fruchti/hosts
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Burp client: Add options for client, SSL PW file

Browse source
This commit is contained in:
fruchti 2023-03-12 14:39:34 +01:00
parent 3cab037898
commit 01161228da
2 changed files with 36 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
hosts/Disco.nix
View file

@ -1,7 +1,4 @@
{ config, lib, pkgs, ... }:
let
definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
in
{
imports = [
./development.nix
@ -94,10 +91,10 @@ in
services.burp.client = {
enable = true;
password = definedInPersonalDotNix;
server = "rupert";
sslKeyPassword = definedInPersonalDotNix;
includes = [ "/etc/nixos" "/home" ];
passwordFile = "/secrets/burp_client_password";
sslKeyPasswordFile = "/secrets/burp_ssl_key_password";
encryptionPasswordFile = "/secrets/burp_encryption_password";
extraConfig = ''
working_dir_recovery_method = resume

36
options/burp.nix
View file

@ -13,14 +13,14 @@ let
port = ${toString cfg.client.port}
status_port = ${toString cfg.client.statusPort}
server = ${cfg.client.server}
password = ${cfg.client.password}
password = ${if (cfg.client.passwordFile != null) then "#PASSWORD#" else cfg.client.password}
cname = ${cfg.client.clientName}
ca_burp_ca = ${cfg.package}/bin/burp_ca
ca_csr_dir = ${clientCertDir}
ssl_cert_ca = ${libDir}/ssl_cert_ca.pem
ssl_cert = ${libDir}/ssl_cert-client.pem
ssl_key = ${libDir}/ssl_cert-client.key
ssl_key_password = ${cfg.client.sslKeyPassword}
ssl_key_password = ${if (cfg.client.sslKeyPasswordFile != null) then "#SSL_KEY_PASSWORD#" else cfg.client.sslKeyPassword}
ssl_peer_cn = burpserver
${concatMapStringsSep "\n" (x: "include = " + x) cfg.client.includes}
${concatMapStringsSep "\n" (x: "exclude = " + x) cfg.client.excludes}
@ -155,6 +155,15 @@ in {
'';
};
sslKeyPasswordFile = mkOption {
type = types.nullOr types.str;
default = null;
description = mdDoc ''
File to load an SSL key password for loading a certificate with encryption from.
Takes preference over `sslKeyPassword`.
'';
};
keep = mkOption {
type = types.listOf types.int;
default = [ 7 ];
@ -297,6 +306,7 @@ in {
Name the client should use to identify itself to the server.
'';
};
password = mkOption {
type = types.str;
default = "change-this-password";
@ -304,6 +314,14 @@ in {
Password used by the client for first contact with the server.
'';
};
passwordFile = mkOption {
type = types.nullOr types.str;
default = null;
description = mdDoc ''
File to load a password for the first contact from client to server from.
Takes preference over `password`.
'';
};
sslKeyPassword = mkOption {
type = types.str;
@ -312,6 +330,14 @@ in {
SSL key password for loading a certificate with encryption.
'';
};
sslKeyPasswordFile = mkOption {
type = types.nullOr types.str;
default = null;
description = mdDoc ''
File to load an SSL key password for loading a certificate with encryption from.
Takes preference over `sslKeyPassword`.
'';
};
includes = mkOption {
type = types.listOf types.str;
@ -374,6 +400,12 @@ in {
umask 027
install -Dm640 ${clientConf} '${configFile}'
${optionalString (cfg.client.passwordFile != null) ''
${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
''}
${optionalString (cfg.client.sslKeyPasswordFile != null) ''
${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
''}
${optionalString (cfg.client.encryptionPasswordFile != null) ''
${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
''}