hosts/hosts/burp-server.nix


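{ config, lib, pkgs, ... }:
# Host configuration for the burp backup server: the burp daemon itself plus a
# locked-down SSH account that remote backup clients use to tunnel to it.
{
  services.burp.server = {
    enable = true;
    dataDirectory = "/data/burp";
    # The SSL key passphrase is read from a file at runtime rather than being
    # written into the (world-readable) Nix store.
    sslKeyPasswordFile = "/secrets/burp_server_ssl_key_password";
    workingDirRecoveryMethod = "resume";
    maxResumeAttempts = 3;
    # Retention values handed to burp as given (presumably its `keep` tiers;
    # confirm against the burp documentation before changing).
    keep = [ 14 4 6 2 ];

    # Every client authenticates with its own password file, named after the
    # client. This host backs itself up as well, so it is in the list.
    clients = lib.listToAttrs (map (client: {
      name = client;
      value = {
        passwordFile = "/secrets/burp_client_passwords/${client}";
      };
    }) [
      config.networking.hostName
      "Pullach"
      "Disco"
      "Berthold"
      "Ernesto"
      "Emitter"
    ]);

    # Only the server itself is granted the elevated client role.
    superClients = [
      config.networking.hostName
    ];

    # Backup window, passed through to burp's timer configuration unchanged.
    timerArgs = [
      "20h"
      "Mon,Tue,Wed,Thu,Fri,Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23"
    ];
  };

  # Used for other clients to open an SSH tunnel to the burp server
  users.users.burp-remote = {
    isNormalUser = false;
    isSystemUser = true;
    createHome = false;
    group = "nogroup";
    # A shell is necessary for the user to run `sleep`
    shell = pkgs.bash;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItwImll4vcrfRQZjf6zkEGJswpL9EdWRiibXtjis99J root@Emitter"
    ];
  };

  # The tunnel account can only keep a session open for 10 seconds, and every
  # capability other than port forwarding is switched off so that possession of
  # the key grants nothing beyond reaching the burp service.
  # NOTE: a `Match` block stays in effect until the next `Match` line, so
  # anything another module appends to `extraConfig` after this would inherit
  # these restrictions.
  services.openssh.extraConfig = ''
    Match User burp-remote
      ForceCommand ${pkgs.coreutils}/bin/sleep 10
      # Clients are assumed to use local (-L) forwarding to reach the burp port;
      # reverse tunnels back into this network are not needed. Confirm before
      # tightening further, e.g. with: PermitOpen localhost:<BURP_PORT>
      AllowTcpForwarding local
      PermitTTY no
      X11Forwarding no
      AllowAgentForwarding no
  '';
}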