From 01161228da3c1435c9c2aa229b8a103f8bf0af1d Mon Sep 17 00:00:00 2001
From: fruchti
Date: Sun, 12 Mar 2023 14:39:34 +0100
Subject: [PATCH] Burp client: Add options for client, SSL PW file

---
 hosts/Disco.nix  |  7 ++-----
 options/burp.nix | 36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/hosts/Disco.nix b/hosts/Disco.nix
index 06249f5..b90299c 100644
--- a/hosts/Disco.nix
+++ b/hosts/Disco.nix
@@ -1,7 +1,4 @@
 { config, lib, pkgs, ... }:
-let
-  definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
-in
 {
   imports = [
     ./development.nix
@@ -94,10 +91,10 @@ in
 
   services.burp.client = {
     enable = true;
-    password = definedInPersonalDotNix;
     server = "rupert";
-    sslKeyPassword = definedInPersonalDotNix;
     includes = [ "/etc/nixos" "/home" ];
+    passwordFile = "/secrets/burp_client_password";
+    sslKeyPasswordFile = "/secrets/burp_ssl_key_password";
     encryptionPasswordFile = "/secrets/burp_encryption_password";
     extraConfig = ''
       working_dir_recovery_method = resume
diff --git a/options/burp.nix b/options/burp.nix
index 2c7a078..e1f253a 100644
--- a/options/burp.nix
+++ b/options/burp.nix
@@ -13,14 +13,14 @@ let
       port = ${toString cfg.client.port}
       status_port = ${toString cfg.client.statusPort}
       server = ${cfg.client.server}
-      password = ${cfg.client.password}
+      password = ${if (cfg.client.passwordFile != null) then "#PASSWORD#" else cfg.client.password}
       cname = ${cfg.client.clientName}
       ca_burp_ca = ${cfg.package}/bin/burp_ca
       ca_csr_dir = ${clientCertDir}
       ssl_cert_ca = ${libDir}/ssl_cert_ca.pem
       ssl_cert = ${libDir}/ssl_cert-client.pem
       ssl_key = ${libDir}/ssl_cert-client.key
-      ssl_key_password = ${cfg.client.sslKeyPassword}
+      ssl_key_password = ${if (cfg.client.sslKeyPasswordFile != null) then "#SSL_KEY_PASSWORD#" else cfg.client.sslKeyPassword}
       ssl_peer_cn = burpserver
       ${concatMapStringsSep "\n" (x: "include = " + x) cfg.client.includes}
       ${concatMapStringsSep "\n" (x: "exclude = " + x) cfg.client.excludes}
@@ -155,6 +155,15 @@ in {
       '';
     };
 
+    sslKeyPasswordFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        File to load an SSL key password for loading a certificate with encryption from.
+        Takes preference over `sslKeyPassword`.
+      '';
+    };
+
     keep = mkOption {
       type = types.listOf types.int;
       default = [ 7 ];
@@ -297,6 +306,7 @@ in {
         Name the client should use to identify itself to the server.
       '';
     };
+
     password = mkOption {
       type = types.str;
       default = "change-this-password";
@@ -304,6 +314,14 @@ in {
         Password used by the client for first contact with the server.
       '';
     };
+    passwordFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        File to load a password for the first contact from client to server from.
+        Takes preference over `password`.
+      '';
+    };
 
     sslKeyPassword = mkOption {
       type = types.str;
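Review bot: The placeholder strings `#PASSWORD#` and `#SSL_KEY_PASSWORD#` are spelled out literally both in this template and again in the replaceSecret calls of the @@ -374 hunk, so the two sites have to be kept in sync by hand. Binding them once in the enclosing `let` (the hunk's context line), e.g. `passwordPlaceholder = "#PASSWORD#";`, and using the binding at both sites removes that coupling. A short comment above each of the two new lines, `# placeholder; replaced by replaceSecret at install time when the *File option is set`, would also tell a reader of this template alone why a literal marker is written into the config. The parentheses around the conditions are redundant in Nix: `${if cfg.client.passwordFile != null then "#PASSWORD#" else cfg.client.password}`.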
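Review bot: The `sslKeyPasswordFile` option added in the @@ -155 hunk is declared but never read: the only consumers in this patch are `cfg.client.sslKeyPasswordFile` (template at @@ -13 and install script at @@ -374), and the diffstat's 36 insertions are fully accounted for by the visible hunks, so no other hunk wires it up. Judging by the neighbouring `keep` option and the line number, this is presumably the server-side option set, where `sslKeyPassword` still goes into whatever renders the server config, so setting the new option there silently does nothing. Either drop this hunk or add the same `if ... != null then "#SSL_KEY_PASSWORD#" else ...` / replaceSecret handling for the server config; the enclosing attribute set starts and ends outside the hunk.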
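Review bot: The `passwordFile` description in the @@ -304 hunk reads awkwardly ("File to load a password ... from") and leaves out the property that makes the option worth having; the same wording is used for `sslKeyPasswordFile` in the @@ -155 and @@ -312 hunks. Something like `Path to a file containing the password used for the client's first contact with the server. The file is read on the target when the client config is installed, so, unlike \`password\`, its contents are not interpolated into the generated configuration; takes precedence over \`password\` when set.` says what the install script in the @@ -374 hunk actually does. The `password` and `sslKeyPassword` descriptions could in turn point readers at the `*File` variants. Whether `clientConf` is a store path is not visible here, so "not interpolated into the generated configuration" is the safe formulation.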
@@ -312,6 +330,14 @@ in {
         SSL key password for loading a certificate with encryption.
       '';
     };
+    sslKeyPasswordFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        File to load an SSL key password for loading a certificate with encryption from.
+        Takes preference over `sslKeyPassword`.
+      '';
+    };
 
     includes = mkOption {
       type = types.listOf types.str;
@@ -374,6 +400,12 @@ in {
 
       umask 027
       install -Dm640 ${clientConf} '${configFile}'
+      ${optionalString (cfg.client.passwordFile != null) ''
+        ${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
+      ''}
+      ${optionalString (cfg.client.sslKeyPasswordFile != null) ''
+        ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
+      ''}
       ${optionalString (cfg.client.encryptionPasswordFile != null) ''
         ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
       ''}
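Review bot: Nothing in the @@ -374 hunk checks that the files named by `passwordFile` and `sslKeyPasswordFile` exist and are readable before `replaceSecret` runs; `replaceSecret` is defined outside this hunk, and if it does not abort on a missing or unreadable file, the literal `#PASSWORD#` written by the `install` line above is what the client will present to the server as its password. A guard at the top of each new optionalString block, `test -r '${cfg.client.passwordFile}' || { echo "burp client: ${cfg.client.passwordFile} is not readable" >&2; exit 1; }`, makes that failure explicit and mirrors what the existing encryption-password block should arguably do as well. Whether the surrounding script runs under `set -e` is not visible; the enclosing block starts and ends outside the hunk.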