Rupert, burp server: Use password files as well
This commit is contained in:
		
							parent
							
								
									01161228da
								
							
						
					
					
						commit
						ff291dd912
					
				
					 3 changed files with 76 additions and 42 deletions
				
			
		| 
						 | 
				
			
			@ -47,7 +47,8 @@ in
 | 
			
		|||
 | 
			
		||||
    services.burp.client = {
 | 
			
		||||
        enable = true;
 | 
			
		||||
        password = config.services.burp.server.clients."${config.networking.hostName}".password;
 | 
			
		||||
        passwordFile = "/secrets/burp_client_passwords/${config.networking.hostName}";
 | 
			
		||||
        sslKeyPasswordFile = "/secrets/burp_client_ssl_key_password";
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
    # Flatpak
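Review bot: If the `password = config.services.burp.server.clients."${config.networking.hostName}".password;` line in the `services.burp.client` block is still present on the new side (the hunk's markers are lost and a 7→8 line count allows it), it is dead configuration: the module text in this commit says `passwordFile` takes preference over `password`, and the server file no longer sets `password` for any client, so the attribute can only resolve to the option's default, or fail evaluation if that option has none. Dropping the line leaves `passwordFile` as the single source of the first-contact secret and removes a cross-reference into the server configuration that nothing else needs. The enclosing attribute set continues outside the hunk.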
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -1,32 +1,24 @@
 | 
			
		|||
{ config, lib, ... }:
 | 
			
		||||
let
 | 
			
		||||
    definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
    services.burp.server = {
 | 
			
		||||
        enable = true;
 | 
			
		||||
        dataDirectory = "/data/burp";
 | 
			
		||||
        sslKeyPassword = definedInPersonalDotNix;
 | 
			
		||||
        sslKeyPasswordFile = "/secrets/burp_server_ssl_key_password";
 | 
			
		||||
        workingDirRecoveryMethod = "resume";
 | 
			
		||||
        maxResumeAttempts = 3;
 | 
			
		||||
        keep = [ 14 4 6 2 ];
 | 
			
		||||
        clients = {
 | 
			
		||||
            ${config.networking.hostName} = {
 | 
			
		||||
                password = definedInPersonalDotNix;
 | 
			
		||||
        clients = lib.listToAttrs (map (client: {
 | 
			
		||||
            name = client;
 | 
			
		||||
            value = {
 | 
			
		||||
                passwordFile = "/secrets/burp_client_passwords/${client}";
 | 
			
		||||
            };
 | 
			
		||||
            Pullach = {
 | 
			
		||||
                password = definedInPersonalDotNix;
 | 
			
		||||
            };
 | 
			
		||||
            Disco = {
 | 
			
		||||
                password = definedInPersonalDotNix;
 | 
			
		||||
            };
 | 
			
		||||
            Berthold = {
 | 
			
		||||
                password = definedInPersonalDotNix;
 | 
			
		||||
            };
 | 
			
		||||
            Ernesto = {
 | 
			
		||||
                password = definedInPersonalDotNix;
 | 
			
		||||
            };
 | 
			
		||||
        };
 | 
			
		||||
        }) [
 | 
			
		||||
            config.networking.hostName
 | 
			
		||||
            "Pullach"
 | 
			
		||||
            "Disco"
 | 
			
		||||
            "Berthold"
 | 
			
		||||
            "Ernesto"
 | 
			
		||||
        ]);
 | 
			
		||||
        superClients = [
 | 
			
		||||
            config.networking.hostName
 | 
			
		||||
        ];
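Review bot: `clients = lib.listToAttrs (map (client: { name = client; value = { … }; }) [ … ])` is the long form of a helper the library already provides; `clients = lib.genAttrs [ config.networking.hostName "Pullach" "Disco" "Berthold" "Ernesto" ] (client: { passwordFile = "/secrets/burp_client_passwords/${client}"; });` expresses the same attribute set without the `name`/`value` wrapper. Since every entry now only carries a path, it may also be worth a one-line comment above the list noting that each name must have a matching file under `/secrets/burp_client_passwords/`, because the server's pre-start script substitutes it unconditionally whenever `passwordFile` is non-null. The surrounding `services.burp.server` set ends outside the hunk.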
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -89,7 +89,7 @@ let
 | 
			
		|||
        ssl_cert = ${serverHome}/ssl_cert-server.pem
 | 
			
		||||
        ssl_key = ${serverHome}/ssl_cert-server.key
 | 
			
		||||
        ssl_dhfile = ${serverHome}/dhfile.pem
 | 
			
		||||
        ssl_key_password = ${cfg.server.sslKeyPassword}
 | 
			
		||||
        ssl_key_password = ${if (cfg.server.sslKeyPasswordFile != null) then "#SSL_KEY_PASSWORD#" else cfg.server.sslKeyPassword}
 | 
			
		||||
 | 
			
		||||
        ${concatMapStringsSep "\n" (x: "keep = " + toString x) cfg.server.keep}
 | 
			
		||||
        timer_script = ${cfg.server.timerScript}
 | 
			
		||||
| 
						 | 
				
			
			@ -106,7 +106,7 @@ let
 | 
			
		|||
    '';
 | 
			
		||||
 | 
			
		||||
    clientConfigs = lib.attrsets.mapAttrs (name: config: (pkgs.writeText name ''
 | 
			
		||||
        password = ${config.password}
 | 
			
		||||
        password = ${if (config.passwordFile != null) then "#PASSWORD#" else config.password}
 | 
			
		||||
        ${config.extraConfig}
 | 
			
		||||
    '')) cfg.server.clients;
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -154,7 +154,6 @@ in {
 | 
			
		|||
                    SSL key password for loading a certificate with encryption.
 | 
			
		||||
                '';
 | 
			
		||||
            };
 | 
			
		||||
 | 
			
		||||
            sslKeyPasswordFile = mkOption {
 | 
			
		||||
                type = types.nullOr types.str;
 | 
			
		||||
                default = null;
 | 
			
		||||
| 
						 | 
				
			
			@ -238,6 +237,14 @@ in {
 | 
			
		|||
                                Password used by the client for first contact with the server.
 | 
			
		||||
                            '';
 | 
			
		||||
                        };
 | 
			
		||||
                        passwordFile = mkOption {
 | 
			
		||||
                            type = types.nullOr types.str;
 | 
			
		||||
                            default = null;
 | 
			
		||||
                            description = mdDoc ''
 | 
			
		||||
                                File to load a password for the first contact from client to server from.
 | 
			
		||||
                                Takes preference over `password`.
 | 
			
		||||
                            '';
 | 
			
		||||
                        };
 | 
			
		||||
 | 
			
		||||
                        extraConfig = mkOption {
 | 
			
		||||
                            type = types.lines;
 | 
			
		||||
| 
						 | 
				
			
			@ -401,13 +408,13 @@ in {
 | 
			
		|||
                    install -Dm640 ${clientConf} '${configFile}'
 | 
			
		||||
 | 
			
		||||
                    ${optionalString (cfg.client.passwordFile != null) ''
 | 
			
		||||
                    ${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
 | 
			
		||||
                        ${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
 | 
			
		||||
                    ''}
 | 
			
		||||
                    ${optionalString (cfg.client.sslKeyPasswordFile != null) ''
 | 
			
		||||
                    ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
 | 
			
		||||
                        ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
 | 
			
		||||
                    ''}
 | 
			
		||||
                    ${optionalString (cfg.client.encryptionPasswordFile != null) ''
 | 
			
		||||
                    ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
 | 
			
		||||
                        ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
 | 
			
		||||
                    ''}
 | 
			
		||||
                }
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -449,8 +456,54 @@ in {
 | 
			
		|||
            wantedBy = [ "multi-user.target" ];
 | 
			
		||||
            path = [ cfg.package pkgs.nettools pkgs.openssl ];
 | 
			
		||||
 | 
			
		||||
            serviceConfig = {
 | 
			
		||||
                ExecStart = "${cfg.package}/bin/burp -F -v -c ${serverConf}";
 | 
			
		||||
            serviceConfig = let
 | 
			
		||||
                configFile = "${serverHome}/burp-server.conf";
 | 
			
		||||
                replaceSecret = "${pkgs.replace-secret}/bin/replace-secret";
 | 
			
		||||
                preStartScript = pkgs.writeScript "burp-server-prestart" ''
 | 
			
		||||
                    #!/${pkgs.bash}/bin/bash
 | 
			
		||||
 | 
			
		||||
                    prepare_data_directory()
 | 
			
		||||
                    {
 | 
			
		||||
                        if ! [ -d "${cfg.server.dataDirectory}" ] ; then
 | 
			
		||||
                            mkdir -p "${cfg.server.dataDirectory}"
 | 
			
		||||
                        fi
 | 
			
		||||
                        chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
 | 
			
		||||
                        chmod 700 "${cfg.server.dataDirectory}"
 | 
			
		||||
                    }
 | 
			
		||||
 | 
			
		||||
                    prepare_config()
 | 
			
		||||
                    {
 | 
			
		||||
                        install -Dm640 -o burp -g burp '${serverConf}' '${configFile}'
 | 
			
		||||
 | 
			
		||||
                        ${optionalString (cfg.server.sslKeyPasswordFile != null) ''
 | 
			
		||||
                            ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.server.sslKeyPasswordFile}' '${configFile}'
 | 
			
		||||
                        ''}
 | 
			
		||||
                    }
 | 
			
		||||
 | 
			
		||||
                    prepare_client_configs()
 | 
			
		||||
                    {
 | 
			
		||||
                        umask 077
 | 
			
		||||
 | 
			
		||||
                        if ! [ -d "${serverClientConfDir}" ] ; then
 | 
			
		||||
                            mkdir -p "${serverClientConfDir}"
 | 
			
		||||
                        fi
 | 
			
		||||
 | 
			
		||||
                        rm -f "${serverClientConfDir}"/*
 | 
			
		||||
 | 
			
		||||
                        ${concatStringsSep "\n" (mapAttrsToList(name: file: ''
 | 
			
		||||
                            install -Dm640 -o burp -g burp '${file}' '${serverClientConfDir}/${name}'
 | 
			
		||||
                            ${optionalString (cfg.server.clients.${name}.passwordFile != null) ''
 | 
			
		||||
                                ${replaceSecret} '#PASSWORD#' '${cfg.server.clients.${name}.passwordFile}' '${serverClientConfDir}/${name}'
 | 
			
		||||
                            ''}
 | 
			
		||||
                        '') clientConfigs)}
 | 
			
		||||
                    }
 | 
			
		||||
 | 
			
		||||
                    prepare_data_directory
 | 
			
		||||
                    prepare_config
 | 
			
		||||
                    prepare_client_configs
 | 
			
		||||
                '';
 | 
			
		||||
            in {
 | 
			
		||||
                ExecStart = "${cfg.package}/bin/burp -F -v -c ${configFile}";
 | 
			
		||||
                ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 | 
			
		||||
 | 
			
		||||
                User = "burp";
 | 
			
		||||
| 
						 | 
				
			
			@ -467,19 +520,7 @@ in {
 | 
			
		|||
                    serverHome
 | 
			
		||||
                ];
 | 
			
		||||
 | 
			
		||||
                ExecStartPre = "+${pkgs.writeScript "burp-prestart" ''
 | 
			
		||||
                    #!/${pkgs.bash}/bin/bash
 | 
			
		||||
                    if ! [ -d "${cfg.server.dataDirectory}" ] ; then
 | 
			
		||||
                        mkdir -p "${cfg.server.dataDirectory}"
 | 
			
		||||
                    fi
 | 
			
		||||
                    if ! [ -d "${serverClientConfDir}" ] ; then
 | 
			
		||||
                        mkdir -p "${serverClientConfDir}"
 | 
			
		||||
                    fi
 | 
			
		||||
                    chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
 | 
			
		||||
                    chmod 700 "${cfg.server.dataDirectory}" "${serverClientConfDir}"
 | 
			
		||||
                    ${concatStringsSep "\n" (mapAttrsToList(name: file:
 | 
			
		||||
                        "ln -fs " + file + " " + serverClientConfDir + "/" + name) clientConfigs)}
 | 
			
		||||
                ''}";
 | 
			
		||||
                ExecStartPre = "+${preStartScript}";
 | 
			
		||||
 | 
			
		||||
                Nice = 19;
 | 
			
		||||
                IOSchedulingClass = "idle";
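Review bot: In the `@ -449,8 +456,54 @@` hunk, `prepare_data_directory` runs `chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"` before `prepare_client_configs` has created `${serverClientConfDir}`, so on a fresh host that chown fails and the directory is then made by root (the script runs with full privileges via the `+` prefix on `ExecStartPre`) under `umask 077`, leaving it root-owned and mode 700 while the client configs installed into it belong to `burp`; the daemon, started as `User = "burp"`, cannot then traverse into it. No `set -e` is visible in the script, so the failed chown only shows up as a journal line rather than stopping the unit. The removed script set ownership and mode after both mkdirs; restoring that order means `chown burp:burp "${cfg.server.dataDirectory}"` in prepare_data_directory and, after the `fi` in prepare_client_configs, `chown burp:burp "${serverClientConfDir}"` and `chmod 700 "${serverClientConfDir}"` — the umask only governs newly created paths, so a directory that already exists keeps whatever mode it had, which the dropped `chmod 700` used to correct. This assumes `serverClientConfDir` is not created elsewhere before this script runs; its definition is outside the hunk.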
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||