From bd9812fab0daea5f0911047a70494dc25089ac79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sat, 9 Apr 2022 10:17:34 +0200 Subject: Initial version This was taken from nixturris. --- nixos/default.nix | 5 +++ nixos/modules/sentinel-faillogs.nix | 36 +++++++++++++++++++ nixos/modules/sentinel-fwlogs.nix | 41 +++++++++++++++++++++ nixos/modules/sentinel-minipot.nix | 72 +++++++++++++++++++++++++++++++++++++ nixos/modules/sentinel.nix | 60 +++++++++++++++++++++++++++++++ nixos/sentinel-ca.pem | 61 +++++++++++++++++++++++++++++++ 6 files changed, 275 insertions(+) create mode 100644 nixos/default.nix create mode 100644 nixos/modules/sentinel-faillogs.nix create mode 100644 nixos/modules/sentinel-fwlogs.nix create mode 100644 nixos/modules/sentinel-minipot.nix create mode 100644 nixos/modules/sentinel.nix create mode 100644 nixos/sentinel-ca.pem (limited to 'nixos') diff --git a/nixos/default.nix b/nixos/default.nix new file mode 100644 index 0000000..b95e12a --- /dev/null +++ b/nixos/default.nix @@ -0,0 +1,5 @@ +{ + sentinel = import ./modules/sentinel.nix; + sentinel-fwlogs = import ./modules/sentinel-fwlogs.nix; + sentinel-minipot = import ./modules/sentinel-minipot.nix; +} diff --git a/nixos/modules/sentinel-faillogs.nix b/nixos/modules/sentinel-faillogs.nix new file mode 100644 index 0000000..93ade14 --- /dev/null +++ b/nixos/modules/sentinel-faillogs.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + imports = [ ./sentinel.nix ]; + + + options = { + services.sentinel.faillogs = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel Fail logs collector. + The services.sentinel.enable has to be enabled as well. + ''; + }; + }; + }; + + + config = mkIf config.services.sentinel.enable && config.services.sentinel.faillogs.enable { + environment.systemPackages = [ pkgs.sentinel-faillogs ]; + + systemd.services.sentinel-faillogs = { + description = "Turris Sentinel Fail Logs"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.sentinel-faillogs ]; + serviceConfig.ExecStart = "${pkgs.sentinel-faillogs}/bin/sentinel-faillogs"; + }; + + }; + +} diff --git a/nixos/modules/sentinel-fwlogs.nix b/nixos/modules/sentinel-fwlogs.nix new file mode 100644 index 0000000..d2bc864 --- /dev/null +++ b/nixos/modules/sentinel-fwlogs.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + imports = [ ./sentinel.nix ]; + + + options = { + services.sentinel.fwlogs = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel Firewall logs collector. + The services.sentinel.enable has to be enabled as well. + ''; + }; + nflog-group = mkOption { + type = types.port; + default = 1914; + description = "Netfilter log group used to pass logs to sentinel-fwlogs."; + }; + }; + }; + + + config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable { + environment.systemPackages = [ pkgs.sentinel-fwlogs ]; + + systemd.services.sentinel-fwlogs = { + description = "Turris Sentinel Firewall Logs"; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.sentinel-fwlogs ]; + serviceConfig.ExecStart = "${pkgs.sentinel-fwlogs}/bin/sentinel-fwlogs"; + }; + + }; + +} diff --git a/nixos/modules/sentinel-minipot.nix b/nixos/modules/sentinel-minipot.nix new file mode 100644 index 0000000..8dcf370 --- /dev/null +++ b/nixos/modules/sentinel-minipot.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cnf = config.sentinel.minipot; + inherit (pkgs) sentinel-minipot; + + minipotOpts = { name, port }: { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel ${name} Minipot. + The services.sentinel.enable and service.sentinel.minipot.enable have to be enabled as well. + ''; + }; + port = mkOption { + type = types.port; + default = port; + description = "The port ${name} minipot should bind to."; + }; + }; + +in { + + imports = [ ./sentinel.nix ]; + + options = { + services.sentinel.minipot = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the Turris Sentinel Minipot system. + The services.sentinel.enable has to be enabled as well. + ''; + }; + + http = minipotOpts { name = "HTTP"; port = 8033; }; + ftp = minipotOpts { name = "FTP"; port = 2133; }; + smtp = minipotOpts { name = "SMTP"; port = 5873; }; + telnet = minipotOpts { name = "Telnet"; port = 2333; }; + }; + }; + + + config = mkIf (config.services.sentinel.enable && cnf.enable) { + assertions = [ + { + assertion = cnf.http.enable || cnf.ftp.enable || cnf.smtp.enable || cnf.telnet.enable; + message = "Sentinel minipot requires at least one of the protocols to be enabled"; + } + ]; + + environment.systemPackages = [ sentinel-minipot ]; + + systemd.services.sentinel-minipot = { + description = "Turris Sentinel Minipot"; + wantedBy = [ "multi-user.target" ]; + path = [ sentinel-minipot ]; + serviceConfig.ExecStart = "${sentinel-minipot}/bin/sentinel-minipot" + + optionalString cnf.http.enable " --http=${cnf.http.port}" + + optionalString cnf.ftp.enable " --ftp=${cnf.ftp.port}" + + optionalString cnf.smtp.enable " --smtp=${cnf.smtp.port}" + + optionalString cnf.telnet.enable " --telnet=${cnf.telnet.port}"; + }; + + }; + +} diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix new file mode 100644 index 0000000..19ef746 --- /dev/null +++ b/nixos/modules/sentinel.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cnf = config.sentinel; + +in { + + options = { + + services.sentinel = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the Turris Sentinel attact prevention system. + ''; + }; + deviceToken = mkOption { + type = types.str; + description = '' + Turris Sentinel token. You can use `sentinel-device-token -c` to get new one. + ''; + }; + sentinelCA = mkOption { + type = types.path; + default = ../sentinel-ca.pem; + description = '' + The CA certificate used with Sentinel. + Most of the times you do not want to modify this as it uses the + certificate shipped with NixOS modules. + ''; + }; + + }; + + }; + + + config = mkIf config.services.sentinel.enable { + environment.systemPackages = with pkgs; [ + sentinel-proxy sentinel-certgen + ]; + + # TODO we should probably rather pass token using configuration file + systemd.services.sentinel-proxy = { + description = "Turris Sentinel proxy"; + wantedBy = [ "multi-user.target" ]; + path = [ sentinel-proxy ]; + serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy" + + "--ca=${cnf.sentinelCA}" + + " --token=${cnf.deviceToken}"; + }; + + }; + +} diff --git a/nixos/sentinel-ca.pem b/nixos/sentinel-ca.pem new file mode 100644 index 0000000..8c1f6a5 --- /dev/null +++ b/nixos/sentinel-ca.pem @@ -0,0 +1,61 @@ +################################################################ +(Development) Sentinel CA + +-----BEGIN CERTIFICATE----- +MIIGsDCCBJigAwIBAgIJAM3oziL/qM4GMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD +VQQGEwJDWjELMAkGA1UECBMCQ1oxDzANBgNVBAcTBlByYWd1ZTEPMA0GA1UEChMG +Q1ouTklDMQ8wDQYDVQQLEwZUdXJyaXMxFDASBgNVBAMTC1NlbnRpbmVsIENBMREw +DwYDVQQpEwhTZW50aW5lbDEeMBwGCSqGSIb3DQEJARYPYWRtaW5AdHVycmlzLmN6 +MB4XDTE4MDEyNjA4MzMzOVoXDTI4MDEyNDA4MzMzOVowgZYxCzAJBgNVBAYTAkNa +MQswCQYDVQQIEwJDWjEPMA0GA1UEBxMGUHJhZ3VlMQ8wDQYDVQQKEwZDWi5OSUMx +DzANBgNVBAsTBlR1cnJpczEUMBIGA1UEAxMLU2VudGluZWwgQ0ExETAPBgNVBCkT +CFNlbnRpbmVsMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkB0dXJyaXMuY3owggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAwpqRmGRX8qg4lJNJNzXWwj1nVMTm +vc2W5vjpfwr93YoSqOz4rKlO7fQs3Zbe4LleXwAZncV5lAU1EkOD24Tjb5nKeGjM +JDvkKL0QGCuSUC1VYdbaqlhZRDNkdB6GiR/MJTHx/op1RcKqi/muc4ywbjFdf1yp +OJ6pOoifRqEuQkumWXT3dHdE5HuSHdxFLqL4Xre7fa0fs0YXb487VWIgJq/ASQrR +Zcj1z3oMJaQYrEnHL64NcdKUer0hzExhOdUk9/SWTtDMUWiFeDV/Kh45a781lUd8 +zI/TkG14mkOuc72y0dyoi9gOjtiJHSaKkVle47rEk+VhNA/3TsBLcQ2pA335iK96 +aFdeos3wQQaKouADye/9HsHofK2AE8aRkHPC4dK2mufqOhw36v74jAbRm3xsosDn +TpADgVOroOV3JtNJROGCoDqOWNSnjv3Nw46acOVt7JS8Ry/7ubXAEtDYv0CPyK0z +M7/9ztfN+ub2/fsbjJixwWcoEijDnmU1wq5zEeP64XxT49R56/ChMT0xhKXmnnlw +ijV/EGX35xNPGRd3Wi9Z9F+zJePccVNOtobq6CQ00EuHKkFytqMNMqfe7+XxkZug +h70eTGwSYd3iLiKsbsE/2+Eynv9Jqj7rEbzlvRYEImZjHlvSuXRDyYd7mMzbQzek +F+APPvY9YlmEGQIDAQABo4H+MIH7MB0GA1UdDgQWBBS75bhWkQWeTeGGlxwRcO4d +uRywjTCBywYDVR0jBIHDMIHAgBS75bhWkQWeTeGGlxwRcO4duRywjaGBnKSBmTCB +ljELMAkGA1UEBhMCQ1oxCzAJBgNVBAgTAkNaMQ8wDQYDVQQHEwZQcmFndWUxDzAN +BgNVBAoTBkNaLk5JQzEPMA0GA1UECxMGVHVycmlzMRQwEgYDVQQDEwtTZW50aW5l +bCBDQTERMA8GA1UEKRMIU2VudGluZWwxHjAcBgkqhkiG9w0BCQEWD2FkbWluQHR1 +cnJpcy5jeoIJAM3oziL/qM4GMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD +ggIBAIGfkxSiYMO54JUqJmRPJeFml1qs++YQP0j4bhEToOP85j7ZoxIGfFYdakr7 +RXJ5JmVceNw+MQ7JLWL0ydBvKaEYpUXVyqMYMeICxIZcB8jrgAwATxMzv5Ku5EXx ++7ee/aswCtkc5WO9c8BNLuqewCwHhplTBMSpR7BJ7zfCQnk3o1BBeXY41TcDj6/C +oY5rDv0Zput9m9f5w0+/ukUm6O2TnUh6L622Jv8EQlEeeP1xvKLKeNQOzjEYlguI +fXqqVXsjxToRRjY6XfOWbuxZDkEp5TXDqIqLIo2PhS4b/phXJw/S0v//oRh1YOKo +VEu4vBpTL2pKYFdaPGGLRR0ajXUKJagkQPyy+3I4TWvqE2c1LIkpJF/PlRuets3u +LxldSbBHLV380ubGa288ywDXI65PE4jdjaa/V1dcJ+kkgwc4BMIfFkU0LenQ8ucL +Mh6iFfeT0iXTyU7Jm9gfn+nqHoZY4i6i3g/2Byt1Dn36RAcjGXxAO2G19roCux9d +S42NowRqdbAVOFKjkQ2Ojk4i5FsqVkX+Ykf5jEfD/LnGZSKcHNjRIKU60Lc0r2+H +EzKOPyTHDcUioPfuXGcl112WfqU+/HWt4nW0QEpNKCNpZ6Opsl0alpESWOBSBN6j ++SZimokYV8q+L9XhyY6Y7Q7d9Szdm269J6FrPqih15AvpnTf +-----END CERTIFICATE----- + +################################################################ +Sentinel Root CA X1 + +-----BEGIN CERTIFICATE----- +MIICbjCCAfWgAwIBAgIUJyxjDM9S/kHOqDp2PHlTOKUwuyQwCgYIKoZIzj0EAwMw +aDELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklD +LCB6LnMucC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBS +b290IENBIFgxMB4XDTIxMDMyOTIzNTE0N1oXDTM2MDMyNTIzNTE0N1owaDELMAkG +A1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEZMBcGA1UECgwQQ1ouTklDLCB6LnMu +cC5vLjEPMA0GA1UECwwGVHVycmlzMRwwGgYDVQQDDBNTZW50aW5lbCBSb290IENB +IFgxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3RsNCfNMwh+pFZ0QFa8wCtounDkg +gKFkI0D8yzgIEQ5iWDb3d4wP3vKB+tvjTmlXewsXYVbfLQ16PMZ6ouHfdRqUr9RE +EYgDzAOETTVn9JLb/8IUOQlp5SpEjGM1Lkzjo2AwXjAdBgNVHQ4EFgQUYCW+fE/0 +HW/+NzFRNbPPAQe7PC4wHwYDVR0jBBgwFoAUYCW+fE/0HW/+NzFRNbPPAQe7PC4w +DwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIw +WhbBJ/awrC15hG6t1oU0zlbMigRbD2d8ERGQw8vvC1eNkoT1DJVoBfEfVo/C/kyq +AjA01kbjwaFIIYNB9TwpHCw5jPAbplVq+MxorfwVjQX0yfXSZL/EJ6Krgs6E6tFw +onY= +-----END CERTIFICATE----- -- cgit v1.2.3