summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKarel Kočí <cynerd@email.cz>2022-04-09 10:17:34 +0200
committerKarel Kočí <cynerd@email.cz>2022-04-09 10:17:34 +0200
commitbd9812fab0daea5f0911047a70494dc25089ac79 (patch)
treea96d9955b6aee8c5dcc435c551a5c2c724dd945e
downloadnixsentinel-bd9812fab0daea5f0911047a70494dc25089ac79.tar.gz
nixsentinel-bd9812fab0daea5f0911047a70494dc25089ac79.tar.bz2
nixsentinel-bd9812fab0daea5f0911047a70494dc25089ac79.zip
Initial versionHEADmaster
This was taken from nixturris.
-rw-r--r--.gitignore1
-rw-r--r--flake.lock40
-rw-r--r--flake.nix30
-rw-r--r--nixos/default.nix5
-rw-r--r--nixos/modules/sentinel-faillogs.nix36
-rw-r--r--nixos/modules/sentinel-fwlogs.nix41
-rw-r--r--nixos/modules/sentinel-minipot.nix72
-rw-r--r--nixos/modules/sentinel.nix60
-rw-r--r--nixos/sentinel-ca.pem61
-rw-r--r--pkgs/build-support/bootstrap.sh5
-rw-r--r--pkgs/default.nix45
-rw-r--r--pkgs/libraries/base64c/default.nix27
-rw-r--r--pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch31
-rw-r--r--pkgs/libraries/logc-libs/default.nix29
-rw-r--r--pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch28
-rw-r--r--pkgs/libraries/logc/default.nix32
-rw-r--r--pkgs/libraries/paho-mqtt-c/default.nix24
-rw-r--r--pkgs/sentinel/certgen/default.nix25
-rw-r--r--pkgs/sentinel/dynfw-client/default.nix26
-rw-r--r--pkgs/sentinel/faillogs/default.nix29
-rw-r--r--pkgs/sentinel/fwlogs/default.nix30
-rw-r--r--pkgs/sentinel/minipot/default.nix29
-rw-r--r--pkgs/sentinel/proxy/default.nix31
-rw-r--r--pkgs/turris/crypto-wrapper/default.nix24
24 files changed, 761 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fcfc4a1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result*
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..1b0c435
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,40 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1648297722,
+ "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1648219316,
+ "narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "30d3d79b7d3607d56546dd2a6b49e156ba0ec634",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..ff75348
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,30 @@
+{
+ description = "Turris Sentinel flake";
+
+ outputs = { self, flake-utils, nixpkgs }: {
+
+ overlays.default = final: prev: import ./pkgs { nixpkgs = prev; };
+ overlay = self.overlays.default; # Backward compatibility
+
+ nixosModules = import ./nixos;
+ nixosModule = {
+ imports = builtins.attrValues self.nixosModules;
+ nixpkgs.overlays = [ self.overlay ];
+ };
+
+ } // flake-utils.lib.eachSystem (flake-utils.lib.defaultSystems ++ ["armv7l-linux"]) (
+ system: {
+ packages = flake-utils.lib.filterPackages system (flake-utils.lib.flattenTree (
+ import ./pkgs { nixpkgs = nixpkgs.legacyPackages."${system}"; }
+ ));
+
+ # The legacyPackages imported as overlay allows us to use pkgsCross to
+ # cross-compile those packages.
+ legacyPackages = import nixpkgs {
+ inherit system;
+ overlays = [ self.overlay ];
+ crossOverlays = [ self.overlay ];
+ };
+ }
+ );
+}
diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..b95e12a
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,5 @@
+{
+ sentinel = import ./modules/sentinel.nix;
+ sentinel-fwlogs = import ./modules/sentinel-fwlogs.nix;
+ sentinel-minipot = import ./modules/sentinel-minipot.nix;
+}
diff --git a/nixos/modules/sentinel-faillogs.nix b/nixos/modules/sentinel-faillogs.nix
new file mode 100644
index 0000000..93ade14
--- /dev/null
+++ b/nixos/modules/sentinel-faillogs.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ imports = [ ./sentinel.nix ];
+
+
+ options = {
+ services.sentinel.faillogs = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Fail logs collector.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+ };
+ };
+
+
+ config = mkIf config.services.sentinel.enable && config.services.sentinel.faillogs.enable {
+ environment.systemPackages = [ pkgs.sentinel-faillogs ];
+
+ systemd.services.sentinel-faillogs = {
+ description = "Turris Sentinel Fail Logs";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sentinel-faillogs ];
+ serviceConfig.ExecStart = "${pkgs.sentinel-faillogs}/bin/sentinel-faillogs";
+ };
+
+ };
+
+}
diff --git a/nixos/modules/sentinel-fwlogs.nix b/nixos/modules/sentinel-fwlogs.nix
new file mode 100644
index 0000000..d2bc864
--- /dev/null
+++ b/nixos/modules/sentinel-fwlogs.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ imports = [ ./sentinel.nix ];
+
+
+ options = {
+ services.sentinel.fwlogs = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Firewall logs collector.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+ nflog-group = mkOption {
+ type = types.port;
+ default = 1914;
+ description = "Netfilter log group used to pass logs to sentinel-fwlogs.";
+ };
+ };
+ };
+
+
+ config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable {
+ environment.systemPackages = [ pkgs.sentinel-fwlogs ];
+
+ systemd.services.sentinel-fwlogs = {
+ description = "Turris Sentinel Firewall Logs";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sentinel-fwlogs ];
+ serviceConfig.ExecStart = "${pkgs.sentinel-fwlogs}/bin/sentinel-fwlogs";
+ };
+
+ };
+
+}
diff --git a/nixos/modules/sentinel-minipot.nix b/nixos/modules/sentinel-minipot.nix
new file mode 100644
index 0000000..8dcf370
--- /dev/null
+++ b/nixos/modules/sentinel-minipot.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cnf = config.sentinel.minipot;
+ inherit (pkgs) sentinel-minipot;
+
+ minipotOpts = { name, port }: {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel ${name} Minipot.
+ The services.sentinel.enable and service.sentinel.minipot.enable have to be enabled as well.
+ '';
+ };
+ port = mkOption {
+ type = types.port;
+ default = port;
+ description = "The port ${name} minipot should bind to.";
+ };
+ };
+
+in {
+
+ imports = [ ./sentinel.nix ];
+
+ options = {
+ services.sentinel.minipot = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Minipot system.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+
+ http = minipotOpts { name = "HTTP"; port = 8033; };
+ ftp = minipotOpts { name = "FTP"; port = 2133; };
+ smtp = minipotOpts { name = "SMTP"; port = 5873; };
+ telnet = minipotOpts { name = "Telnet"; port = 2333; };
+ };
+ };
+
+
+ config = mkIf (config.services.sentinel.enable && cnf.enable) {
+ assertions = [
+ {
+ assertion = cnf.http.enable || cnf.ftp.enable || cnf.smtp.enable || cnf.telnet.enable;
+ message = "Sentinel minipot requires at least one of the protocols to be enabled";
+ }
+ ];
+
+ environment.systemPackages = [ sentinel-minipot ];
+
+ systemd.services.sentinel-minipot = {
+ description = "Turris Sentinel Minipot";
+ wantedBy = [ "multi-user.target" ];
+ path = [ sentinel-minipot ];
+ serviceConfig.ExecStart = "${sentinel-minipot}/bin/sentinel-minipot"
+ + optionalString cnf.http.enable " --http=${cnf.http.port}"
+ + optionalString cnf.ftp.enable " --ftp=${cnf.ftp.port}"
+ + optionalString cnf.smtp.enable " --smtp=${cnf.smtp.port}"
+ + optionalString cnf.telnet.enable " --telnet=${cnf.telnet.port}";
+ };
+
+ };
+
+}
diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix
new file mode 100644
index 0000000..19ef746
--- /dev/null
+++ b/nixos/modules/sentinel.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cnf = config.sentinel;
+
+in {
+
+ options = {
+
+ services.sentinel = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the Turris Sentinel attact prevention system.
+ '';
+ };
+ deviceToken = mkOption {
+ type = types.str;
+ description = ''
+ Turris Sentinel token. You can use `sentinel-device-token -c` to get new one.
+ '';
+ };
+ sentinelCA = mkOption {
+ type = types.path;
+ default = ../sentinel-ca.pem;
+ description = ''
+ The CA certificate used with Sentinel.
+ Most of the times you do not want to modify this as it uses the
+ certificate shipped with NixOS modules.
+ '';
+ };
+
+ };
+
+ };
+
+
+ config = mkIf config.services.sentinel.enable {
+ environment.systemPackages = with pkgs; [
+ sentinel-proxy sentinel-certgen
+ ];
+
+ # TODO we should probably rather pass token using configuration file
+ systemd.services.sentinel-proxy = {
+ description = "Turris Sentinel proxy";
+ wantedBy = [ "multi-user.target" ];
+ path = [ sentinel-proxy ];
+ serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy"
+ + "--ca=${cnf.sentinelCA}"
+ + " --token=${cnf.deviceToken}";
+ };
+
+ };
+
+}
diff --git a/nixos/sentinel-ca.pem b/nixos/sentinel-ca.pem
new file mode 100644
index 0000000..8c1f6a5
--- /dev/null
+++ b/nixos/sentinel-ca.pem
@@ -0,0 +1,61 @@
+################################################################
+(Development) Sentinel CA
+
+-----BEGIN CERTIFICATE-----
+MIIGsDCCBJigAwIBAgIJAM3oziL/qM4GMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
+VQQGEwJDWjELMAkGA1UECBMCQ1oxDzANBgNVBAcTBlByYWd1ZTEPMA0GA1UEChMG
+Q1ouTklDMQ8wDQYDVQQLEwZUdXJyaXMxFDASBgNVBAMTC1NlbnRpbmVsIENBMREw
+DwYDVQQpEwhTZW50aW5lbDEeMBwGCSqGSIb3DQEJARYPYWRtaW5AdHVycmlzLmN6
+MB4XDTE4MDEyNjA4MzMzOVoXDTI4MDEyNDA4MzMzOVowgZYxCzAJBgNVBAYTAkNa
+MQswCQYDVQQIEwJDWjEPMA0GA1UEBxMGUHJhZ3VlMQ8wDQYDVQQKEwZDWi5OSUMx
+DzANBgNVBAsTBlR1cnJpczEUMBIGA1UEAxMLU2VudGluZWwgQ0ExETAPBgNVBCkT
+CFNlbnRpbmVsMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkB0dXJyaXMuY3owggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAwpqRmGRX8qg4lJNJNzXWwj1nVMTm
+vc2W5vjpfwr93YoSqOz4rKlO7fQs3Zbe4LleXwAZncV5lAU1EkOD24Tjb5nKeGjM
+JDvkKL0QGCuSUC1VYdbaqlhZRDNkdB6GiR/MJTHx/op1RcKqi/muc4ywbjFdf1yp
+OJ6pOoifRqEuQkumWXT3dHdE5HuSHdxFLqL4Xre7fa0fs0YXb487VWIgJq/ASQrR
+Zcj1z3oMJaQYrEnHL64NcdKUer0hzExhOdUk9/SWTtDMUWiFeDV/Kh45a781lUd8
+zI/TkG14mkOuc72y0dyoi9gOjtiJHSaKkVle47rEk+VhNA/3TsBLcQ2pA335iK96
+aFdeos3wQQaKouADye/9HsHofK2AE8aRkHPC4dK2mufqOhw36v74jAbRm3xsosDn
+TpADgVOroOV3JtNJROGCoDqOWNSnjv3Nw46acOVt7JS8Ry/7ubXAEtDYv0CPyK0z
+M7/9ztfN+ub2/fsbjJixwWcoEijDnmU1wq5zEeP64XxT49R56/ChMT0xhKXmnnlw
+ijV/EGX35xNPGRd3Wi9Z9F+zJePccVNOtobq6CQ00EuHKkFytqMNMqfe7+XxkZug
+h70eTGwSYd3iLiKsbsE/2+Eynv9Jqj7rEbzlvRYEImZjHlvSuXRDyYd7mMzbQzek
+F+APPvY9YlmEGQIDAQABo4H+MIH7MB0GA1UdDgQWBBS75bhWkQWeTeGGlxwRcO4d
+uRywjTCBywYDVR0jBIHDMIHAgBS75bhWkQWeTeGGlxwRcO4duRywjaGBnKSBmTCB
+ljELMAkGA1UEBhMCQ1oxCzAJBgNVBAgTAkNaMQ8wDQYDVQQHEwZQcmFndWUxDzAN
+BgNVBAoTBkNaLk5JQzEPMA0GA1UECxMGVHVycmlzMRQwEgYDVQQDEwtTZW50aW5l
+bCBDQTERMA8GA1UEKRMIU2VudGluZWwxHjAcBgkqhkiG9w0BCQEWD2FkbWluQHR1
+cnJpcy5jeoIJAM3oziL/qM4GMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
+ggIBAIGfkxSiYMO54JUqJmRPJeFml1qs++YQP0j4bhEToOP85j7ZoxIGfFYdakr7
+RXJ5JmVceNw+MQ7JLWL0ydBvKaEYpUXVyqMYMeICxIZcB8jrgAwATxMzv5Ku5EXx
++7ee/aswCtkc5WO9c8BNLuqewCwHhplTBMSpR7BJ7zfCQnk3o1BBeXY41TcDj6/C
+oY5rDv0Zput9m9f5w0+/ukUm6O2TnUh6L622Jv8EQlEeeP1xvKLKeNQOzjEYlguI
+fXqqVXsjxToRRjY6XfOWbuxZDkEp5TXDqIqLIo2PhS4b/phXJw/S0v//oRh1YOKo
+VEu4vBpTL2pKYFdaPGGLRR0ajXUKJagkQPyy+3I4TWvqE2c1LIkpJF/PlRuets3u
+LxldSbBHLV380ubGa288ywDXI65PE4jdjaa/V1dcJ+kkgwc4BMIfFkU0LenQ8ucL
+Mh6iFfeT0iXTyU7Jm9gfn+nqHoZY4i6i3g/2Byt1Dn36RAcjGXxAO2G19roCux9d
+S42NowRqdbAVOFKjkQ2Ojk4i5FsqVkX+Ykf5jEfD/LnGZSKcHNjRIKU60Lc0r2+H
+EzKOPyTHDcUioPfuXGcl112WfqU+/HWt4nW0QEpNKCNpZ6Opsl0alpESWOBSBN6j
++SZimokYV8q+L9XhyY6Y7Q7d9Szdm269J6FrPqih15AvpnTf
+-----END CERTIFICATE-----
+
+################################################################
+Sentinel Root CA X1
+
+-----BEGIN CERTIFICATE-----
+MIICbjCCAfWgAwIBAgIUJyxjDM9S/kHOqDp2PHlTOKUwuyQwCgYIKoZIzj0EAwMw
+aDELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklD
+LCB6LnMucC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBS
+b290IENBIFgxMB4XDTIxMDMyOTIzNTE0N1oXDTM2MDMyNTIzNTE0N1owaDELMAkG
+A1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklDLCB6LnMu
+cC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBSb290IENB
+IFgxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3RsNCfNMwh+pFZ0QFa8wCtounDkg
+gKFkI0D8yzgIEQ5iWDb3d4wP3vKB+tvjTmlXewsXYVbfLQ16PMZ6ouHfdRqUr9RE
+EYgDzAOETTVn9JLb/8IUOQlp5SpEjGM1Lkzjo2AwXjAdBgNVHQ4EFgQUYCW+fE/0
+HW/+NzFRNbPPAQe7PC4wHwYDVR0jBBgwFoAUYCW+fE/0HW/+NzFRNbPPAQe7PC4w
+DwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIw
+WhbBJ/awrC15hG6t1oU0zlbMigRbD2d8ERGQw8vvC1eNkoT1DJVoBfEfVo/C/kyq
+AjA01kbjwaFIIYNB9TwpHCw5jPAbplVq+MxorfwVjQX0yfXSZL/EJ6Krgs6E6tFw
+onY=
+-----END CERTIFICATE-----
diff --git a/pkgs/build-support/bootstrap.sh b/pkgs/build-support/bootstrap.sh
new file mode 100644
index 0000000..a1202cb
--- /dev/null
+++ b/pkgs/build-support/bootstrap.sh
@@ -0,0 +1,5 @@
+preConfigurePhases="${preConfigurePhases:-} bootstrapPhase"
+
+bootstrapPhase() {
+ ./bootstrap
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..81360e6
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,45 @@
+{ nixpkgs ? <nixpkgs>, nixlib ? nixpkgs.lib }:
+
+let
+ pkgs = nixpkgs // sentinelPkgs;
+ callPackage = nixlib.callPackageWith pkgs;
+
+ sentinelPkgs = with pkgs; {
+
+ bootstrapHook = callPackage (
+ { makeSetupHook, autoconf, autoconf-archive, automake, gettext, libtool }:
+ makeSetupHook
+ { deps = [ autoconf autoconf-archive automake gettext libtool ]; }
+ ./build-support/bootstrap.sh
+ ) { };
+
+ ## Libraries ##
+ logc = callPackage ./libraries/logc { };
+ logc-0_1 = logc.overrideAttrs (oldAttrs: rec {
+ version = "0.1.0";
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/logc.git";
+ rev = "v" + version;
+ sha256 = "1swjzs2249wvnqx2zvxwd7d1z22kd3512xxfvq002cvgbq78ka9a";
+ };
+ patches = [];
+ });
+ logc-libs = callPackage ./libraries/logc-libs { };
+ base64c = callPackage ./libraries/base64c { };
+ paho-mqtt-c = callPackage ./libraries/paho-mqtt-c { };
+
+ ## Sentinel applications ##
+ sentinel-certgen = python3Packages.callPackage ./sentinel/certgen { };
+ #sentinel-dynfw-client = python3Packages.callPackage ./sentinel/dynfw-client { };
+ sentinel-proxy = callPackage ./sentinel/proxy { };
+ sentinel-minipot = callPackage ./sentinel/minipot { };
+ sentinel-fwlogs = callPackage ./sentinel/fwlogs { };
+ sentinel-faillogs = callPackage ./sentinel/faillogs { };
+ turris-crypto-wrapper = callPackage ./turris/crypto-wrapper { };
+
+ ## Turris routers specific tools ##
+ libatsha204 = callPackage ./turris/libatsha204 { };
+
+ };
+
+in sentinelPkgs
diff --git a/pkgs/libraries/base64c/default.nix b/pkgs/libraries/base64c/default.nix
new file mode 100644
index 0000000..9cb6def
--- /dev/null
+++ b/pkgs/libraries/base64c/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "base64c";
+ version = "0.2.1";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/base64c";
+ description = "Base64 encoding/decoding library for C";
+ license = licenses.mit;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/base64c.git";
+ rev = "v" + version;
+ sha256 = "09qgx2qcni6cmk9mwiis843wgp3f85mh2c3sm0w37ib0bcxdvq7x";
+ };
+
+ nativeBuildInputs = [bootstrapHook pkg-config];
+ depsBuildBuild = [check];
+
+ doCheck = true;
+ doInstallCheck = true;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch b/pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch
new file mode 100644
index 0000000..349bf91
--- /dev/null
+++ b/pkgs/libraries/logc-libs/0001-tests-cmzq-try-to-fix-test-failure.patch
@@ -0,0 +1,31 @@
+From ecd66fc7d0079093fc56c16233c1fb2e88879df3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <karel.koci@nic.cz>
+Date: Thu, 24 Feb 2022 17:52:59 +0100
+Subject: [PATCH] tests/cmzq: try to fix test failure
+
+The errno seems to be possibly set by logc_czmq_init and thus we have to
+reset errno after that.
+---
+ tests/czmq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/czmq.c b/tests/czmq.c
+index b6244d1..f25ab07 100644
+--- a/tests/czmq.c
++++ b/tests/czmq.c
+@@ -10,11 +10,11 @@ char *stderr_data;
+ size_t stderr_len;
+
+ void f_setup() {
+- errno = 0;
+ orig_stderr = stderr;
+ stderr = open_memstream(&stderr_data, &stderr_len);
+ logc_czmq_init();
+ log_set_level(log_czmq, LL_DEBUG);
++ errno = 0;
+ }
+ void f_teardown() {
+ ck_assert_int_eq(errno, 0);
+--
+2.35.1
+
diff --git a/pkgs/libraries/logc-libs/default.nix b/pkgs/libraries/logc-libs/default.nix
new file mode 100644
index 0000000..f8e4a57
--- /dev/null
+++ b/pkgs/libraries/logc-libs/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config
+, logc, czmq, libevent
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "logc-libs";
+ version = "0.1.0";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/logc-libs";
+ description = "Logging for C";
+ license = licenses.mit;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/logc-libs.git";
+ rev = "v" + version;
+ sha256 = "11b89742k81wbb0mc4r13l2sviz720qgl06v4wnjwlmi9x4pzy1a";
+ };
+
+ buildInputs = [logc czmq libevent];
+ nativeBuildInputs = [bootstrapHook pkg-config];
+ depsBuildBuild = [check];
+
+ doCheck = false; # TODO the test fails due to errno being set by czmq for some reason
+ doInstallCheck = false;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch b/pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch
new file mode 100644
index 0000000..3c0fafe
--- /dev/null
+++ b/pkgs/libraries/logc/0001-configure.ac-fix-cross-compilation.patch
@@ -0,0 +1,28 @@
+From 7105fb9859f4d3264dbaaee5dc7596c561dc3e1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <karel.koci@nic.cz>
+Date: Tue, 4 Jan 2022 18:38:38 +0100
+Subject: [PATCH] configure.ac: fix cross compilation
+
+The AC_CHECK_FILE is not supported when cross compiling. We can just use
+plain AS_IF with test for the same effect.
+---
+ CHANGELOG.md | 1 +
+ configure.ac | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5946a53..b6d42ea 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -18,7 +18,7 @@ PKG_INSTALLDIR
+ AX_CHECK_COMPILE_FLAG([-std=c11], , AC_MSG_ERROR([Compiler with C11 standard support is required]))
+ AX_APPEND_FLAG([-std=c11])
+
+-AC_CHECK_FILE([${0%/*}/bootstrap],[
++AS_IF([test -x "${0%/*}/bootstrap" ],[
+ AC_PATH_PROG([GPERF], [gperf])
+ AS_IF([test -z "$GPERF"], [AC_MSG_ERROR([Missing gperf generator])])
+ ])
+--
+2.35.1
+
diff --git a/pkgs/libraries/logc/default.nix b/pkgs/libraries/logc/default.nix
new file mode 100644
index 0000000..6ffd8f4
--- /dev/null
+++ b/pkgs/libraries/logc/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config, gperf
+, libconfig
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "logc";
+ version = "0.4.0";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/logc";
+ description = "Logging for C";
+ license = licenses.mit;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/logc.git";
+ rev = "v" + version;
+ sha256 = "15nplgjgg6dxryy4yzbj4524y77ci0syi970rmbr955m9vxvhrib";
+ };
+ patches = [
+ ./0001-configure.ac-fix-cross-compilation.patch
+ ];
+
+ buildInputs = [libconfig];
+ nativeBuildInputs = [bootstrapHook pkg-config gperf];
+ depsBuildBuild = [check];
+
+ doCheck = true;
+ doInstallCheck = true;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/libraries/paho-mqtt-c/default.nix b/pkgs/libraries/paho-mqtt-c/default.nix
new file mode 100644
index 0000000..545af96
--- /dev/null
+++ b/pkgs/libraries/paho-mqtt-c/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, lib, fetchurl
+, cmake
+, openssl
+}:
+
+stdenv.mkDerivation rec {
+ pname = "paho-mqtt-c";
+ version = "1.3.9";
+ meta = with lib; {
+ homepage = "https://eclipse.org/paho";
+ description = "An Eclipse Paho C client library for MQTT";
+ license = licenses.epl20;
+ };
+
+ src = fetchurl {
+ url = "https://github.com/eclipse/paho.mqtt.c/archive/refs/tags/v" + version + ".tar.gz";
+ sha256 = "1v9m4mx47bhahzda5sf5zp80shbaizymfbdidm8hsvfgl5grnv1q";
+ };
+
+ buildInputs = [openssl];
+ nativeBuildInputs = [cmake];
+
+ cmakeFlags = ["-DPAHO_WITH_SSL=TRUE" "-DPAHO_HIGH_PERFORMANCE=TRUE"];
+}
diff --git a/pkgs/sentinel/certgen/default.nix b/pkgs/sentinel/certgen/default.nix
new file mode 100644
index 0000000..3818b9b
--- /dev/null
+++ b/pkgs/sentinel/certgen/default.nix
@@ -0,0 +1,25 @@
+{ buildPythonApplication, lib, fetchgit
+, python3
+, crypto-wrapper
+}:
+
+buildPythonApplication rec {
+ pname = "sentinel-certgen";
+ version = "6.2";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/sentinel/certgen";
+ description = "Sentinel automated passwords and certificates retrieval";
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/sentinel/certgen.git";
+ rev = "v" + version;
+ sha256 = "10ii3j3wqdib7m2fc0w599981mv9q3ahj96q4kyrn5sh18v2c7nb";
+ };
+
+ propagatedBuildInputs = with python3.pkgs; [
+ crypto-wrapper
+ six requests cryptography
+ ];
+}
diff --git a/pkgs/sentinel/dynfw-client/default.nix b/pkgs/sentinel/dynfw-client/default.nix
new file mode 100644
index 0000000..b059b6d
--- /dev/null
+++ b/pkgs/sentinel/dynfw-client/default.nix
@@ -0,0 +1,26 @@
+{ buildPythonApplication, lib, fetchgit
+, ipset
+}:
+
+buildPythonApplication rec {
+ pname = "sentinel-dynfw-client";
+ version = "1.4.0";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/sentinel/dynfw-client";
+ description = "Dynamic firewall client";
+ platforms = platforms.linux;
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/sentinel/dynfw-client.git";
+ rev = "v" + version;
+ sha256 = "1g0wbhsjzifvdfvig6922cl3yfj1f96yvg11s4vgiaxca9yspcmp";
+ };
+
+ buildInputs = [ipset];
+ preConfigure = ''
+ ls
+ find -type f | xargs sed -i 's#/usr/sbin/ipset#${ipset}#g'
+ '';
+}
diff --git a/pkgs/sentinel/faillogs/default.nix b/pkgs/sentinel/faillogs/default.nix
new file mode 100644
index 0000000..4b3a2d3
--- /dev/null
+++ b/pkgs/sentinel/faillogs/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config, gperf
+, logc, logc-libs, libevent, czmq, msgpack, libconfig
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "sentinel-faillogs";
+ version = "0.1.0";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/sentinel/faillogs";
+ description = "Failed login attempt logs collector";
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/sentinel/faillogs.git";
+ rev = "99ec41baed19cc1ca70490b2b8cd81784e7748d2";
+ sha256 = "1pp93z78qwg7arca5z70gdp5ja2jldk1rzig8r29a2fhjakd0hb2";
+ };
+
+ buildInputs = [logc logc-libs libevent czmq msgpack libconfig];
+ nativeBuildInputs = [bootstrapHook pkg-config gperf];
+ depsBuildBuild = [check];
+
+ doCheck = true;
+ doInstallCheck = true;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/sentinel/fwlogs/default.nix b/pkgs/sentinel/fwlogs/default.nix
new file mode 100644
index 0000000..6c9d529
--- /dev/null
+++ b/pkgs/sentinel/fwlogs/default.nix
@@ -0,0 +1,30 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config
+, czmq, msgpack, logc-0_1, logc-libs, libconfig, libnetfilter_log
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "sentinel-proxy";
+ version = "0.2.0";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/sentinel/fwlogs";
+ description = "Firewall logs collector";
+ platforms = platforms.linux;
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/sentinel/fwlogs.git";
+ rev = "v" + version;
+ sha256 = "04rlm3mlri2wz33z6jh2yh0p81lnrfpfmmfjrn4sfjwh1g21ins7";
+ };
+
+ buildInputs = [czmq msgpack logc-0_1 logc-libs libconfig libnetfilter_log];
+ nativeBuildInputs = [bootstrapHook pkg-config];
+ depsBuildBuild = [check];
+
+ doCheck = true;
+ doInstallCheck = true;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/sentinel/minipot/default.nix b/pkgs/sentinel/minipot/default.nix
new file mode 100644
index 0000000..1f26074
--- /dev/null
+++ b/pkgs/sentinel/minipot/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config, gperf
+, czmq, msgpack, libevent, base64c, logc-0_1, logc-libs
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "sentinel-minipot";
+ version = "2.2";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/sentinel/minipot";
+ description = "Firewall logs collector";
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/sentinel/minipot.git";
+ rev = "v" + version;
+ sha256 = "05p2q9mj8bhjapfphlrs45l691dmkpiia6ir1nnpa1pa5jy045p9";
+ };
+
+ buildInputs = [czmq msgpack libevent base64c logc-0_1 logc-libs];
+ nativeBuildInputs = [bootstrapHook pkg-config gperf];
+ depsBuildBuild = [check];
+
+ doCheck = true;
+ doInstallCheck = true;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/sentinel/proxy/default.nix b/pkgs/sentinel/proxy/default.nix
new file mode 100644
index 0000000..a3b6bf2
--- /dev/null
+++ b/pkgs/sentinel/proxy/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, fetchgit
+, bootstrapHook, pkg-config, gperf
+, openssl, zlib, czmq, libconfig, msgpack, paho-mqtt-c
+, check
+}:
+
+stdenv.mkDerivation rec {
+ pname = "sentinel-proxy";
+ version = "1.4";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/sentinel/proxy";
+ description = "Main MQTT Sentinel client. Proxy that lives on the router and relays messages received from ZMQ to uplink server over MQTT channel.";
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/sentinel/proxy.git";
+ rev = "v" + version;
+ sha256 = "11s538yf4ydlzlx1vs9fc6hh9igf40s3v853mlcki8a28bni6xwb";
+ };
+
+ buildInputs = [openssl zlib czmq libconfig msgpack paho-mqtt-c];
+ nativeBuildInputs = [bootstrapHook pkg-config gperf];
+ depsBuildBuild = [check];
+
+ preConfigure = "./bootstrap";
+
+ doCheck = true;
+ doInstallCheck = true;
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}
diff --git a/pkgs/turris/crypto-wrapper/default.nix b/pkgs/turris/crypto-wrapper/default.nix
new file mode 100644
index 0000000..aa65b17
--- /dev/null
+++ b/pkgs/turris/crypto-wrapper/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, lib, fetchgit
+}:
+
+stdenv.mkDerivation rec {
+ pname = "turris-crypto-wrapper";
+ version = "0.4";
+ meta = with lib; {
+ homepage = "https://gitlab.nic.cz/turris/crypto-wrapper";
+ description = "";
+ license = licenses.gpl3;
+ };
+
+ src = fetchgit {
+ url = "https://gitlab.nic.cz/turris/crypto-wrapper.git";
+ rev = "v" + version;
+ sha256 = "1ly37cajkmgqmlj230h5az9m2m1rgvf4r0bf94yipp80wl0z215s";
+ };
+
+ buildInputs = [czmq msgpack libevent base64c logc-0_1 logc-libs];
+ nativeBuildInputs = [bootstrapHook pkg-config gperf];
+ depsBuildBuild = [check];
+
+ configureFlags = lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "--enable-tests";
+}