From ff291dd912093b2d7f4a1d3924e0893aed1d8a94 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Sun, 12 Mar 2023 15:41:36 +0100
Subject: [PATCH] Rupert, burp server: Use password files as well
---
 hosts/Rupert.nix | 3 +-
 hosts/burp-server.nix | 32 +++++++----------
 options/burp.nix | 83 ++++++++++++++++++++++++++++++++-----------
 3 files changed, 76 insertions(+), 42 deletions(-)
diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix
index 0553dce..ff42c3e 100644
--- a/hosts/Rupert.nix
+++ b/hosts/Rupert.nix
@@ -47,7 +47,8 @@ in
 services.burp.client = {
 enable = true;
- password = config.services.burp.server.clients."${config.networking.hostName}".password;
+ passwordFile = "/secrets/burp_client_passwords/${config.networking.hostName}";
+ sslKeyPasswordFile = "/secrets/burp_client_ssl_key_password";
 };
 # Flatpak
diff --git a/hosts/burp-server.nix b/hosts/burp-server.nix
index 7ba3fbd..7e551ab 100644
--- a/hosts/burp-server.nix
+++ b/hosts/burp-server.nix
@@ -1,32 +1,24 @@
 { config, lib, ... }:
-let
- definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
-in
 {
 services.burp.server = {
 enable = true;
 dataDirectory = "/data/burp";
- sslKeyPassword = definedInPersonalDotNix;
+ sslKeyPasswordFile = "/secrets/burp_server_ssl_key_password";
 workingDirRecoveryMethod = "resume";
 maxResumeAttempts = 3;
 keep = [ 14 4 6 2 ];
- clients = {
- ${config.networking.hostName} = {
- password = definedInPersonalDotNix;
+ clients = lib.listToAttrs (map (client: {
+ name = client;
+ value = {
+ passwordFile = "/secrets/burp_client_passwords/${client}";
 };
- Pullach = {
- password = definedInPersonalDotNix;
- };
- Disco = {
- password = definedInPersonalDotNix;
- };
- Berthold = {
- password = definedInPersonalDotNix;
- };
- Ernesto = {
- password = definedInPersonalDotNix;
- };
- };
+ }) [
+ config.networking.hostName
+ "Pullach"
+ "Disco"
+ "Berthold"
+ "Ernesto"
+ ]);
 superClients = [ config.networking.hostName ];
diff --git a/options/burp.nix b/options/burp.nix
index e1f253a..0b598fb 100644
--- a/options/burp.nix
+++ b/options/burp.nix
@@ -89,7 +89,7 @@ let
 ssl_cert = ${serverHome}/ssl_cert-server.pem
 ssl_key = ${serverHome}/ssl_cert-server.key
 ssl_dhfile = ${serverHome}/dhfile.pem
- ssl_key_password = ${cfg.server.sslKeyPassword}
+ ssl_key_password = ${if (cfg.server.sslKeyPasswordFile != null) then "#SSL_KEY_PASSWORD#" else cfg.server.sslKeyPassword}
 ${concatMapStringsSep "\n" (x: "keep = " + toString x) cfg.server.keep}
 timer_script = ${cfg.server.timerScript}
@@ -106,7 +106,7 @@ let
 '';
 clientConfigs = lib.attrsets.mapAttrs (name: config: (pkgs.writeText name ''
- password = ${config.password}
+ password = ${if (config.passwordFile != null) then "#PASSWORD#" else config.password}
 ${config.extraConfig}
 '')) cfg.server.clients;
@@ -154,7 +154,6 @@ in {
 SSL key password for loading a certificate with encryption.
 '';
 };
-
 sslKeyPasswordFile = mkOption {
 type = types.nullOr types.str;
 default = null;
@@ -238,6 +237,14 @@ in {
 Password used by the client for first contact with the server.
 '';
 };
+ passwordFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = mdDoc ''
+ File to load a password for the first contact from client to server from.
+ Takes preference over `password`.
+ '';
+ };
 extraConfig = mkOption {
 type = types.lines;
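Review bot: The `else` branch of the new `ssl_key_password` line still interpolates `cfg.server.sslKeyPassword` into the generated server config, which — like `clientConfigs` in the next hunk — is presumably a `pkgs.writeText` derivation, so whenever `sslKeyPasswordFile` is left unset the plaintext key password is written into the world-readable Nix store. The commit fixes this for the hosts it touches but keeps the insecure path as the silent default for everyone else. I would at least surface it, e.g. `warnings = lib.optional (cfg.server.enable && cfg.server.sslKeyPasswordFile == null) "services.burp.server.sslKeyPassword is stored in the world-readable Nix store; set sslKeyPasswordFile instead.";` in the module's `config` section, and say so in the `sslKeyPassword` option description. The `let` block this hunk belongs to starts and ends outside the hunk.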
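Review bot: If `passwordFile` is unset (its default is `null`, per the option hunk further down) and `password` is also nullable, the new `else config.password` interpolates `null` and evaluation dies with a generic "cannot coerce null to a string" error that does not name the offending client; I cannot see `password`'s type from here, so this only matters if it is not a mandatory `types.str`. A clearer failure costs one expression: `else (if config.password == null then throw "services.burp.server.clients.${name}: set password or passwordFile" else config.password)`. Unrelated but worth noting while here: the lambda parameter `config` shadows the module's `config` argument, which makes `config.passwordFile` read as if it were module state. The `clientConfigs` binding is complete within the hunk, but the enclosing `let` is not.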
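Review bot: The new `passwordFile` option's description should state the constraints that make a file-based secret actually secret: the option is deliberately `types.str` rather than `types.path`, so the value must be a plain string — a path literal would be copied into the world-readable Nix store at evaluation time — and the file must exist and be readable by the (root) pre-start step when the service starts, not at build time. I would extend the description to: `File to load a password for the first contact from client to server from. Takes preference over `password`. Must be a string naming a file outside the Nix store (a path literal would be copied into the store); it is read at service start, so changes require a restart.` The same caveat applies to the existing `sslKeyPasswordFile` option shown as context in the preceding hunk.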
@@ -401,13 +408,13 @@ in {
 install -Dm640 ${clientConf} '${configFile}'
 ${optionalString (cfg.client.passwordFile != null) ''
- ${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
+ ${replaceSecret} '#PASSWORD#' '${cfg.client.passwordFile}' '${configFile}'
 ''}
 ${optionalString (cfg.client.sslKeyPasswordFile != null) ''
- ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
+ ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.client.sslKeyPasswordFile}' '${configFile}'
 ''}
 ${optionalString (cfg.client.encryptionPasswordFile != null) ''
- ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
+ ${replaceSecret} '#ENCRYPTION_PASSWORD#' '${cfg.client.encryptionPasswordFile}' '${configFile}'
 ''}
 }
@@ -449,8 +456,54 @@ in {
 wantedBy = [ "multi-user.target" ];
 path = [ cfg.package pkgs.nettools pkgs.openssl ];
- serviceConfig = {
- ExecStart = "${cfg.package}/bin/burp -F -v -c ${serverConf}";
+ serviceConfig = let
+ configFile = "${serverHome}/burp-server.conf";
+ replaceSecret = "${pkgs.replace-secret}/bin/replace-secret";
+ preStartScript = pkgs.writeScript "burp-server-prestart" ''
+ #!/${pkgs.bash}/bin/bash
+
+ prepare_data_directory()
+ {
+ if ! [ -d "${cfg.server.dataDirectory}" ] ; then
+ mkdir -p "${cfg.server.dataDirectory}"
+ fi
+ chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
+ chmod 700 "${cfg.server.dataDirectory}"
+ }
+
+ prepare_config()
+ {
+ install -Dm640 -o burp -g burp '${serverConf}' '${configFile}'
+
+ ${optionalString (cfg.server.sslKeyPasswordFile != null) ''
+ ${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.server.sslKeyPasswordFile}' '${configFile}'
+ ''}
+ }
+
+ prepare_client_configs()
+ {
+ umask 077
+
+ if ! [ -d "${serverClientConfDir}" ] ; then
+ mkdir -p "${serverClientConfDir}"
+ fi
+
+ rm -f "${serverClientConfDir}"/*
+
+ ${concatStringsSep "\n" (mapAttrsToList(name: file: ''
+ install -Dm640 -o burp -g burp '${file}' '${serverClientConfDir}/${name}'
+ ${optionalString (cfg.server.clients.${name}.passwordFile != null) ''
+ ${replaceSecret} '#PASSWORD#' '${cfg.server.clients.${name}.passwordFile}' '${serverClientConfDir}/${name}'
+ ''}
+ '') clientConfigs)}
+ }
+
+ prepare_data_directory
+ prepare_config
+ prepare_client_configs
+ '';
+ in {
+ ExecStart = "${cfg.package}/bin/burp -F -v -c ${configFile}";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 User = "burp";
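Review bot: On a first start `prepare_data_directory` runs `chown burp:burp … "${serverClientConfDir}"` before that directory exists — it is only created afterwards in `prepare_client_configs`, under `umask 077` and as root (the `+` prefix on `ExecStartPre` in the next hunk) — so unless something outside this module pre-creates it, the client-conf directory ends up root-owned 0700 and the `burp` user (`User = "burp"` below) cannot read its own client configs until a second start repairs the ownership; the old script created both directories before the `chown`/`chmod`. The script also has no `set -e`, so a failed `replace-secret` (missing or unreadable secret file) does not abort the start: the script's status is that of its last command, and the literal `#PASSWORD#` or `#SSL_KEY_PASSWORD#` placeholder stays in the rendered config as the effective secret. I would add `set -euo pipefail` after the shebang and create both directories up front, as below; the `serviceConfig` attribute set continues into the next hunk.
```nix
preStartScript = pkgs.writeScript "burp-server-prestart" ''
  #!/${pkgs.bash}/bin/bash
  # Abort the start on any failure: a missing secret file must not leave
  # the #PASSWORD# / #SSL_KEY_PASSWORD# placeholders in the rendered configs.
  set -euo pipefail

  prepare_data_directory()
  {
    # Create both directories before chown so a first start does not leave
    # the client-conf directory as a root-owned 0700 directory.
    mkdir -p "${cfg.server.dataDirectory}" "${serverClientConfDir}"
    chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
    chmod 700 "${cfg.server.dataDirectory}" "${serverClientConfDir}"
  }

  # … unchanged: prepare_config …

  prepare_client_configs()
  {
    umask 077
    rm -f "${serverClientConfDir}"/*
    # … unchanged: per-client install + replace-secret …
  }

  # … unchanged: function calls …
'';
```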
@@ -467,19 +520,7 @@ in {
 serverHome
 ];
- ExecStartPre = "+${pkgs.writeScript "burp-prestart" ''
- #!/${pkgs.bash}/bin/bash
- if ! [ -d "${cfg.server.dataDirectory}" ] ; then
- mkdir -p "${cfg.server.dataDirectory}"
- fi
- if ! [ -d "${serverClientConfDir}" ] ; then
- mkdir -p "${serverClientConfDir}"
- fi
- chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
- chmod 700 "${cfg.server.dataDirectory}" "${serverClientConfDir}"
- ${concatStringsSep "\n" (mapAttrsToList(name: file:
- "ln -fs " + file + " " + serverClientConfDir + "/" + name) clientConfigs)}
- ''}";
+ ExecStartPre = "+${preStartScript}";
 Nice = 19;
 IOSchedulingClass = "idle";
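Review bot: With the secrets now rendered by `ExecStartPre`, the unit's `ExecReload` (`kill -HUP`, shown in the previous hunk) re-reads the config but never re-runs the pre-start, so a rotated password or SSL key password file, or a removed client, takes effect only on `systemctl restart`, and until then the old value stays in `${serverHome}/burp-server.conf` and the client-conf directory. The `+` prefix is needed so the script can read the root-owned files under `/secrets`, but it also means the whole script runs outside whatever sandboxing the list ending in `serverHome` above applies to the main process, which is worth stating next to it. I would add `# "+" runs the pre-start as root, outside the unit's sandbox, so it can read the secret files; a reload (SIGHUP) does not re-render them, so rotated secrets need a restart.` above the `ExecStartPre` line. The `serviceConfig` attribute set this belongs to starts in the previous hunk.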