Add IDS-VM as a defensive networking mechanism
Signed-off-by: Risto Kuusela <risto.kuusela@unikie.com>
Showing
13 changed files
with
346 additions
and
5 deletions.
@@ -57,6 +57,7 @@ | |
pkgs.waypipe | ||
pkgs.networkmanagerapplet | ||
pkgs.nm-launcher | ||
pkgs.mitmweb-ui | ||
]; | ||
}; | ||
@@ -0,0 +1,167 @@ | ||
# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
config, | ||
lib, | ||
pkgs, | ||
... | ||
}: let | ||
configHost = config; | ||
vmName = "ids-vm"; | ||
macAddress = "02:00:00:01:01:02"; | ||
networkName = "ethint0"; | ||
idsvmBaseConfiguration = { | ||
imports = [ | ||
# (import ./common/vm-networking.nix {inherit vmName macAddress useDHCP;}) | ||
({lib, ...}: { | ||
ghaf = { | ||
users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; | ||
development = { | ||
# NOTE: SSH port also becomes accessible on the network interface | ||
# that has been passed through to NetVM | ||
ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; | ||
debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; | ||
}; | ||
}; | ||
|
||
system.stateVersion = lib.trivial.release; | ||
|
||
nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; | ||
nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; | ||
|
||
microvm.hypervisor = "qemu"; | ||
|
||
environment.systemPackages = lib.mkIf config.ghaf.profiles.debug.enable [ | ||
pkgs.mitmproxy | ||
pkgs.snort | ||
pkgs.tcpdump | ||
]; | ||
|
||
networking = { | ||
enableIPv6 = false; | ||
firewall.allowedTCPPorts = [22 8080 8081]; # SSH, mitmproxy, mitmweb | ||
firewall.allowedUDPPorts = [67]; | ||
useNetworkd = true; | ||
nat = { | ||
enable = true; | ||
internalInterfaces = [networkName]; | ||
extraCommands = '' | ||
iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 80 -j REDIRECT --to-port 8080 | ||
iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 443 -j REDIRECT --to-port 8080 | ||
''; | ||
}; | ||
}; | ||
|
||
# Here we add default CA keypair and corresponding self-signed certificate | ||
# for mitmproxy in different formats. These should be, of course, randomly and | ||
# securely generated and stored for each instance, but for development purposes | ||
# we use these fixed ones. | ||
environment.etc = { | ||
"mitmproxy/mitmproxy-ca-cert.cer".source = ./mitmproxy-ca/mitmproxy-ca-cert.cer; | ||
"mitmproxy/mitmproxy-ca-cert.p12".source = ./mitmproxy-ca/mitmproxy-ca-cert.p12; | ||
"mitmproxy/mitmproxy-ca-cert.pem".source = ./mitmproxy-ca/mitmproxy-ca-cert.pem; | ||
"mitmproxy/mitmproxy-ca.pem".source = ./mitmproxy-ca/mitmproxy-ca.pem; | ||
"mitmproxy/mitmproxy-ca.p12".source = ./mitmproxy-ca/mitmproxy-ca.p12; | ||
"mitmproxy/mitmproxy-dhparam.pem".source = ./mitmproxy-ca/mitmproxy-dhparam.pem; | ||
}; | ||
|
||
systemd.services."mitmweb-server" = let | ||
mitmwebScript = pkgs.writeShellScriptBin "mitmweb-server" '' | ||
${pkgs.mitmproxy}/bin/mitmweb --web-host localhost --web-port 8081 --set confdir=/etc/mitmproxy | ||
''; | ||
in { | ||
enable = true; | ||
description = "Run mitmweb to establish web interface for mitmproxy"; | ||
path = [mitmwebScript]; | ||
wantedBy = ["multi-user.target"]; | ||
serviceConfig = { | ||
Type = "simple"; | ||
# RemainAfterExit = true; | ||
StandardOutput = "journal"; | ||
StandardError = "journal"; | ||
ExecStart = "${mitmwebScript}/bin/mitmweb-server"; | ||
Restart = "on-failure"; | ||
RestartSec = "1"; | ||
}; | ||
}; | ||
|
||
microvm.interfaces = [ | ||
{ | ||
type = "tap"; | ||
# The interface names must have maximum length of 15 characters | ||
id = "tap-${vmName}"; | ||
mac = macAddress; | ||
} | ||
]; | ||
|
||
systemd.network = { | ||
enable = true; | ||
# Set internal network's interface name to networkName | ||
links."10-${networkName}" = { | ||
matchConfig.PermanentMACAddress = macAddress; | ||
linkConfig.Name = networkName; | ||
}; | ||
networks."10-${networkName}" = { | ||
matchConfig.MACAddress = macAddress; | ||
DHCP = "no"; | ||
gateway = ["192.168.100.1"]; | ||
addresses = [ | ||
{ | ||
addressConfig.Address = "192.168.100.3/24"; | ||
} | ||
{ | ||
# IP-address for debugging subnet | ||
addressConfig.Address = "192.168.101.4/24"; | ||
} | ||
]; | ||
linkConfig.RequiredForOnline = "routable"; | ||
linkConfig.ActivationPolicy = "always-up"; | ||
}; | ||
}; | ||
|
||
services.resolved.dnssec = "false"; | ||
|
||
microvm = { | ||
optimize.enable = true; | ||
shares = [ | ||
{ | ||
tag = "ro-store"; | ||
source = "/nix/store"; | ||
mountPoint = "/nix/.ro-store"; | ||
} | ||
]; | ||
writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; | ||
}; | ||
|
||
imports = import ../../module-list.nix; | ||
}) | ||
]; | ||
}; | ||
cfg = config.ghaf.virtualization.microvm.idsvm; | ||
in { | ||
options.ghaf.virtualization.microvm.idsvm = { | ||
enable = lib.mkEnableOption "IDSVM"; | ||
|
||
extraModules = lib.mkOption { | ||
description = '' | ||
List of additional modules to be imported and evaluated as part of | ||
IDSVM's NixOS configuration. | ||
''; | ||
default = []; | ||
}; | ||
}; | ||
|
||
config = lib.mkIf cfg.enable { | ||
microvm.vms."${vmName}" = { | ||
autostart = true; | ||
config = | ||
idsvmBaseConfiguration | ||
// { | ||
imports = | ||
idsvmBaseConfiguration.imports | ||
++ cfg.extraModules; | ||
}; | ||
specialArgs = {inherit lib;}; | ||
}; | ||
}; | ||
} |
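Review bot: Only `environment.systemPackages` is gated on `config.ghaf.profiles.debug.enable`; the `environment.etc` entries that install the fixed mitmproxy CA (including the private key in mitmproxy-ca.pem) and the always-enabled `mitmweb-server` service are deployed in every build that enables this VM, and anything placed in the Nix store is world-readable inside the guest, so the comment above `environment.etc` describing the keys as development-only is not enforced by the configuration. Wrap both attributes the same way, e.g. `environment.etc = lib.mkIf config.ghaf.profiles.debug.enable { ... };` and `systemd.services."mitmweb-server" = lib.mkIf config.ghaf.profiles.debug.enable (let ... in { ... });`, or generate the CA at first boot instead of shipping it. Separately, the two `iptables` REDIRECT rules hard-code `ethint0` while the rest of the file derives the interface from `networkName`; `-i ${networkName}` keeps them in step if the name changes. The `extraModules` option also declares no `type`, so a non-list value would only fail at the `++` near the end of the file rather than at option evaluation.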
20 changes: 20 additions & 0 deletions
20
modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer
@@ -0,0 +1,20 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL | ||
BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN | ||
MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv | ||
eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC | ||
AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i | ||
0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2 | ||
B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU | ||
KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr | ||
9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC | ||
iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB | ||
/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE | ||
FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S | ||
Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo | ||
WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB | ||
vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93 | ||
7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5 | ||
cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA | ||
+PqFqfsCDYU1 | ||
-----END CERTIFICATE----- |
Binary file not shown.
20 changes: 20 additions & 0 deletions
20
modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.pem
@@ -0,0 +1,20 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL | ||
BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN | ||
MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv | ||
eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC | ||
AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i | ||
0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2 | ||
B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU | ||
KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr | ||
9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC | ||
iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB | ||
/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE | ||
FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S | ||
Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo | ||
WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB | ||
vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93 | ||
7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5 | ||
cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA | ||
+PqFqfsCDYU1 | ||
-----END CERTIFICATE----- |
Binary file not shown.
47 changes: 47 additions & 0 deletions
47
modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.pem
@@ -0,0 +1,47 @@ | ||
-----BEGIN RSA PRIVATE KEY----- | ||
MIIEpAIBAAKCAQEA4+ScTpL5qd+vnaI7nxWw8FwqtNulYJXU0+alaHpiZnG7MDci | ||
M27xf2LQHJWC63Kyashdaq3sQ52zy8KosJff6kYHpew0wLiSyfjZIfpCZZRNmLNS | ||
MIj7tzYHV9jHNTlpobZn1MO18TF1aqcdHRzR1NHtzYhR4fuqDL/yhK6RB4V2Gn+P | ||
935yixQq1fEyX2+TjCKx4tFLYkFv5Ap0z5N00oukBmZhPrxYgg8H/RWzGjVl5J/w | ||
DgosSWv3P2iSxPlE9kCS6pXhO1ZmhI9/TWUHmMEJFuVIarDeb0BECMfcw3VwO/Aq | ||
Q60+sQKIEq/1LnULIY8uSsRChCuxy8YqQSnmYQIDAQABAoIBAQC/S1L5kd4Ifj+H | ||
7nplm2ufF36xuf4kCSFRjjYicTjQDX+3hVAsJGCLMYLHu6jdwrWJdQ8VUVEVoPcf | ||
fxLiyVmn6YjZ+mB9tXFiIIUDRHMfmVFZcIz5OMMykyOu1cTCJKNKnzahHndHMuEA | ||
2a5SlbJ9FoqrEFbLftjLQwRr46zRxduoF2Znz/XhPMcoOsMoFuUIEtS3kmblW8Zr | ||
UzKkvT2GUb5b19WNIbK/1ZWnkYTh6nTQPNz8FYpNb7ZuS/UfNGP05r+ZbgzmSS8B | ||
Mwl2u2AqXEo15ULjEP8XQpmQXDbaOAjZHzF0nqx2Sw7iY9MfAarIekGLVRJ+LRwA | ||
mkT8TPuRAoGBAP+20Ah6SCJN4DpDLC/Zu/2rRanpxxyk1awseFlfNOPegAuM+Gic | ||
fHeUDYooHxZwbowAjyo4o36rnHJJi8ZniTHZG9ddy9U75TgVZK4Xr7MkmmOCpv1Q | ||
50BTxsnWir3pTspgWCZ8oXmyvNJV/hl0fGqFW3WxI41upMM6w3uSMdvnAoGBAOQl | ||
1dgXh+Qo8DhAaWmhmDLpcfWD2XB3rhZxQfbYCC+oyrQgpgyQpOEgmPKcjDrsToRK | ||
Ze08O3t5inrvyH41THhByDfV6pxZSGRPoBxr1ZMej6V50FFHctQbDqDhmBdlKpkx | ||
3ryGBrhUxjwklg915UwvZc1iewYdZxd0JeST+CJ3AoGBALbU9QU6uRyd5baClLNZ | ||
0InczaBhIBYg3Q2PdjUgV2adjZu0nV/ekzfESbIAYcnfdYrwU2xytqM4/FDSuPeQ | ||
y40ymC9yRu0dOBTTZvr6wIsrnp+LqO3xzIY34CgsF2MVz1nvbNeHwMSMwWj6RwXY | ||
PaTD2NLbZnoXJALany5ZJwD9AoGAVKqZ1my9GHX819NHi1TVx6cMjIFWsz8m0ttL | ||
EJERUKaCOyCWnrkbBxTyza48+Czz4nI9qzGcHXF4a7EKpZOgAkzfQaFYRJd5nwhR | ||
sdpu0v8XbeBr543tVjuITToLGDuJ+HoiX7IZUlTbkDw/mBM3efNpAzRV1WoZ9QE8 | ||
grxK7HcCgYAT0dGsFd1RY+m/Ik/jTxRDSi7zLLtyZO8AsGsfqsm0b8GhTTlXzEmH | ||
kgp75/W058vjc7H1PY7FNr5neUn/Dtom2YtJRhANK/dhzh+RDSfFgbCX+VHTwh1a | ||
nb7F25+bEhlvfe5yLb+O6ZzbsL/EdJYg0BoHCgTI2bZJkzRtAzdHuA== | ||
-----END RSA PRIVATE KEY----- | ||
-----BEGIN CERTIFICATE----- | ||
MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL | ||
BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN | ||
MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv | ||
eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC | ||
AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i | ||
0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2 | ||
B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU | ||
KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr | ||
9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC | ||
iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB | ||
/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE | ||
FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S | ||
Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo | ||
WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB | ||
vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93 | ||
7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5 | ||
cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA | ||
+PqFqfsCDYU1 | ||
-----END CERTIFICATE----- |
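Review bot: The first block of this file is an RSA private key, so the signing key of the CA that the IDS-VM presents to intercepted clients is now part of the public repository and of every built image; a certificate issued with it is accepted by any client that trusts this CA, which undermines the very TLS boundary the VM is meant to inspect. The IDS-VM module's comment already calls these fixed development fixtures, but the file is still installed unconditionally from the Nix store. Prefer generating the CA inside the VM on first boot (mitmproxy creates one in its confdir when none is present) and committing at most the public certificate; once this key has been in git history it should be treated as compromised and not reused, even for development.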
14 changes: 14 additions & 0 deletions
14
modules/virtualization/microvm/mitmproxy-ca/mitmproxy-dhparam.pem
@@ -0,0 +1,14 @@ | ||
|
||
-----BEGIN DH PARAMETERS----- | ||
MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3 | ||
O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv | ||
j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ | ||
Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB | ||
chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC | ||
ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq | ||
o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX | ||
IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv | ||
A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8 | ||
6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I | ||
rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI= | ||
-----END DH PARAMETERS----- |
@@ -13,5 +13,6 @@ _: { | |
(import ./qemu) | ||
(import ./nm-launcher) | ||
(import ./labwc) | ||
(import ./mitmweb-ui) | ||
]; | ||
} |
@@ -0,0 +1,5 @@ | ||
# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
(final: _prev: { | ||
mitmweb-ui = final.callPackage ../../../packages/mitmweb-ui {}; | ||
}) |
@@ -0,0 +1,51 @@ | ||
# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
{ | ||
stdenvNoCC, | ||
pkgs, | ||
lib, | ||
... | ||
}: let | ||
waypipePort = 1100; # TODO: remove hardcoded port number | ||
nmLauncher = | ||
pkgs.writeShellScript | ||
"mitmweb-ui" | ||
'' | ||
# Create ssh-tunnel between chromium-vm and ids-vm | ||
${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \ | ||
-o StrictHostKeyChecking=no \ | ||
-t ghaf@chromium-vm.ghaf \ | ||
${pkgs.openssh}/bin/ssh -M -S /tmp/control_socket \ | ||
-f -N -L 8081:localhost:8081 ghaf@192.168.100.3 | ||
# TODO: check pipe creation failures | ||
# Launch chromium application and open mitmweb page | ||
${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm.ghaf \ | ||
${pkgs.waypipe}/bin/waypipe --border=#ff5733,5 --vsock -s ${toString waypipePort} server \ | ||
chromium --enable-features=UseOzonePlatform --ozone-platform=wayland \ | ||
http://localhost:8081 | ||
# Use the control socket to close the ssh tunnel between chromium-vm and ids-vm | ||
${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \ | ||
-o StrictHostKeyChecking=no \ | ||
-t ghaf@chromium-vm.ghaf \ | ||
${pkgs.openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@192.168.100.3 | ||
''; | ||
in | ||
stdenvNoCC.mkDerivation { | ||
name = "mitmweb-ui"; | ||
|
||
phases = ["installPhase"]; | ||
|
||
installPhase = '' | ||
mkdir -p $out/bin | ||
cp ${nmLauncher} $out/bin/mitmweb-ui | ||
''; | ||
|
||
meta = with lib; { | ||
description = "Script to launch Chromium to open mitmweb interface using ssh-tunneling and authentication."; | ||
platforms = [ | ||
"x86_64-linux" | ||
]; | ||
}; | ||
} |
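Review bot: All three `ssh` invocations in the `nmLauncher` script pass `-o StrictHostKeyChecking=no`, so a changed host key on chromium-vm or on the inner hop to 192.168.100.3 does not fail the connection, and the forwarded mitmweb session, which carries the intercepted traffic log, can end up at an unverified peer. Both VMs are built from this repository, so a provisioned known_hosts can be pinned instead: `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<path-to-provisioned-known_hosts>` on each call (placeholder path to be filled in). The control socket is created at the predictable path `/tmp/control_socket` on chromium-vm; if a socket from an earlier run is still there, ssh disables multiplexing with a warning and the later `-O exit` addresses the stale socket, so the new `-f -N` tunnel is never torn down, which is exactly the failure the `# TODO: check pipe creation failures` line anticipates — a per-run path under `$XDG_RUNTIME_DIR` or from `mktemp -d` avoids both problems. The `nmLauncher` binding name appears inherited from nm-launcher and would read better as `mitmwebUiScript`.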