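# This module defines global configuration for Haka.

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.haka;

  haka = cfg.package;

  # Resolve `configFile`: an absolute path is used verbatim, anything else is
  # taken relative to the sample directory shipped with the package.
  configurationFile =
    if lib.strings.hasPrefix "/" cfg.configFile
    then cfg.configFile
    else "${haka}/share/haka/sample/${cfg.configFile}";

  # `threads` is an int; Nix cannot interpolate an int into a string directly,
  # so it is converted with toString. A value of 0 means "use all system
  # threads" and the key is simply omitted from haka.conf.
  threadLine =
    optionalString (cfg.threads > 0) "thread = ${toString cfg.threads}";

  # Packet-dump settings, only emitted when dumping is enabled.
  dumpLines = optionalString cfg.dump.enable ''
    dump = "yes"
    dump_input = "${cfg.dump.input}"
    dump_output = "${cfg.dump.output}"
  '';

  # haka.conf rendered into the Nix store and handed to `haka -c`.
  # Lines starting with `#` inside this string are comments for Haka's own
  # config parser, not Nix comments.
  hakaConf = pkgs.writeText "haka.conf"
    ''
      [general]
      configuration = ${configurationFile}
      ${threadLine}

      [packet]
      # Exactly one capture module is selected (enforced by the assertions
      # below); the nfqueue module name matches the `nfqueue` option.
      ${optionalString cfg.pcap ''module = "packet/pcap"''}
      ${optionalString cfg.nfqueue ''module = "packet/nfqueue"''}
      ${dumpLines}
      interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"

      [log]
      # Select the log module
      module = "log/syslog"

      # Set the default logging level
      #level = "info,packet=debug"

      [alert]
      # Select the alert module
      module = "alert/syslog"

      # Disable alert on standard output
      #alert_on_stdout = no

      # alert/file module option
      #file = "/dev/null"
    '';

in

{

  ###### interface

  options = {

    services.haka = {

      enable = mkEnableOption "Haka";

      package = mkPackageOption pkgs "haka" { };

      configFile = mkOption {
        default = "empty.lua";
        example = "/srv/haka/myfilter.lua";
        type = types.str;
        description = ''
          Specify which configuration file Haka uses.
          It can be an absolute path or a path relative to the sample directory of
          the haka git repo.
        '';
      };

      interfaces = mkOption {
        default = [ "eth0" ];
        example = [ "any" ];
        type = with types; listOf str;
        description = ''
          Specify which interface(s) Haka listens to.
          Use 'any' to listen to all interfaces.
        '';
      };

      threads = mkOption {
        default = 0;
        example = 4;
        type = types.int;
        description = ''
          The number of threads that will be used.
          All system threads are used by default.
        '';
      };

      pcap = mkOption {
        default = true;
        type = types.bool;
        description = "Whether to enable pcap";
      };

      nfqueue = mkEnableOption "nfqueue";

      dump.enable = mkEnableOption "dump";

      # NOTE(review): the defaults below point into /tmp, which the service
      # (running as root, see below) writes to; a predictable path in a
      # world-writable directory is worth revisiting — confirm whether a
      # dedicated state directory would be more appropriate. The defaults are
      # kept unchanged here so existing configurations keep working.
      dump.input = mkOption {
        default = "/tmp/input.pcap";
        example = "/path/to/file.pcap";
        type = types.path;
        description = "Path to file where incoming packets are dumped";
      };

      dump.output = mkOption {
        default = "/tmp/output.pcap";
        example = "/path/to/file.pcap";
        type = types.path;
        description = "Path to file where outgoing packets are dumped";
      };
    };
  };


  ###### implementation

  config = mkIf cfg.enable {

    assertions = [
      { assertion = cfg.pcap != cfg.nfqueue;
        message = "either pcap or nfqueue can be enabled, not both.";
      }
      # `dump.enable` must be reached through `cfg`; a bare `dump` is not in
      # scope here and would fail at evaluation time. The condition is written
      # to agree with its message: enabling dump requires the nfqueue module.
      # NOTE(review): the original condition forbade dump together with
      # nfqueue, contradicting the message — confirm against Haka's docs.
      { assertion = cfg.dump.enable -> cfg.nfqueue;
        message = "dump can only be used with nfqueue.";
      }
      { assertion = cfg.interfaces != [];
        message = "at least one interface must be specified.";
      }
    ];


    environment.systemPackages = [ haka ];

    systemd.services.haka = {
      description = "Haka";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${haka}/bin/haka -c ${hakaConf}";
        ExecStop = "${haka}/bin/hakactl stop";
        # The daemon runs as root with no systemd hardening applied; packet
        # capture via pcap/nfqueue presumably needs elevated privileges.
        # NOTE(review): confirm whether a dedicated user plus ambient
        # capabilities would suffice instead of full root.
        User = "root";
        # Presumably haka daemonizes itself; confirm against the binary's
        # behaviour before changing this.
        Type = "forking";
      };
    };
  };
}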