Burp client: Add options for client, SSL PW file
parent
3cab037898
commit
01161228da
|
@ -1,7 +1,4 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
|
||||||
definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./development.nix
|
./development.nix
|
||||||
|
@ -94,10 +91,10 @@ in
|
||||||
|
|
||||||
services.burp.client = {
|
services.burp.client = {
|
||||||
enable = true;
|
enable = true;
|
||||||
password = definedInPersonalDotNix;
|
|
||||||
server = "rupert";
|
server = "rupert";
|
||||||
sslKeyPassword = definedInPersonalDotNix;
|
|
||||||
includes = [ "/etc/nixos" "/home" ];
|
includes = [ "/etc/nixos" "/home" ];
|
||||||
|
passwordFile = "/secrets/burp_client_password";
|
||||||
|
sslKeyPasswordFile = "/secrets/burp_ssl_key_password";
|
||||||
encryptionPasswordFile = "/secrets/burp_encryption_password";
|
encryptionPasswordFile = "/secrets/burp_encryption_password";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
working_dir_recovery_method = resume
|
working_dir_recovery_method = resume
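Review bot: The `/secrets/burp_*` paths in `services.burp.client` appear to be read only when the client config is installed, so a missing or unreadable file is no longer caught at evaluation time the way the removed `definedInPersonalDotNix` throw caught a missing value. Nothing visible in this file says who provisions these files or which mode they need. A comment above the block would record that, for example `# /secrets/burp_* are provisioned out of band; keep them readable only by the account that installs the burp client config`. The attribute set continues past the end of this hunk.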
|
||||||
|
|
|
@ -13,14 +13,14 @@ let
|
||||||
port = ${toString cfg.client.port}
|
port = ${toString cfg.client.port}
|
||||||
status_port = ${toString cfg.client.statusPort}
|
status_port = ${toString cfg.client.statusPort}
|
||||||
server = ${cfg.client.server}
|
server = ${cfg.client.server}
|
||||||
password = ${cfg.client.password}
|
password = ${if (cfg.client.passwordFile != null) then "#PASSWORD#" else cfg.client.password}
|
||||||
cname = ${cfg.client.clientName}
|
cname = ${cfg.client.clientName}
|
||||||
ca_burp_ca = ${cfg.package}/bin/burp_ca
|
ca_burp_ca = ${cfg.package}/bin/burp_ca
|
||||||
ca_csr_dir = ${clientCertDir}
|
ca_csr_dir = ${clientCertDir}
|
||||||
ssl_cert_ca = ${libDir}/ssl_cert_ca.pem
|
ssl_cert_ca = ${libDir}/ssl_cert_ca.pem
|
||||||
ssl_cert = ${libDir}/ssl_cert-client.pem
|
ssl_cert = ${libDir}/ssl_cert-client.pem
|
||||||
ssl_key = ${libDir}/ssl_cert-client.key
|
ssl_key = ${libDir}/ssl_cert-client.key
|
||||||
ssl_key_password = ${cfg.client.sslKeyPassword}
|
ssl_key_password = ${if (cfg.client.sslKeyPasswordFile != null) then "#SSL_KEY_PASSWORD#" else cfg.client.sslKeyPassword}
|
||||||
ssl_peer_cn = burpserver
|
ssl_peer_cn = burpserver
|
||||||
${concatMapStringsSep "\n" (x: "include = " + x) cfg.client.includes}
|
${concatMapStringsSep "\n" (x: "include = " + x) cfg.client.includes}
|
||||||
${concatMapStringsSep "\n" (x: "exclude = " + x) cfg.client.excludes}
|
${concatMapStringsSep "\n" (x: "exclude = " + x) cfg.client.excludes}
|
||||||
|
@ -155,6 +155,15 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sslKeyPasswordFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = mdDoc ''
|
||||||
|
File to load an SSL key password for loading a certificate with encryption from.
|
||||||
|
Takes preference over `sslKeyPassword`.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
keep = mkOption {
|
keep = mkOption {
|
||||||
type = types.listOf types.int;
|
type = types.listOf types.int;
|
||||||
default = [ 7 ];
|
default = [ 7 ];
|
||||||
|
@ -297,6 +306,7 @@ in {
|
||||||
Name the client should use to identify itself to the server.
|
Name the client should use to identify itself to the server.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
password = mkOption {
|
password = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "change-this-password";
|
default = "change-this-password";
|
||||||
|
@ -304,6 +314,14 @@ in {
|
||||||
Password used by the client for first contact with the server.
|
Password used by the client for first contact with the server.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
passwordFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = mdDoc ''
|
||||||
|
File to load a password for the first contact from client to server from.
|
||||||
|
Takes preference over `password`.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
sslKeyPassword = mkOption {
|
sslKeyPassword = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -312,6 +330,14 @@ in {
|
||||||
SSL key password for loading a certificate with encryption.
|
SSL key password for loading a certificate with encryption.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
sslKeyPasswordFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = mdDoc ''
|
||||||
|
File to load an SSL key password for loading a certificate with encryption from.
|
||||||
|
Takes preference over `sslKeyPassword`.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
includes = mkOption {
|
includes = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
|
@ -374,6 +400,12 @@ in {
|
||||||
umask 027
|
umask 027
|
||||||
install -Dm640 ${clientConf} '${configFile}'
|
install -Dm640 ${clientConf} '${configFile}'
|
||||||
|
|
||||||
|
${optionalString (cfg.client.passwordFile != null) ''
|
||||||
|
${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
|
||||||
|
''}
|
||||||
|
${optionalString (cfg.client.sslKeyPasswordFile != null) ''
|
||||||
|
${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
|
||||||
|
''}
|
||||||
${optionalString (cfg.client.encryptionPasswordFile != null) ''
|
${optionalString (cfg.client.encryptionPasswordFile != null) ''
|
||||||
${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
|
${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
|
||||||
''}
|
''}
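Review bot: The `else` branches on the `password =` and `ssl_key_password =` lines still interpolate `cfg.client.password` and `cfg.client.sslKeyPassword` into the generated client config. Assuming `clientConf` is built into the Nix store, as the `install -Dm640 ${clientConf}` line suggests, the secret stays world-readable whenever the matching `*File` option is unset, and that includes the `"change-this-password"` default. The descriptions of `password` and `sslKeyPassword` should say so, e.g. by adding `Warning: this value is copied into the world-readable Nix store; prefer passwordFile.` (and the `sslKeyPasswordFile` equivalent). Separately, the `sslKeyPasswordFile` option added in the `-155,6 +155,15` hunk has no consumer in the visible hunks, which read only `cfg.client.sslKeyPasswordFile`, so it is worth confirming that it is wired up. The enclosing `let` and option blocks start and end outside these hunks.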
|
||||||
|
|