAsTBlR1cnJpczEUMBIGA1UEAxMLU2VudGluZWwgQ0ExETAPBgNVBCkT +CFNlbnRpbmVsMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkB0dXJyaXMuY3owggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAwpqRmGRX8qg4lJNJNzXWwj1nVMTm +vc2W5vjpfwr93YoSqOz4rKlO7fQs3Zbe4LleXwAZncV5lAU1EkOD24Tjb5nKeGjM +JDvkKL0QGCuSUC1VYdbaqlhZRDNkdB6GiR/MJTHx/op1RcKqi/muc4ywbjFdf1yp +OJ6pOoifRqEuQkumWXT3dHdE5HuSHdxFLqL4Xre7fa0fs0YXb487VWIgJq/ASQrR +Zcj1z3oMJaQYrEnHL64NcdKUer0hzExhOdUk9/SWTtDMUWiFeDV/Kh45a781lUd8 +zI/TkG14mkOuc72y0dyoi9gOjtiJHSaKkVle47rEk+VhNA/3TsBLcQ2pA335iK96 +aFdeos3wQQaKouADye/9HsHofK2AE8aRkHPC4dK2mufqOhw36v74jAbRm3xsosDn +TpADgVOroOV3JtNJROGCoDqOWNSnjv3Nw46acOVt7JS8Ry/7ubXAEtDYv0CPyK0z +M7/9ztfN+ub2/fsbjJixwWcoEijDnmU1wq5zEeP64XxT49R56/ChMT0xhKXmnnlw +ijV/EGX35xNPGRd3Wi9Z9F+zJePccVNOtobq6CQ00EuHKkFytqMNMqfe7+XxkZug +h70eTGwSYd3iLiKsbsE/2+Eynv9Jqj7rEbzlvRYEImZjHlvSuXRDyYd7mMzbQzek +F+APPvY9YlmEGQIDAQABo4H+MIH7MB0GA1UdDgQWBBS75bhWkQWeTeGGlxwRcO4d +uRywjTCBywYDVR0jBIHDMIHAgBS75bhWkQWeTeGGlxwRcO4duRywjaGBnKSBmTCB +ljELMAkGA1UEBhMCQ1oxCzAJBgNVBAgTAkNaMQ8wDQYDVQQHEwZQcmFndWUxDzAN +BgNVBAoTBkNaLk5JQzEPMA0GA1UECxMGVHVycmlzMRQwEgYDVQQDEwtTZW50aW5l +bCBDQTERMA8GA1UEKRMIU2VudGluZWwxHjAcBgkqhkiG9w0BCQEWD2FkbWluQHR1 +cnJpcy5jeoIJAM3oziL/qM4GMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD +ggIBAIGfkxSiYMO54JUqJmRPJeFml1qs++YQP0j4bhEToOP85j7ZoxIGfFYdakr7 +RXJ5JmVceNw+MQ7JLWL0ydBvKaEYpUXVyqMYMeICxIZcB8jrgAwATxMzv5Ku5EXx ++7ee/aswCtkc5WO9c8BNLuqewCwHhplTBMSpR7BJ7zfCQnk3o1BBeXY41TcDj6/C +oY5rDv0Zput9m9f5w0+/ukUm6O2TnUh6L622Jv8EQlEeeP1xvKLKeNQOzjEYlguI +fXqqVXsjxToRRjY6XfOWbuxZDkEp5TXDqIqLIo2PhS4b/phXJw/S0v//oRh1YOKo +VEu4vBpTL2pKYFdaPGGLRR0ajXUKJagkQPyy+3I4TWvqE2c1LIkpJF/PlRuets3u +LxldSbBHLV380ubGa288ywDXI65PE4jdjaa/V1dcJ+kkgwc4BMIfFkU0LenQ8ucL +Mh6iFfeT0iXTyU7Jm9gfn+nqHoZY4i6i3g/2Byt1Dn36RAcjGXxAO2G19roCux9d +S42NowRqdbAVOFKjkQ2Ojk4i5FsqVkX+Ykf5jEfD/LnGZSKcHNjRIKU60Lc0r2+H +EzKOPyTHDcUioPfuXGcl112WfqU+/HWt4nW0QEpNKCNpZ6Opsl0alpESWOBSBN6j ++SZimokYV8q+L9XhyY6Y7Q7d9Szdm269J6FrPqih15AvpnTf +-----END CERTIFICATE----- + +################################################################ +Sentinel Root CA X1 + +-----BEGIN CERTIFICATE----- +MIICbjCCAfWgAwIBAgIUJyxjDM9S/kHOqDp2PHlTOKUwuyQwCgYIKoZIzj0EAwMw +aDELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklD +LCB6LnMucC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBS +b290IENBIFgxMB4XDTIxMDMyOTIzNTE0N1oXDTM2MDMyNTIzNTE0N1owaDELMAkG +A1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklDLCB6LnMu +cC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBSb290IENB +IFgxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3RsNCfNMwh+pFZ0QFa8wCtounDkg +gKFkI0D8yzgIEQ5iWDb3d4wP3vKB+tvjTmlXewsXYVbfLQ16PMZ6ouHfdRqUr9RE +EYgDzAOETTVn9JLb/8IUOQlp5SpEjGM1Lkzjo2AwXjAdBgNVHQ4EFgQUYCW+fE/0 +HW/+NzFRNbPPAQe7PC4wHwYDVR0jBBgwFoAUYCW+fE/0HW/+NzFRNbPPAQe7PC4w +DwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIw +WhbBJ/awrC15hG6t1oU0zlbMigRbD2d8ERGQw8vvC1eNkoT1DJVoBfEfVo/C/kyq +AjA01kbjwaFIIYNB9TwpHCw5jPAbplVq+MxorfwVjQX0yfXSZL/EJ6Krgs6E6tFw +onY= +-----END CERTIFICATE----- diff --git a/pkgs/build-support/bootstrap.sh b/pkgs/build-support/bootstrap.sh new file mode 100644 index 0000000..a1202cb --- /dev/null +++ b/pkgs/build-support/bootstrap.sh @@ -0,0 +1,5 @@ +preConfigurePhases="${preConfigurePhases:-} bootstrapPhase" + +bootstrapPhase() { + ./bootstrap +} diff --git a/pkgs/default.nix b/pkgs/default.nix new file mode 100644 index 0000000..81360e6 --- /dev/null +++ b/pkgs/default.nix @@ -0,0 +1,45 @@ +{ nixpkgs ? <nixpkgs>, nixlib ? nixpkgs.lib }: + +let + pkgs = nixpkgs // sentinelPkgs; + callPackage = nixlib.callPackageWith pkgs; + + sentinelPkgs = with pkgs; { + + bootstrapHook = callPackage ( + { makeSetupHook, autoconf, autoconf-archive, automake, gettext, libtool }: + makeSetupHook + { deps = [ autoconf autoconf-archive automake gettext libtool ]; } + ./build-support/bootstrap.sh + ) { }; + + ## Libraries ## + logc = callPackage ./libraries/logc { }; + logc-0_1 = logc.overrideAttrs (oldAttrs: rec { + version = "0.1.0"; + src = fetchgit { + url = "https://gitlab.nic.cz/turris/logc.git"; + rev = "v" + version; + sha256 = "1swjzs2249wvnqx2zvxwd7d1z22kd3512xxfvq002cvgbq78ka9a"; + }; + patches = []; + }); + logc-libs = callPackage ./libraries/logc-libs { }; + base64c = callPackage ./libraries/base64c { }; + paho-mqtt-c = callPackage ./libraries/paho-mqtt-c { }; + + ## Sentinel applications ## + sentinel-certgen = python3Packages.callPackage ./sentinel/certgen { }; + #sentinel-dynfw-client = python3Packages.callPackage ./sentinel/dynfw-client { }; + sentinel-proxy = callPackage ./sentinel/proxy { }; + sentinel-minipot = callPackage ./sentinel/minipot { }; + sentinel-fwlogs = callPackage ./sentinel/fwlogs { }; + sentinel-faillogs = callPackage ./sentinel/faillogs { }; + turris-crypto-wrapper = callPackage ./turris/crypto-wrapper { }; + + ## Turris routers specific tools ## + libatsha204 = callPackage ./turris/libatsha204 { }; + + }; + +in sentinelPkgs diff --git a/pkgs/libraries/base64c/default.nix b/pkgs/libraries/base64c/default.nix new file mode 100644 index 0000000..9cb6def --- /dev/null +++ b/pkgs/libraries/base64c/default.nix @@ -0,0 +1,27 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config +, check +}: + +stdenv.mkDerivation rec { + pname = "base64c"; + version = "0.2.1"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/base64c"; + description = "Base64 encoding/decoding library for C"; + license = licenses.mit; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/base64c.git"; + rev = "v" + version; + sha256 = "09qgx2qcni6cmk9mwiis843wgp3f85mh2c3sm0w37ib0bcxdvq7x"; + }; + + nativeBuildInputs = [bootstrapHook pkg-config]; + depsBuildBuild = [check]; + + doCheck = true; + doInstallCheck = true; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch b/pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch new file mode 100644 index 0000000..349bf91 --- /dev/null +++ b/pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch @@ -0,0 +1,31 @@ +From ecd66fc7d0079093fc56c16233c1fb2e88879df3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <karel.koci@nic.cz> +Date: Thu, 24 Feb 2022 17:52:59 +0100 +Subject: [PATCH] tests/cmzq: try to fix test failure + +The errno seems to be possibly set by logc_czmq_init and thus we have to +reset errno after that. +--- + tests/czmq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/czmq.c b/tests/czmq.c +index b6244d1..f25ab07 100644 +--- a/tests/czmq.c ++++ b/tests/czmq.c +@@ -10,11 +10,11 @@ char *stderr_data; + size_t stderr_len; + + void f_setup() { +- errno = 0; + orig_stderr = stderr; + stderr = open_memstream(&stderr_data, &stderr_len); + logc_czmq_init(); + log_set_level(log_czmq, LL_DEBUG); ++ errno = 0; + } + void f_teardown() { + ck_assert_int_eq(errno, 0); +-- +2.35.1 + diff --git a/pkgs/libraries/logc-libs/default.nix b/pkgs/libraries/logc-libs/default.nix new file mode 100644 index 0000000..f8e4a57 --- /dev/null +++ b/pkgs/libraries/logc-libs/default.nix @@ -0,0 +1,29 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config +, logc, czmq, libevent +, check +}: + +stdenv.mkDerivation rec { + pname = "logc-libs"; + version = "0.1.0"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/logc-libs"; + description = "Logging for C"; + license = licenses.mit; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/logc-libs.git"; + rev = "v" + version; + sha256 = "11b89742k81wbb0mc4r13l2sviz720qgl06v4wnjwlmi9x4pzy1a"; + }; + + buildInputs = [logc czmq libevent]; + nativeBuildInputs = [bootstrapHook pkg-config]; + depsBuildBuild = [check]; + + doCheck = false; # TODO the test fails due to errno being set by czmq for some reason + doInstallCheck = false; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch b/pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch new file mode 100644 index 0000000..3c0fafe --- /dev/null +++ b/pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch @@ -0,0 +1,28 @@ +From 7105fb9859f4d3264dbaaee5dc7596c561dc3e1a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <karel.koci@nic.cz> +Date: Tue, 4 Jan 2022 18:38:38 +0100 +Subject: [PATCH] configure.ac: fix cross compilation + +The AC_CHECK_FILE is not supported when cross compiling. We can just use +plain AS_IF with test for the same effect. +--- + CHANGELOG.md | 1 + + configure.ac | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 5946a53..b6d42ea 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -18,7 +18,7 @@ PKG_INSTALLDIR + AX_CHECK_COMPILE_FLAG([-std=c11], , AC_MSG_ERROR([Compiler with C11 standard support is required])) + AX_APPEND_FLAG([-std=c11]) + +-AC_CHECK_FILE([${0%/*}/bootstrap],[ ++AS_IF([test -x "${0%/*}/bootstrap" ],[ + AC_PATH_PROG([GPERF], [gperf]) + AS_IF([test -z "$GPERF"], [AC_MSG_ERROR([Missing gperf generator])]) + ]) +-- +2.35.1 + diff --git a/pkgs/libraries/logc/default.nix b/pkgs/libraries/logc/default.nix new file mode 100644 index 0000000..6ffd8f4 --- /dev/null +++ b/pkgs/libraries/logc/default.nix @@ -0,0 +1,32 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config, gperf +, libconfig +, check +}: + +stdenv.mkDerivation rec { + pname = "logc"; + version = "0.4.0"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/logc"; + description = "Logging for C"; + license = licenses.mit; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/logc.git"; + rev = "v" + version; + sha256 = "15nplgjgg6dxryy4yzbj4524y77ci0syi970rmbr955m9vxvhrib"; + }; + patches = [ + ./0001-configure.ac-fix-cross-compilation.patch + ]; + + buildInputs = [libconfig]; + nativeBuildInputs = [bootstrapHook pkg-config gperf]; + depsBuildBuild = [check]; + + doCheck = true; + doInstallCheck = true; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/libraries/paho-mqtt-c/default.nix b/pkgs/libraries/paho-mqtt-c/default.nix new file mode 100644 index 0000000..545af96 --- /dev/null +++ b/pkgs/libraries/paho-mqtt-c/default.nix @@ -0,0 +1,24 @@ +{ stdenv, lib, fetchurl +, cmake +, openssl +}: + +stdenv.mkDerivation rec { + pname = "paho-mqtt-c"; + version = "1.3.9"; + meta = with lib; { + homepage = "https://eclipse.org/paho"; + description = "An Eclipse Paho C client library for MQTT"; + license = licenses.epl20; + }; + + src = fetchurl { + url = "https://github.com/eclipse/paho.mqtt.c/archive/refs/tags/v" + version + ".tar.gz"; + sha256 = "1v9m4mx47bhahzda5sf5zp80shbaizymfbdidm8hsvfgl5grnv1q"; + }; + + buildInputs = [openssl]; + nativeBuildInputs = [cmake]; + + cmakeFlags = ["-DPAHO_WITH_SSL=TRUE" "-DPAHO_HIGH_PERFORMANCE=TRUE"]; +} diff --git a/pkgs/sentinel/certgen/default.nix b/pkgs/sentinel/certgen/default.nix new file mode 100644 index 0000000..3818b9b --- /dev/null +++ b/pkgs/sentinel/certgen/default.nix @@ -0,0 +1,25 @@ +{ buildPythonApplication, lib, fetchgit +, python3 +, crypto-wrapper +}: + +buildPythonApplication rec { + pname = "sentinel-certgen"; + version = "6.2"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/sentinel/certgen"; + description = "Sentinel automated passwords and certificates retrieval"; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/sentinel/certgen.git"; + rev = "v" + version; + sha256 = "10ii3j3wqdib7m2fc0w599981mv9q3ahj96q4kyrn5sh18v2c7nb"; + }; + + propagatedBuildInputs = with python3.pkgs; [ + crypto-wrapper + six requests cryptography + ]; +} diff --git a/pkgs/sentinel/dynfw-client/default.nix b/pkgs/sentinel/dynfw-client/default.nix new file mode 100644 index 0000000..b059b6d --- /dev/null +++ b/pkgs/sentinel/dynfw-client/default.nix @@ -0,0 +1,26 @@ +{ buildPythonApplication, lib, fetchgit +, ipset +}: + +buildPythonApplication rec { + pname = "sentinel-dynfw-client"; + version = "1.4.0"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/sentinel/dynfw-client"; + description = "Dynamic firewall client"; + platforms = platforms.linux; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/sentinel/dynfw-client.git"; + rev = "v" + version; + sha256 = "1g0wbhsjzifvdfvig6922cl3yfj1f96yvg11s4vgiaxca9yspcmp"; + }; + + buildInputs = [ipset]; + preConfigure = '' + ls + find -type f | xargs sed -i 's#/usr/sbin/ipset#${ipset}#g' + ''; +} diff --git a/pkgs/sentinel/faillogs/default.nix b/pkgs/sentinel/faillogs/default.nix new file mode 100644 index 0000000..4b3a2d3 --- /dev/null +++ b/pkgs/sentinel/faillogs/default.nix @@ -0,0 +1,29 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config, gperf +, logc, logc-libs, libevent, czmq, msgpack, libconfig +, check +}: + +stdenv.mkDerivation rec { + pname = "sentinel-faillogs"; + version = "0.1.0"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/sentinel/faillogs"; + description = "Failed login attempt logs collector"; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/sentinel/faillogs.git"; + rev = "99ec41baed19cc1ca70490b2b8cd81784e7748d2"; + sha256 = "1pp93z78qwg7arca5z70gdp5ja2jldk1rzig8r29a2fhjakd0hb2"; + }; + + buildInputs = [logc logc-libs libevent czmq msgpack libconfig]; + nativeBuildInputs = [bootstrapHook pkg-config gperf]; + depsBuildBuild = [check]; + + doCheck = true; + doInstallCheck = true; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/sentinel/fwlogs/default.nix b/pkgs/sentinel/fwlogs/default.nix new file mode 100644 index 0000000..6c9d529 --- /dev/null +++ b/pkgs/sentinel/fwlogs/default.nix @@ -0,0 +1,30 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config +, czmq, msgpack, logc-0_1, logc-libs, libconfig, libnetfilter_log +, check +}: + +stdenv.mkDerivation rec { + pname = "sentinel-proxy"; + version = "0.2.0"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/sentinel/fwlogs"; + description = "Firewall logs collector"; + platforms = platforms.linux; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/sentinel/fwlogs.git"; + rev = "v" + version; + sha256 = "04rlm3mlri2wz33z6jh2yh0p81lnrfpfmmfjrn4sfjwh1g21ins7"; + }; + + buildInputs = [czmq msgpack logc-0_1 logc-libs libconfig libnetfilter_log]; + nativeBuildInputs = [bootstrapHook pkg-config]; + depsBuildBuild = [check]; + + doCheck = true; + doInstallCheck = true; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/sentinel/minipot/default.nix b/pkgs/sentinel/minipot/default.nix new file mode 100644 index 0000000..1f26074 --- /dev/null +++ b/pkgs/sentinel/minipot/default.nix @@ -0,0 +1,29 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config, gperf +, czmq, msgpack, libevent, base64c, logc-0_1, logc-libs +, check +}: + +stdenv.mkDerivation rec { + pname = "sentinel-minipot"; + version = "2.2"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/sentinel/minipot"; + description = "Firewall logs collector"; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/sentinel/minipot.git"; + rev = "v" + version; + sha256 = "05p2q9mj8bhjapfphlrs45l691dmkpiia6ir1nnpa1pa5jy045p9"; + }; + + buildInputs = [czmq msgpack libevent base64c logc-0_1 logc-libs]; + nativeBuildInputs = [bootstrapHook pkg-config gperf]; + depsBuildBuild = [check]; + + doCheck = true; + doInstallCheck = true; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/sentinel/proxy/default.nix b/pkgs/sentinel/proxy/default.nix new file mode 100644 index 0000000..a3b6bf2 --- /dev/null +++ b/pkgs/sentinel/proxy/default.nix @@ -0,0 +1,31 @@ +{ stdenv, lib, fetchgit +, bootstrapHook, pkg-config, gperf +, openssl, zlib, czmq, libconfig, msgpack, paho-mqtt-c +, check +}: + +stdenv.mkDerivation rec { + pname = "sentinel-proxy"; + version = "1.4"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/sentinel/proxy"; + description = "Main MQTT Sentinel client. Proxy that lives on the router and relays messages received from ZMQ to uplink server over MQTT channel."; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/sentinel/proxy.git"; + rev = "v" + version; + sha256 = "11s538yf4ydlzlx1vs9fc6hh9igf40s3v853mlcki8a28bni6xwb"; + }; + + buildInputs = [openssl zlib czmq libconfig msgpack paho-mqtt-c]; + nativeBuildInputs = [bootstrapHook pkg-config gperf]; + depsBuildBuild = [check]; + + preConfigure = "./bootstrap"; + + doCheck = true; + doInstallCheck = true; + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} diff --git a/pkgs/turris/crypto-wrapper/default.nix b/pkgs/turris/crypto-wrapper/default.nix new file mode 100644 index 0000000..aa65b17 --- /dev/null +++ b/pkgs/turris/crypto-wrapper/default.nix @@ -0,0 +1,24 @@ +{ stdenv, lib, fetchgit +}: + +stdenv.mkDerivation rec { + pname = "turris-crypto-wrapper"; + version = "0.4"; + meta = with lib; { + homepage = "https://gitlab.nic.cz/turris/crypto-wrapper"; + description = ""; + license = licenses.gpl3; + }; + + src = fetchgit { + url = "https://gitlab.nic.cz/turris/crypto-wrapper.git"; + rev = "v" + version; + sha256 = "1ly37cajkmgqmlj230h5az9m2m1rgvf4r0bf94yipp80wl0z215s"; + }; + + buildInputs = [czmq msgpack libevent base64c logc-0_1 logc-libs]; + nativeBuildInputs = [bootstrapHook pkg-config gperf]; + depsBuildBuild = [check]; + + configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests"; +} |