public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/services/security/haka.nix
Franz Pletz 9536169074
nixos/treewide: remove boolean examples for options 
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00

157 lines
3.8 KiB
Nix
Raw Blame History

# This module defines global configuration for Haka.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.haka;
haka = cfg.package;
hakaConf = pkgs.writeText "haka.conf"
''
[general]
configuration = ${if lib.strings.hasPrefix "/" cfg.configFile
then "${cfg.configFile}"
else "${haka}/share/haka/sample/${cfg.configFile}"}
${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}
[packet]
${optionalString cfg.pcap ''module = "packet/pcap"''}
${optionalString cfg.nfqueue ''module = "packet/nqueue"''}
${optionalString cfg.dump.enable ''dump = "yes"''}
${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}
interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"
[log]
# Select the log module
module = "log/syslog"
# Set the default logging level
#level = "info,packet=debug"
[alert]
# Select the alert module
module = "alert/syslog"
# Disable alert on standard output
#alert_on_stdout = no
# alert/file module option
#file = "/dev/null"
'';
in
{
###### interface
options = {
services.haka = {
enable = mkEnableOption "Haka";
package = mkOption {
default = pkgs.haka;
defaultText = "pkgs.haka";
type = types.package;
description = "
Which Haka derivation to use.
";
};
configFile = mkOption {
default = "empty.lua";
example = "/srv/haka/myfilter.lua";
type = types.string;
description = ''
Specify which configuration file Haka uses.
It can be absolute path or a path relative to the sample directory of
the haka git repo.
'';
};
interfaces = mkOption {
default = [ "eth0" ];
example = [ "any" ];
type = with types; listOf string;
description = ''
Specify which interface(s) Haka listens to.
Use 'any' to listen to all interfaces.
'';
};
threads = mkOption {
default = 0;
example = 4;
type = types.int;
description = ''
The number of threads that will be used.
All system threads are used by default.
'';
};
pcap = mkOption {
default = true;
type = types.bool;
description = "Whether to enable pcap";
};
nfqueue = mkEnableOption "nfqueue";
dump.enable = mkEnableOption "dump";
dump.input = mkOption {
default = "/tmp/input.pcap";
example = "/path/to/file.pcap";
type = types.path;
description = "Path to file where incoming packets are dumped";
};
dump.output = mkOption {
default = "/tmp/output.pcap";
example = "/path/to/file.pcap";
type = types.path;
description = "Path to file where outgoing packets are dumped";
};
};
};
###### implementation
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.pcap != cfg.nfqueue;
message = "either pcap or nfqueue can be enabled, not both.";
}
{ assertion = cfg.nfqueue -> !dump.enable;
message = "dump can only be used with nfqueue.";
}
{ assertion = cfg.interfaces != [];
message = "at least one interface must be specified.";
}];
environment.systemPackages = [ haka ];
systemd.services.haka = {
description = "Haka";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${haka}/bin/haka -c ${hakaConf}";
ExecStop = "${haka}/bin/hakactl stop";
User = "root";
Type = "forking";
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink