1 files changed, 60 insertions, 0 deletions

diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix
new file mode 100644
index 0000000..19ef746
--- /dev/null
+++ b/nixos/modules/sentinel.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cnf = config.sentinel;
+
+in {
+
+  options = {
+
+    services.sentinel = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable the Turris Sentinel attact prevention system.
+        '';
+      };
+      deviceToken = mkOption {
+        type = types.str;
+        description = ''
+          Turris Sentinel token. You can use `sentinel-device-token -c` to get new one.
+        '';
+      };
+      sentinelCA = mkOption {
+        type = types.path;
+        default = ../sentinel-ca.pem;
+        description = ''
+          The CA certificate used with Sentinel.
+          Most of the times you do not want to modify this as it uses the
+          certificate shipped with NixOS modules.
+        '';
+      };
+
+    };
+
+  };
+
+
+  config = mkIf config.services.sentinel.enable {
+    environment.systemPackages = with pkgs; [
+      sentinel-proxy sentinel-certgen
+    ];
+
+    # TODO we should probably rather pass token using configuration file
+    systemd.services.sentinel-proxy = {
+      description = "Turris Sentinel proxy";
+      wantedBy = [ "multi-user.target" ];
+      path = [ sentinel-proxy ];
+      serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy"
+        + "--ca=${cnf.sentinelCA}"
+        + " --token=${cnf.deviceToken}";
+    };
+
+  };
+
+}