From bd9812fab0daea5f0911047a70494dc25089ac79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sat, 9 Apr 2022 10:17:34 +0200 Subject: Initial version This was taken from nixturris. --- nixos/modules/sentinel.nix | 60 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 nixos/modules/sentinel.nix (limited to 'nixos/modules/sentinel.nix') diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix new file mode 100644 index 0000000..19ef746 --- /dev/null +++ b/nixos/modules/sentinel.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cnf = config.sentinel; + +in { + + options = { + + services.sentinel = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the Turris Sentinel attact prevention system. + ''; + }; + deviceToken = mkOption { + type = types.str; + description = '' + Turris Sentinel token. You can use `sentinel-device-token -c` to get new one. + ''; + }; + sentinelCA = mkOption { + type = types.path; + default = ../sentinel-ca.pem; + description = '' + The CA certificate used with Sentinel. + Most of the times you do not want to modify this as it uses the + certificate shipped with NixOS modules. + ''; + }; + + }; + + }; + + + config = mkIf config.services.sentinel.enable { + environment.systemPackages = with pkgs; [ + sentinel-proxy sentinel-certgen + ]; + + # TODO we should probably rather pass token using configuration file + systemd.services.sentinel-proxy = { + description = "Turris Sentinel proxy"; + wantedBy = [ "multi-user.target" ]; + path = [ sentinel-proxy ]; + serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy" + + "--ca=${cnf.sentinelCA}" + + " --token=${cnf.deviceToken}"; + }; + + }; + +} -- cgit v1.2.3