diff --git a/hosts/Disco.nix b/hosts/Disco.nix index 3af4ef5..06249f5 100644 --- a/hosts/Disco.nix +++ b/hosts/Disco.nix @@ -98,6 +98,7 @@ in server = "rupert"; sslKeyPassword = definedInPersonalDotNix; includes = [ "/etc/nixos" "/home" ]; + encryptionPasswordFile = "/secrets/burp_encryption_password"; extraConfig = '' working_dir_recovery_method = resume max_resume_attempts = 5 diff --git a/options/burp.nix b/options/burp.nix index a5f09ff..2c7a078 100644 --- a/options/burp.nix +++ b/options/burp.nix @@ -25,6 +25,9 @@ let ${concatMapStringsSep "\n" (x: "include = " + x) cfg.client.includes} ${concatMapStringsSep "\n" (x: "exclude = " + x) cfg.client.excludes} nobackup = .nobackup + ${optionalString (cfg.client.encryptionPasswordFile != null) '' + encryption_password = #ENCRYPTION_PASSWORD# + ''} ${cfg.client.extraConfig} ''; @@ -326,6 +329,14 @@ in { ''; }; + encryptionPasswordFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + File with a password for encrypted backups. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -354,13 +365,28 @@ in { after = [ "network.target" ]; path = [ cfg.package pkgs.nettools pkgs.openssl ]; - preStart = '' + preStart = let + configFile = "${libDir}/burp.conf"; + replaceSecret = "${pkgs.replace-secret}/bin/replace-secret"; + in '' + prepare_config() + { + umask 027 + install -Dm640 ${clientConf} '${configFile}' + + ${optionalString (cfg.client.encryptionPasswordFile != null) '' + ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}' + ''} + } + if [ ! -d "${libDir}" ]; then - mkdir -m 0755 -p ${libDir} + mkdir -m 0750 -p ${libDir} mkdir -m 0700 -p ${clientCertDir} - ${cfg.package}/bin/burp -c ${libDir}/burp.conf -g + prepare_config + ${cfg.package}/bin/burp -c '${configFile}' -g + else + prepare_config fi - ln -f -s ${clientConf} ${libDir}/burp.conf ''; serviceConfig = {
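Review bot: In the preStart hunk of options/burp.nix, `install -Dm640 ${clientConf} '${configFile}'` leaves the materialised burp.conf owned by whichever account runs preStart, so if the unit runs the daemon as a non-root User while ExecStartPre is privileged, a 640 root-owned file is unreadable to burp itself; the serviceConfig that decides this starts outside the hunk, so this is inferred rather than observed. If that is the setup, pin the ownership explicitly, e.g. `install -Dm640 -o <user> -g <group> ${clientConf} '${configFile}'`, using the same User/Group the unit declares. Two smaller points: the `mkdir -m 0750` only applies in the `! -d` branch, so hosts upgraded from the old layout keep their 0755 libDir (a `chmod 0750 '${libDir}'` inside prepare_config would cover both paths), and the old `ln -f -s` symlink to the store is now silently replaced by install's unlink-before-write on first upgrade, which deserves a comment such as `# replaces the pre-existing store symlink; the config must be a real file so replace-secret can edit it in place`. Finally, `sslKeyPassword = definedInPersonalDotNix;` in hosts/Disco.nix presumably still gets interpolated into clientConf and therefore into the world-readable Nix store; if so, the same placeholder/replace-secret route introduced here would close that gap too.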