From bd9812fab0daea5f0911047a70494dc25089ac79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
Date: Sat, 9 Apr 2022 10:17:34 +0200
Subject: Initial version

This was taken from nixturris.
---
 nixos/default.nix                   |  5 +++
 nixos/modules/sentinel-faillogs.nix | 36 +++++++++++++++++++
 nixos/modules/sentinel-fwlogs.nix   | 41 +++++++++++++++++++++
 nixos/modules/sentinel-minipot.nix  | 72 +++++++++++++++++++++++++++++++++++++
 nixos/modules/sentinel.nix          | 60 +++++++++++++++++++++++++++++++
 nixos/sentinel-ca.pem               | 61 +++++++++++++++++++++++++++++++
 6 files changed, 275 insertions(+)
 create mode 100644 nixos/default.nix
 create mode 100644 nixos/modules/sentinel-faillogs.nix
 create mode 100644 nixos/modules/sentinel-fwlogs.nix
 create mode 100644 nixos/modules/sentinel-minipot.nix
 create mode 100644 nixos/modules/sentinel.nix
 create mode 100644 nixos/sentinel-ca.pem

(limited to 'nixos')

diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..b95e12a
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,5 @@
+{
+  sentinel = import ./modules/sentinel.nix;
+  sentinel-fwlogs = import ./modules/sentinel-fwlogs.nix;
+  sentinel-minipot = import ./modules/sentinel-minipot.nix;
+}
diff --git a/nixos/modules/sentinel-faillogs.nix b/nixos/modules/sentinel-faillogs.nix
new file mode 100644
index 0000000..93ade14
--- /dev/null
+++ b/nixos/modules/sentinel-faillogs.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  imports = [ ./sentinel.nix ];
+
+
+  options = {
+    services.sentinel.faillogs = {
+        enable = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            Whether to enable the Turris Sentinel Fail logs collector.
+            The services.sentinel.enable has to be enabled as well.
+          '';
+        };
+      };
+  };
+
+
+  config = mkIf config.services.sentinel.enable && config.services.sentinel.faillogs.enable {
+    environment.systemPackages = [ pkgs.sentinel-faillogs ];
+
+    systemd.services.sentinel-faillogs = {
+      description = "Turris Sentinel Fail Logs";
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.sentinel-faillogs ];
+      serviceConfig.ExecStart = "${pkgs.sentinel-faillogs}/bin/sentinel-faillogs";
+    };
+
+  };
+
+}
diff --git a/nixos/modules/sentinel-fwlogs.nix b/nixos/modules/sentinel-fwlogs.nix
new file mode 100644
index 0000000..d2bc864
--- /dev/null
+++ b/nixos/modules/sentinel-fwlogs.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  imports = [ ./sentinel.nix ];
+
+
+  options = {
+    services.sentinel.fwlogs = {
+        enable = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            Whether to enable the Turris Sentinel Firewall logs collector.
+            The services.sentinel.enable has to be enabled as well.
+          '';
+        };
+        nflog-group = mkOption {
+          type = types.port;
+          default = 1914;
+          description = "Netfilter log group used to pass logs to sentinel-fwlogs.";
+        };
+      };
+  };
+
+
+  config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable {
+    environment.systemPackages = [ pkgs.sentinel-fwlogs ];
+
+    systemd.services.sentinel-fwlogs = {
+      description = "Turris Sentinel Firewall Logs";
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.sentinel-fwlogs ];
+      serviceConfig.ExecStart = "${pkgs.sentinel-fwlogs}/bin/sentinel-fwlogs";
+    };
+
+  };
+
+}
diff --git a/nixos/modules/sentinel-minipot.nix b/nixos/modules/sentinel-minipot.nix
new file mode 100644
index 0000000..8dcf370
--- /dev/null
+++ b/nixos/modules/sentinel-minipot.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cnf = config.sentinel.minipot;
+  inherit (pkgs) sentinel-minipot;
+
+  minipotOpts = { name, port }: {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to enable the Turris Sentinel ${name} Minipot.
+        The services.sentinel.enable and service.sentinel.minipot.enable have to be enabled as well.
+      '';
+    };
+    port = mkOption {
+      type = types.port;
+      default = port;
+      description = "The port ${name} minipot should bind to.";
+    };
+  };
+
+in {
+
+  imports = [ ./sentinel.nix ];
+
+  options = {
+    services.sentinel.minipot = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to enable the Turris Sentinel Minipot system.
+          The services.sentinel.enable has to be enabled as well.
+        '';
+      };
+
+      http = minipotOpts { name = "HTTP"; port = 8033; };
+      ftp = minipotOpts { name = "FTP"; port = 2133; };
+      smtp = minipotOpts { name = "SMTP"; port = 5873; };
+      telnet = minipotOpts { name = "Telnet"; port = 2333; };
+    };
+  };
+
+
+  config = mkIf (config.services.sentinel.enable && cnf.enable) {
+    assertions = [
+      {
+        assertion = cnf.http.enable || cnf.ftp.enable || cnf.smtp.enable || cnf.telnet.enable;
+        message = "Sentinel minipot requires at least one of the protocols to be enabled";
+      }
+    ];
+
+    environment.systemPackages = [ sentinel-minipot ];
+
+    systemd.services.sentinel-minipot = {
+      description = "Turris Sentinel Minipot";
+      wantedBy = [ "multi-user.target" ];
+      path = [ sentinel-minipot ];
+      serviceConfig.ExecStart = "${sentinel-minipot}/bin/sentinel-minipot"
+        + optionalString cnf.http.enable " --http=${cnf.http.port}"
+        + optionalString cnf.ftp.enable " --ftp=${cnf.ftp.port}"
+        + optionalString cnf.smtp.enable " --smtp=${cnf.smtp.port}"
+        + optionalString cnf.telnet.enable " --telnet=${cnf.telnet.port}";
+    };
+
+  };
+
+}
diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix
new file mode 100644
index 0000000..19ef746
--- /dev/null
+++ b/nixos/modules/sentinel.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cnf = config.sentinel;
+
+in {
+
+  options = {
+
+    services.sentinel = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable the Turris Sentinel attact prevention system.
+        '';
+      };
+      deviceToken = mkOption {
+        type = types.str;
+        description = ''
+          Turris Sentinel token. You can use `sentinel-device-token -c` to get new one.
+        '';
+      };
+      sentinelCA = mkOption {
+        type = types.path;
+        default = ../sentinel-ca.pem;
+        description = ''
+          The CA certificate used with Sentinel.
+          Most of the times you do not want to modify this as it uses the
+          certificate shipped with NixOS modules.
+        '';
+      };
+
+    };
+
+  };
+
+
+  config = mkIf config.services.sentinel.enable {
+    environment.systemPackages = with pkgs; [
+      sentinel-proxy sentinel-certgen
+    ];
+
+    # TODO we should probably rather pass token using configuration file
+    systemd.services.sentinel-proxy = {
+      description = "Turris Sentinel proxy";
+      wantedBy = [ "multi-user.target" ];
+      path = [ sentinel-proxy ];
+      serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy"
+        + "--ca=${cnf.sentinelCA}"
+        + " --token=${cnf.deviceToken}";
+    };
+
+  };
+
+}
diff --git a/nixos/sentinel-ca.pem b/nixos/sentinel-ca.pem
new file mode 100644
index 0000000..8c1f6a5
--- /dev/null
+++ b/nixos/sentinel-ca.pem
@@ -0,0 +1,61 @@
+################################################################
+(Development) Sentinel CA
+
+-----BEGIN CERTIFICATE-----
+MIIGsDCCBJigAwIBAgIJAM3oziL/qM4GMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
+VQQGEwJDWjELMAkGA1UECBMCQ1oxDzANBgNVBAcTBlByYWd1ZTEPMA0GA1UEChMG
+Q1ouTklDMQ8wDQYDVQQLEwZUdXJyaXMxFDASBgNVBAMTC1NlbnRpbmVsIENBMREw
+DwYDVQQpEwhTZW50aW5lbDEeMBwGCSqGSIb3DQEJARYPYWRtaW5AdHVycmlzLmN6
+MB4XDTE4MDEyNjA4MzMzOVoXDTI4MDEyNDA4MzMzOVowgZYxCzAJBgNVBAYTAkNa
+MQswCQYDVQQIEwJDWjEPMA0GA1UEBxMGUHJhZ3VlMQ8wDQYDVQQKEwZDWi5OSUMx
+DzANBgNVBAsTBlR1cnJpczEUMBIGA1UEAxMLU2VudGluZWwgQ0ExETAPBgNVBCkT
+CFNlbnRpbmVsMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkB0dXJyaXMuY3owggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAwpqRmGRX8qg4lJNJNzXWwj1nVMTm
+vc2W5vjpfwr93YoSqOz4rKlO7fQs3Zbe4LleXwAZncV5lAU1EkOD24Tjb5nKeGjM
+JDvkKL0QGCuSUC1VYdbaqlhZRDNkdB6GiR/MJTHx/op1RcKqi/muc4ywbjFdf1yp
+OJ6pOoifRqEuQkumWXT3dHdE5HuSHdxFLqL4Xre7fa0fs0YXb487VWIgJq/ASQrR
+Zcj1z3oMJaQYrEnHL64NcdKUer0hzExhOdUk9/SWTtDMUWiFeDV/Kh45a781lUd8
+zI/TkG14mkOuc72y0dyoi9gOjtiJHSaKkVle47rEk+VhNA/3TsBLcQ2pA335iK96
+aFdeos3wQQaKouADye/9HsHofK2AE8aRkHPC4dK2mufqOhw36v74jAbRm3xsosDn
+TpADgVOroOV3JtNJROGCoDqOWNSnjv3Nw46acOVt7JS8Ry/7ubXAEtDYv0CPyK0z
+M7/9ztfN+ub2/fsbjJixwWcoEijDnmU1wq5zEeP64XxT49R56/ChMT0xhKXmnnlw
+ijV/EGX35xNPGRd3Wi9Z9F+zJePccVNOtobq6CQ00EuHKkFytqMNMqfe7+XxkZug
+h70eTGwSYd3iLiKsbsE/2+Eynv9Jqj7rEbzlvRYEImZjHlvSuXRDyYd7mMzbQzek
+F+APPvY9YlmEGQIDAQABo4H+MIH7MB0GA1UdDgQWBBS75bhWkQWeTeGGlxwRcO4d
+uRywjTCBywYDVR0jBIHDMIHAgBS75bhWkQWeTeGGlxwRcO4duRywjaGBnKSBmTCB
+ljELMAkGA1UEBhMCQ1oxCzAJBgNVBAgTAkNaMQ8wDQYDVQQHEwZQcmFndWUxDzAN
+BgNVBAoTBkNaLk5JQzEPMA0GA1UECxMGVHVycmlzMRQwEgYDVQQDEwtTZW50aW5l
+bCBDQTERMA8GA1UEKRMIU2VudGluZWwxHjAcBgkqhkiG9w0BCQEWD2FkbWluQHR1
+cnJpcy5jeoIJAM3oziL/qM4GMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
+ggIBAIGfkxSiYMO54JUqJmRPJeFml1qs++YQP0j4bhEToOP85j7ZoxIGfFYdakr7
+RXJ5JmVceNw+MQ7JLWL0ydBvKaEYpUXVyqMYMeICxIZcB8jrgAwATxMzv5Ku5EXx
++7ee/aswCtkc5WO9c8BNLuqewCwHhplTBMSpR7BJ7zfCQnk3o1BBeXY41TcDj6/C
+oY5rDv0Zput9m9f5w0+/ukUm6O2TnUh6L622Jv8EQlEeeP1xvKLKeNQOzjEYlguI
+fXqqVXsjxToRRjY6XfOWbuxZDkEp5TXDqIqLIo2PhS4b/phXJw/S0v//oRh1YOKo
+VEu4vBpTL2pKYFdaPGGLRR0ajXUKJagkQPyy+3I4TWvqE2c1LIkpJF/PlRuets3u
+LxldSbBHLV380ubGa288ywDXI65PE4jdjaa/V1dcJ+kkgwc4BMIfFkU0LenQ8ucL
+Mh6iFfeT0iXTyU7Jm9gfn+nqHoZY4i6i3g/2Byt1Dn36RAcjGXxAO2G19roCux9d
+S42NowRqdbAVOFKjkQ2Ojk4i5FsqVkX+Ykf5jEfD/LnGZSKcHNjRIKU60Lc0r2+H
+EzKOPyTHDcUioPfuXGcl112WfqU+/HWt4nW0QEpNKCNpZ6Opsl0alpESWOBSBN6j
++SZimokYV8q+L9XhyY6Y7Q7d9Szdm269J6FrPqih15AvpnTf
+-----END CERTIFICATE-----
+
+################################################################
+Sentinel Root CA X1
+
+-----BEGIN CERTIFICATE-----
+MIICbjCCAfWgAwIBAgIUJyxjDM9S/kHOqDp2PHlTOKUwuyQwCgYIKoZIzj0EAwMw
+aDELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklD
+LCB6LnMucC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBS
+b290IENBIFgxMB4XDTIxMDMyOTIzNTE0N1oXDTM2MDMyNTIzNTE0N1owaDELMAkG
+A1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklDLCB6LnMu
+cC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBSb290IENB
+IFgxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3RsNCfNMwh+pFZ0QFa8wCtounDkg
+gKFkI0D8yzgIEQ5iWDb3d4wP3vKB+tvjTmlXewsXYVbfLQ16PMZ6ouHfdRqUr9RE
+EYgDzAOETTVn9JLb/8IUOQlp5SpEjGM1Lkzjo2AwXjAdBgNVHQ4EFgQUYCW+fE/0
+HW/+NzFRNbPPAQe7PC4wHwYDVR0jBBgwFoAUYCW+fE/0HW/+NzFRNbPPAQe7PC4w
+DwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIw
+WhbBJ/awrC15hG6t1oU0zlbMigRbD2d8ERGQw8vvC1eNkoT1DJVoBfEfVo/C/kyq
+AjA01kbjwaFIIYNB9TwpHCw5jPAbplVq+MxorfwVjQX0yfXSZL/EJ6Krgs6E6tFw
+onY=
+-----END CERTIFICATE-----
-- 
cgit v1.2.3