authorKarel Kočí <cynerd@email.cz>2022-04-09 10:17:34 +0200
committerKarel Kočí <cynerd@email.cz>2022-04-09 10:17:34 +0200
commitbd9812fab0daea5f0911047a70494dc25089ac79 (patch)
treea96d9955b6aee8c5dcc435c551a5c2c724dd945e /nixos
Initial versionHEADmaster
This was taken from nixturris.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/default.nix5
-rw-r--r--nixos/modules/sentinel-faillogs.nix36
-rw-r--r--nixos/modules/sentinel-fwlogs.nix41
-rw-r--r--nixos/modules/sentinel-minipot.nix72
-rw-r--r--nixos/modules/sentinel.nix60
-rw-r--r--nixos/sentinel-ca.pem61
6 files changed, 275 insertions, 0 deletions
diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..b95e12a
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,5 @@
+{
+ sentinel = import ./modules/sentinel.nix;
+ sentinel-fwlogs = import ./modules/sentinel-fwlogs.nix;
+ sentinel-minipot = import ./modules/sentinel-minipot.nix;
+}
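Review bot: `sentinel-faillogs` is missing from the exported attribute set even though this commit adds `nixos/modules/sentinel-faillogs.nix`, so that module cannot be reached through this entry point. Add `sentinel-faillogs = import ./modules/sentinel-faillogs.nix;` alongside the other three entries so all four modules are exposed consistently.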
diff --git a/nixos/modules/sentinel-faillogs.nix b/nixos/modules/sentinel-faillogs.nix
new file mode 100644
index 0000000..93ade14
--- /dev/null
+++ b/nixos/modules/sentinel-faillogs.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ imports = [ ./sentinel.nix ];
+
+
+ options = {
+ services.sentinel.faillogs = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Fail logs collector.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+ };
+ };
+
+
+ config = mkIf config.services.sentinel.enable && config.services.sentinel.faillogs.enable {
+ environment.systemPackages = [ pkgs.sentinel-faillogs ];
+
+ systemd.services.sentinel-faillogs = {
+ description = "Turris Sentinel Fail Logs";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sentinel-faillogs ];
+ serviceConfig.ExecStart = "${pkgs.sentinel-faillogs}/bin/sentinel-faillogs";
+ };
+
+ };
+
+}
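Review bot: The `mkIf` condition on the `config =` line is missing parentheses: in Nix, function application binds tighter than `&&`, so this parses as `(mkIf config.services.sentinel.enable) && (config.services.sentinel.faillogs.enable { … })` and fails at evaluation time. It should read `config = mkIf (config.services.sentinel.enable && config.services.sentinel.faillogs.enable) {`, which is the form the minipot module in this same commit already uses. The same line in `nixos/modules/sentinel-fwlogs.nix` has the identical problem. Separately, the unit carries no `serviceConfig` beyond `ExecStart`, so it runs with full root privileges; what the collector actually needs to read is not visible here, but a comment stating that (and whether `DynamicUser` or a dedicated user would suffice) would help the next maintainer harden it.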
diff --git a/nixos/modules/sentinel-fwlogs.nix b/nixos/modules/sentinel-fwlogs.nix
new file mode 100644
index 0000000..d2bc864
--- /dev/null
+++ b/nixos/modules/sentinel-fwlogs.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ imports = [ ./sentinel.nix ];
+
+
+ options = {
+ services.sentinel.fwlogs = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Firewall logs collector.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+ nflog-group = mkOption {
+ type = types.port;
+ default = 1914;
+ description = "Netfilter log group used to pass logs to sentinel-fwlogs.";
+ };
+ };
+ };
+
+
+ config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable {
+ environment.systemPackages = [ pkgs.sentinel-fwlogs ];
+
+ systemd.services.sentinel-fwlogs = {
+ description = "Turris Sentinel Firewall Logs";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sentinel-fwlogs ];
+ serviceConfig.ExecStart = "${pkgs.sentinel-fwlogs}/bin/sentinel-fwlogs";
+ };
+
+ };
+
+}
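Review bot: `nflog-group` is declared but never consumed: the `config` block neither passes it to `sentinel-fwlogs` on the `ExecStart` line nor installs a netfilter rule that logs to that group, so changing the option has no effect. Either wire it into `serviceConfig.ExecStart` (the binary's flag name is not shown here, so check it) or state in the option description that the user is responsible for the NFLOG rule that feeds this group. Also, `types.port` is semantically a TCP/UDP port; an NFLOG group number would be more accurately typed as `types.ints.u16`.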
diff --git a/nixos/modules/sentinel-minipot.nix b/nixos/modules/sentinel-minipot.nix
new file mode 100644
index 0000000..8dcf370
--- /dev/null
+++ b/nixos/modules/sentinel-minipot.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cnf = config.sentinel.minipot;
+ inherit (pkgs) sentinel-minipot;
+
+ minipotOpts = { name, port }: {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel ${name} Minipot.
+ The services.sentinel.enable and service.sentinel.minipot.enable have to be enabled as well.
+ '';
+ };
+ port = mkOption {
+ type = types.port;
+ default = port;
+ description = "The port ${name} minipot should bind to.";
+ };
+ };
+
+in {
+
+ imports = [ ./sentinel.nix ];
+
+ options = {
+ services.sentinel.minipot = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Minipot system.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+
+ http = minipotOpts { name = "HTTP"; port = 8033; };
+ ftp = minipotOpts { name = "FTP"; port = 2133; };
+ smtp = minipotOpts { name = "SMTP"; port = 5873; };
+ telnet = minipotOpts { name = "Telnet"; port = 2333; };
+ };
+ };
+
+
+ config = mkIf (config.services.sentinel.enable && cnf.enable) {
+ assertions = [
+ {
+ assertion = cnf.http.enable || cnf.ftp.enable || cnf.smtp.enable || cnf.telnet.enable;
+ message = "Sentinel minipot requires at least one of the protocols to be enabled";
+ }
+ ];
+
+ environment.systemPackages = [ sentinel-minipot ];
+
+ systemd.services.sentinel-minipot = {
+ description = "Turris Sentinel Minipot";
+ wantedBy = [ "multi-user.target" ];
+ path = [ sentinel-minipot ];
+ serviceConfig.ExecStart = "${sentinel-minipot}/bin/sentinel-minipot"
+ + optionalString cnf.http.enable " --http=${cnf.http.port}"
+ + optionalString cnf.ftp.enable " --ftp=${cnf.ftp.port}"
+ + optionalString cnf.smtp.enable " --smtp=${cnf.smtp.port}"
+ + optionalString cnf.telnet.enable " --telnet=${cnf.telnet.port}";
+ };
+
+ };
+
+}
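Review bot: `cnf = config.sentinel.minipot;` points at a path no module declares; the options are defined under `services.sentinel.minipot`, so every `cnf.*` reference in the `config` block will fail with a missing-attribute error. It should be `cnf = config.services.sentinel.minipot;`, and `nixos/modules/sentinel.nix` has the same slip with `cnf = config.sentinel;`. The `ExecStart` string also interpolates `cnf.http.port` and the other ports directly, but `types.port` values are integers and Nix will not coerce them into a string — wrap each as `${toString cnf.http.port}`. Minor: the `minipotOpts` description says `service.sentinel.minipot.enable`, which should be `services.sentinel.minipot.enable`.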
diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix
new file mode 100644
index 0000000..19ef746
--- /dev/null
+++ b/nixos/modules/sentinel.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cnf = config.sentinel;
+
+in {
+
+ options = {
+
+ services.sentinel = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the Turris Sentinel attact prevention system.
+ '';
+ };
+ deviceToken = mkOption {
+ type = types.str;
+ description = ''
+ Turris Sentinel token. You can use `sentinel-device-token -c` to get new one.
+ '';
+ };
+ sentinelCA = mkOption {
+ type = types.path;
+ default = ../sentinel-ca.pem;
+ description = ''
+ The CA certificate used with Sentinel.
+ Most of the times you do not want to modify this as it uses the
+ certificate shipped with NixOS modules.
+ '';
+ };
+
+ };
+
+ };
+
+
+ config = mkIf config.services.sentinel.enable {
+ environment.systemPackages = with pkgs; [
+ sentinel-proxy sentinel-certgen
+ ];
+
+ # TODO we should probably rather pass token using configuration file
+ systemd.services.sentinel-proxy = {
+ description = "Turris Sentinel proxy";
+ wantedBy = [ "multi-user.target" ];
+ path = [ sentinel-proxy ];
+ serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy"
+ + "--ca=${cnf.sentinelCA}"
+ + " --token=${cnf.deviceToken}";
+ };
+
+ };
+
+}
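Review bot: `path = [ sentinel-proxy ]` and the `${sentinel-proxy}` interpolation in `ExecStart` reference an unbound name: the `with pkgs;` on the `systemPackages` line scopes only that list, so both need `pkgs.sentinel-proxy`. The string concatenation also lacks a separating space, producing `…/bin/sentinel-proxy--ca=…`; use `+ " --ca=${cnf.sentinelCA}"`. On the TODO: interpolating `cnf.deviceToken` into `ExecStart` writes the secret into the world-readable unit file under `/nix/store` and exposes it in the process command line to every local user; a path-typed option read at runtime via `serviceConfig.LoadCredential` or `EnvironmentFile` would keep it out of the store, and until that is done the option description should warn that the token becomes world-readable. The bundled default `../sentinel-ca.pem` begins with a certificate labelled `(Development) Sentinel CA`; confirm whether that CA should be trusted by production deployments, and fix the `attact` typo in the `enable` description while here.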
diff --git a/nixos/sentinel-ca.pem b/nixos/sentinel-ca.pem
new file mode 100644
index 0000000..8c1f6a5
--- /dev/null
+++ b/nixos/sentinel-ca.pem
@@ -0,0 +1,61 @@
+################################################################
+(Development) Sentinel CA
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+################################################################
+Sentinel Root CA X1
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----