Burp client: Add encryptionPasswordFile option

2023-03-12 14:14:48 +01:00 · 2023-03-12 14:14:48 +01:00 · 3cab037898
parent 44c073c07c
commit 3cab037898
2 changed files with 31 additions and 4 deletions
--- a/hosts/Disco.nix
+++ b/hosts/Disco.nix
@ -98,6 +98,7 @@ in
        server = "rupert";
        sslKeyPassword = definedInPersonalDotNix;
        includes = [ "/etc/nixos" "/home" ];
+        encryptionPasswordFile = "/secrets/burp_encryption_password";
        extraConfig = ''
            working_dir_recovery_method = resume
            max_resume_attempts = 5
--- a/options/burp.nix
+++ b/options/burp.nix
@ -25,6 +25,9 @@ let
        ${concatMapStringsSep "\n" (x: "include = " + x) cfg.client.includes}
        ${concatMapStringsSep "\n" (x: "exclude = " + x) cfg.client.excludes}
        nobackup = .nobackup
+        ${optionalString (cfg.client.encryptionPasswordFile != null) ''
+        encryption_password = #ENCRYPTION_PASSWORD#
+        ''}
        ${cfg.client.extraConfig}
    '';

@ -326,6 +329,14 @@ in {
                '';
            };

+            encryptionPasswordFile = mkOption {
+                type = types.nullOr types.str;
+                default = null;
+                description = ''
+                    File with a password for encrypted backups.
+                '';
+            };
+
            extraConfig = mkOption {
                type = types.lines;
                default = "";
@ -354,13 +365,28 @@ in {
            after = [ "network.target" ];
            path = [ cfg.package pkgs.nettools pkgs.openssl ];

-            preStart = ''
+            preStart = let
+                configFile = "${libDir}/burp.conf";
+                replaceSecret = "${pkgs.replace-secret}/bin/replace-secret";
+            in ''
+                prepare_config()
+                {
+                    umask 027
+                    install -Dm640 ${clientConf} '${configFile}'
+
+                    ${optionalString (cfg.client.encryptionPasswordFile != null) ''
+                    ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
+                    ''}
+                }
+
                if [ ! -d "${libDir}" ]; then
-                    mkdir -m 0755 -p ${libDir}
+                    mkdir -m 0750 -p ${libDir}
                    mkdir -m 0700 -p ${clientCertDir}
-                    ${cfg.package}/bin/burp -c ${libDir}/burp.conf -g
+                    prepare_config
+                    ${cfg.package}/bin/burp -c '${configFile}' -g
+                else
+                    prepare_config
                fi
-                ln -f -s ${clientConf} ${libDir}/burp.conf
            '';

            serviceConfig = {