Rupert, burp server: Use password files as well
This commit is contained in:
parent
01161228da
commit
ff291dd912
|
@ -47,7 +47,8 @@ in
|
||||||
|
|
||||||
services.burp.client = {
|
services.burp.client = {
|
||||||
enable = true;
|
enable = true;
|
||||||
password = config.services.burp.server.clients."${config.networking.hostName}".password;
|
passwordFile = "/secrets/burp_client_passwords/${config.networking.hostName}";
|
||||||
|
sslKeyPasswordFile = "/secrets/burp_client_ssl_key_password";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Flatpak
|
# Flatpak
|
||||||
|
|
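Review bot: The client now hardcodes `/secrets/burp_client_passwords/${config.networking.hostName}` while the server config in the next hunk builds the same path independently, so the two can drift apart silently; the removed line already had the shape that keeps them in lock-step. Prefer `passwordFile = config.services.burp.server.clients."${config.networking.hostName}".passwordFile;` so the client reads whatever path the server expects. As with the old line, this presumes the client module runs on the same host as the server.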
|
@ -1,32 +1,24 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
|
||||||
definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
services.burp.server = {
|
services.burp.server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dataDirectory = "/data/burp";
|
dataDirectory = "/data/burp";
|
||||||
sslKeyPassword = definedInPersonalDotNix;
|
sslKeyPasswordFile = "/secrets/burp_server_ssl_key_password";
|
||||||
workingDirRecoveryMethod = "resume";
|
workingDirRecoveryMethod = "resume";
|
||||||
maxResumeAttempts = 3;
|
maxResumeAttempts = 3;
|
||||||
keep = [ 14 4 6 2 ];
|
keep = [ 14 4 6 2 ];
|
||||||
clients = {
|
clients = lib.listToAttrs (map (client: {
|
||||||
${config.networking.hostName} = {
|
name = client;
|
||||||
password = definedInPersonalDotNix;
|
value = {
|
||||||
};
|
passwordFile = "/secrets/burp_client_passwords/${client}";
|
||||||
Pullach = {
|
|
||||||
password = definedInPersonalDotNix;
|
|
||||||
};
|
|
||||||
Disco = {
|
|
||||||
password = definedInPersonalDotNix;
|
|
||||||
};
|
|
||||||
Berthold = {
|
|
||||||
password = definedInPersonalDotNix;
|
|
||||||
};
|
|
||||||
Ernesto = {
|
|
||||||
password = definedInPersonalDotNix;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
}) [
|
||||||
|
config.networking.hostName
|
||||||
|
"Pullach"
|
||||||
|
"Disco"
|
||||||
|
"Berthold"
|
||||||
|
"Ernesto"
|
||||||
|
]);
|
||||||
superClients = [
|
superClients = [
|
||||||
config.networking.hostName
|
config.networking.hostName
|
||||||
];
|
];
|
||||||
|
|
|
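Review bot: `lib.listToAttrs (map (client: { name = client; value = …; }) [ … ])` is the long form of `lib.genAttrs`, which exists for exactly this shape; `clients = lib.genAttrs [ config.networking.hostName "Pullach" "Disco" "Berthold" "Ernesto" ] (client: { passwordFile = "/secrets/burp_client_passwords/${client}"; });` states the intent directly. The directory prefix is also repeated verbatim in the client config of the first hunk; a single `let` binding for it would keep both sides aligned when the secrets location changes.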
@ -89,7 +89,7 @@ let
|
||||||
ssl_cert = ${serverHome}/ssl_cert-server.pem
|
ssl_cert = ${serverHome}/ssl_cert-server.pem
|
||||||
ssl_key = ${serverHome}/ssl_cert-server.key
|
ssl_key = ${serverHome}/ssl_cert-server.key
|
||||||
ssl_dhfile = ${serverHome}/dhfile.pem
|
ssl_dhfile = ${serverHome}/dhfile.pem
|
||||||
ssl_key_password = ${cfg.server.sslKeyPassword}
|
ssl_key_password = ${if (cfg.server.sslKeyPasswordFile != null) then "#SSL_KEY_PASSWORD#" else cfg.server.sslKeyPassword}
|
||||||
|
|
||||||
${concatMapStringsSep "\n" (x: "keep = " + toString x) cfg.server.keep}
|
${concatMapStringsSep "\n" (x: "keep = " + toString x) cfg.server.keep}
|
||||||
timer_script = ${cfg.server.timerScript}
|
timer_script = ${cfg.server.timerScript}
|
||||||
|
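Review bot: The `#SSL_KEY_PASSWORD#` sentinel is later substituted by replace-secret, which as far as I recall replaces every occurrence of the token in the file, so the same literal appearing anywhere else in the generated config (for instance via extra config lines) would be overwritten as well; the same applies to `#PASSWORD#` in the `clientConfigs` hunk at -106. The reserved strings deserve a Nix comment on the `serverConf` and `clientConfigs` bindings (the former starts outside this hunk), e.g. `# placeholder substituted by replace-secret in ExecStartPre; must not occur elsewhere in the rendered file`.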
@ -106,7 +106,7 @@ let
|
||||||
'';
|
'';
|
||||||
|
|
||||||
clientConfigs = lib.attrsets.mapAttrs (name: config: (pkgs.writeText name ''
|
clientConfigs = lib.attrsets.mapAttrs (name: config: (pkgs.writeText name ''
|
||||||
password = ${config.password}
|
password = ${if (config.passwordFile != null) then "#PASSWORD#" else config.password}
|
||||||
${config.extraConfig}
|
${config.extraConfig}
|
||||||
'')) cfg.server.clients;
|
'')) cfg.server.clients;
|
||||||
|
|
||||||
|
@ -154,7 +154,6 @@ in {
|
||||||
SSL key password for loading a certificate with encryption.
|
SSL key password for loading a certificate with encryption.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
sslKeyPasswordFile = mkOption {
|
sslKeyPasswordFile = mkOption {
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = null;
|
default = null;
|
||||||
|
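Review bot: The description of `sslKeyPassword` (its `mkOption` starts above the hunk) still presents it as the plain way to set the key password, although the value is interpolated into `serverConf`, which the prestart script copies out of the Nix store, and `sslKeyPasswordFile` now exists precisely to keep the secret out of the store. Add to the description: `The value is written into the Nix store and readable by every local user; prefer sslKeyPasswordFile.`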
@ -238,6 +237,14 @@ in {
|
||||||
Password used by the client for first contact with the server.
|
Password used by the client for first contact with the server.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
passwordFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = mdDoc ''
|
||||||
|
File to load a password for the first contact from client to server from.
|
||||||
|
Takes preference over `password`.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
type = types.lines;
|
type = types.lines;
|
||||||
|
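Review bot: Nothing enforces that a client has either `password` or `passwordFile`; if both are unset (and `password` is nullable, which this hunk does not show), `clientConfigs` interpolates `null` and evaluation fails with a generic coercion error instead of naming the client. An assertion such as `assertion = all (c: c.passwordFile != null || c.password != null) (attrValues cfg.server.clients);` with a message pointing at `services.burp.server.clients.<name>` would surface that at build time. The description could also state the runtime contract the prestart script relies on: `Read by the server's ExecStartPre at service start, so the file stays outside the Nix store; it must exist and be readable by root on the server host.`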
@ -449,8 +456,54 @@ in {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ cfg.package pkgs.nettools pkgs.openssl ];
|
path = [ cfg.package pkgs.nettools pkgs.openssl ];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = let
|
||||||
ExecStart = "${cfg.package}/bin/burp -F -v -c ${serverConf}";
|
configFile = "${serverHome}/burp-server.conf";
|
||||||
|
replaceSecret = "${pkgs.replace-secret}/bin/replace-secret";
|
||||||
|
preStartScript = pkgs.writeScript "burp-server-prestart" ''
|
||||||
|
#!/${pkgs.bash}/bin/bash
|
||||||
|
|
||||||
|
prepare_data_directory()
|
||||||
|
{
|
||||||
|
if ! [ -d "${cfg.server.dataDirectory}" ] ; then
|
||||||
|
mkdir -p "${cfg.server.dataDirectory}"
|
||||||
|
fi
|
||||||
|
chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
|
||||||
|
chmod 700 "${cfg.server.dataDirectory}"
|
||||||
|
}
|
||||||
|
|
||||||
|
prepare_config()
|
||||||
|
{
|
||||||
|
install -Dm640 -o burp -g burp '${serverConf}' '${configFile}'
|
||||||
|
|
||||||
|
${optionalString (cfg.server.sslKeyPasswordFile != null) ''
|
||||||
|
${replaceSecret} '#SSL_KEY_PASSWORD#' '${cfg.server.sslKeyPasswordFile}' '${configFile}'
|
||||||
|
''}
|
||||||
|
}
|
||||||
|
|
||||||
|
prepare_client_configs()
|
||||||
|
{
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
if ! [ -d "${serverClientConfDir}" ] ; then
|
||||||
|
mkdir -p "${serverClientConfDir}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f "${serverClientConfDir}"/*
|
||||||
|
|
||||||
|
${concatStringsSep "\n" (mapAttrsToList(name: file: ''
|
||||||
|
install -Dm640 -o burp -g burp '${file}' '${serverClientConfDir}/${name}'
|
||||||
|
${optionalString (cfg.server.clients.${name}.passwordFile != null) ''
|
||||||
|
${replaceSecret} '#PASSWORD#' '${cfg.server.clients.${name}.passwordFile}' '${serverClientConfDir}/${name}'
|
||||||
|
''}
|
||||||
|
'') clientConfigs)}
|
||||||
|
}
|
||||||
|
|
||||||
|
prepare_data_directory
|
||||||
|
prepare_config
|
||||||
|
prepare_client_configs
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
ExecStart = "${cfg.package}/bin/burp -F -v -c ${configFile}";
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||||
|
|
||||||
User = "burp";
|
User = "burp";
|
||||||
|
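Review bot: `preStartScript` has no `set -e`, so a missing or unreadable secret file presumably makes `replace-secret` exit non-zero without stopping the script, and burp then starts with the literal `#PASSWORD#` / `#SSL_KEY_PASSWORD#` sentinels left in the installed config — for clients that is a fixed, guessable first-contact password. Add `set -euo pipefail` right after the shebang. That in turn exposes an ordering problem: `prepare_data_directory` chowns `${serverClientConfDir}` before `prepare_client_configs` creates it, so the first start on a fresh host would abort; create both there with `mkdir -p "${cfg.server.dataDirectory}" "${serverClientConfDir}"` and restore the dropped `chmod 700 "${cfg.server.dataDirectory}" "${serverClientConfDir}"` so a pre-existing config directory does not keep its previous mode. The secret paths spliced into single quotes (`'${cfg.server.sslKeyPasswordFile}'`, `'${cfg.server.clients.${name}.passwordFile}'`) would be more robust as `${lib.escapeShellArg …}`.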
@ -467,19 +520,7 @@ in {
|
||||||
serverHome
|
serverHome
|
||||||
];
|
];
|
||||||
|
|
||||||
ExecStartPre = "+${pkgs.writeScript "burp-prestart" ''
|
ExecStartPre = "+${preStartScript}";
|
||||||
#!/${pkgs.bash}/bin/bash
|
|
||||||
if ! [ -d "${cfg.server.dataDirectory}" ] ; then
|
|
||||||
mkdir -p "${cfg.server.dataDirectory}"
|
|
||||||
fi
|
|
||||||
if ! [ -d "${serverClientConfDir}" ] ; then
|
|
||||||
mkdir -p "${serverClientConfDir}"
|
|
||||||
fi
|
|
||||||
chown burp:burp "${cfg.server.dataDirectory}" "${serverClientConfDir}"
|
|
||||||
chmod 700 "${cfg.server.dataDirectory}" "${serverClientConfDir}"
|
|
||||||
${concatStringsSep "\n" (mapAttrsToList(name: file:
|
|
||||||
"ln -fs " + file + " " + serverClientConfDir + "/" + name) clientConfigs)}
|
|
||||||
''}";
|
|
||||||
|
|
||||||
Nice = 19;
|
Nice = 19;
|
||||||
IOSchedulingClass = "idle";
|
IOSchedulingClass = "idle";
|
||||||
|
|