me
/
guix
Archived
1
0
Fork 0
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues/pull-requests.
guix/gnu/services/security.scm

412 lines
16 KiB
Scheme
Raw Blame History

This file contains invisible Unicode characters!

This file contains invisible Unicode characters that may be processed differently from what appears below. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to reveal hidden characters.

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2022 muradm <mail@muradm.net>
;;; Copyright © 2022 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services security)
#:use-module (gnu packages admin)
#:use-module (gnu services)
#:use-module (gnu services configuration)
#:use-module (gnu services shepherd)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix ui)
#:use-module (ice-9 format)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:export (fail2ban-configuration
fail2ban-ignore-cache-configuration
fail2ban-jail-action-configuration
fail2ban-jail-configuration
fail2ban-jail-filter-configuration
fail2ban-jail-service
fail2ban-service-type))
(define-configuration/no-serialization fail2ban-ignore-cache-configuration
(key string "Cache key.")
(max-count integer "Cache size.")
(max-time integer "Cache time."))
(define serialize-fail2ban-ignore-cache-configuration
(match-lambda
(($ <fail2ban-ignore-cache-configuration> _ key max-count max-time)
(format #f "key=\"~a\", max-count=~d, max-time=~d"
key max-count max-time))))
(define-maybe/no-serialization string)
(define-configuration/no-serialization fail2ban-jail-filter-configuration
(name string "Filter to use.")
(mode maybe-string "Mode for filter."))
(define serialize-fail2ban-jail-filter-configuration
(match-lambda
(($ <fail2ban-jail-filter-configuration> _ name mode)
(format #f "~a~@[[mode=~a]~]" name (maybe-value mode)))))
(define (argument? a)
(and (pair? a)
(string? (car a))
(or (string? (cdr a))
(list-of-strings? (cdr a)))))
(define list-of-arguments? (list-of argument?))
(define-configuration/no-serialization fail2ban-jail-action-configuration
(name string "Action name.")
(arguments (list-of-arguments '()) "Action arguments."))
(define list-of-fail2ban-jail-actions?
(list-of fail2ban-jail-action-configuration?))
(define (serialize-fail2ban-jail-action-configuration-arguments args)
(let* ((multi-value
(lambda (v)
(format #f "~a" (string-join v ","))))
(any-value
(lambda (v)
(if (list? v) (string-append "\"" (multi-value v) "\"") v)))
(key-value
(lambda (e)
(format #f "~a=~a" (car e) (any-value (cdr e))))))
(format #f "~a" (string-join (map key-value args) ","))))
(define serialize-fail2ban-jail-action-configuration
(match-lambda
(($ <fail2ban-jail-action-configuration> _ name arguments)
(format
#f "~a~a"
name
(if (null? arguments) ""
(format
#f "[~a]"
(serialize-fail2ban-jail-action-configuration-arguments
arguments)))))))
(define fail2ban-backend->string
(match-lambda
('auto "auto")
('pyinotify "pyinotify")
('gamin "gamin")
('polling "polling")
('systemd "systemd")
(unknown
(leave (G_ "fail2ban: '~a' is not a supported backend~%") unknown))))
(define fail2ban-log-encoding->string
(match-lambda
('auto "auto")
('utf-8 "utf-8")
('ascii "ascii")
(unknown
(leave (G_ "fail2ban: '~a' is not a supported log encoding~%") unknown))))
(define (fail2ban-jail-configuration-serialize-field-name name)
(cond ((symbol? name)
(fail2ban-jail-configuration-serialize-field-name
(symbol->string name)))
((string-suffix? "?" name)
(fail2ban-jail-configuration-serialize-field-name
(string-drop-right name 1)))
((string-prefix? "ban-time-" name)
(fail2ban-jail-configuration-serialize-field-name
(string-append "bantime." (substring name 9))))
((string-contains name "-")
(fail2ban-jail-configuration-serialize-field-name
(string-filter (lambda (c) (not (equal? c #\-))) name)))
(else name)))
(define (fail2ban-jail-configuration-serialize-string field-name value)
#~(string-append
#$(fail2ban-jail-configuration-serialize-field-name field-name)
" = " #$value "\n"))
(define (fail2ban-jail-configuration-serialize-integer field-name value)
(fail2ban-jail-configuration-serialize-string
field-name (number->string value)))
(define (fail2ban-jail-configuration-serialize-boolean field-name value)
(fail2ban-jail-configuration-serialize-string
field-name (if value "true" "false")))
(define (fail2ban-jail-configuration-serialize-backend field-name value)
(if (maybe-value-set? value)
(fail2ban-jail-configuration-serialize-string
field-name (fail2ban-backend->string value))
""))
(define (fail2ban-jail-configuration-serialize-fail2ban-ignore-cache-configuration field-name value)
(fail2ban-jail-configuration-serialize-string
field-name (serialize-fail2ban-ignore-cache-configuration value)))
(define (fail2ban-jail-configuration-serialize-fail2ban-jail-filter-configuration field-name value)
(fail2ban-jail-configuration-serialize-string
field-name (serialize-fail2ban-jail-filter-configuration value)))
(define (fail2ban-jail-configuration-serialize-log-encoding field-name value)
(if (maybe-value-set? value)
(fail2ban-jail-configuration-serialize-string
field-name (fail2ban-log-encoding->string value))
""))
(define (fail2ban-jail-configuration-serialize-list-of-strings field-name value)
(if (null? value)
""
(fail2ban-jail-configuration-serialize-string
field-name (string-join value " "))))
(define (fail2ban-jail-configuration-serialize-list-of-fail2ban-jail-actions field-name value)
(if (null? value)
""
(fail2ban-jail-configuration-serialize-string
field-name (string-join
(map serialize-fail2ban-jail-action-configuration value) "\n"))))
(define (fail2ban-jail-configuration-serialize-symbol field-name value)
(fail2ban-jail-configuration-serialize-string field-name (symbol->string value)))
(define-maybe integer (prefix fail2ban-jail-configuration-))
(define-maybe string (prefix fail2ban-jail-configuration-))
(define-maybe boolean (prefix fail2ban-jail-configuration-))
(define-maybe symbol (prefix fail2ban-jail-configuration-))
(define-maybe fail2ban-ignore-cache-configuration (prefix fail2ban-jail-configuration-))
(define-maybe fail2ban-jail-filter-configuration (prefix fail2ban-jail-configuration-))
(define-configuration fail2ban-jail-configuration
(name
string
"Required name of this jail configuration."
empty-serializer)
(enabled?
(boolean #t)
"Whether this jail is enabled.")
(backend
maybe-symbol
"Backend to use to detect changes in the @code{log-path}. The default is
'auto. To consult the defaults of the jail configuration, refer to the
@file{/etc/fail2ban/jail.conf} file of the @code{fail2ban} package."
fail2ban-jail-configuration-serialize-backend)
(max-retry
maybe-integer
"The number of failures before a host get banned
(e.g. @code{(max-retry 5)}).")
(max-matches
maybe-integer
"The number of matches stored in ticket (resolvable via
tag @code{<matches>}) in action.")
(find-time
maybe-string
"The time window during which the maximum retry count must be reached for
an IP address to be banned. A host is banned if it has generated
@code{max-retry} during the last @code{find-time}
seconds (e.g. @code{(find-time \"10m\")}). It can be provided in seconds or
using Fail2Ban's \"time abbreviation format\", as described in @command{man 5
jail.conf}.")
(ban-time
maybe-string
"The duration, in seconds or time abbreviated format, that a ban should last.
(e.g. @code{(ban-time \"10m\")}).")
(ban-time-increment?
maybe-boolean
"Whether to consider past bans to compute increases to the default ban time
of a specific IP address.")
(ban-time-factor
maybe-string
"The coefficient to use to compute an exponentially growing ban time.")
(ban-time-formula
maybe-string
"This is the formula used to calculate the next value of a ban time.")
(ban-time-multipliers
maybe-string
"Used to calculate next value of ban time instead of formula.")
(ban-time-max-time
maybe-string
"The maximum number of seconds a ban should last.")
(ban-time-rnd-time
maybe-string
"The maximum number of seconds a randomized ban time should last. This can
be useful to stop ``clever'' botnets calculating the exact time an IP address
can be unbanned again.")
(ban-time-overall-jails?
maybe-boolean
"When true, it specifies the search of an IP address in the database should
be made across all jails. Otherwise, only the current jail of the ban IP
address is considered.")
(ignore-self?
maybe-boolean
"Never ban the local machine's own IP address.")
(ignore-ip
(list-of-strings '())
"A list of IP addresses, CIDR masks or DNS hosts to ignore.
@code{fail2ban} will not ban a host which matches an address in this list.")
(ignore-cache
maybe-fail2ban-ignore-cache-configuration
"Provide cache parameters for the ignore failure check.")
(filter
maybe-fail2ban-jail-filter-configuration
"The filter to use by the jail, specified via a
@code{<fail2ban-jail-filter-configuration>} object. By default, jails have
names matching their filter name.")
(log-time-zone
maybe-string
"The default time zone for log lines that do not have one.")
(log-encoding
maybe-symbol
"The encoding of the log files handled by the jail.
Possible values are: @code{'ascii}, @code{'utf-8} and @code{'auto}."
fail2ban-jail-configuration-serialize-log-encoding)
(log-path
(list-of-strings '())
"The file names of the log files to be monitored.")
(action
(list-of-fail2ban-jail-actions '())
"A list of @code{<fail2ban-jail-action-configuration>}.")
(extra-content
(text-config '())
"Extra content for the jail configuration, provided as a list of file-like
objects."
serialize-text-config)
(prefix fail2ban-jail-configuration-))
(define list-of-fail2ban-jail-configurations?
(list-of fail2ban-jail-configuration?))
(define (serialize-fail2ban-jail-configuration config)
#~(string-append
#$(format #f "[~a]\n" (fail2ban-jail-configuration-name config))
#$(serialize-configuration
config fail2ban-jail-configuration-fields)))
(define-configuration/no-serialization fail2ban-configuration
(fail2ban
(package fail2ban)
"The @code{fail2ban} package to use. It is used for both binaries and as
base default configuration that is to be extended with
@code{<fail2ban-jail-configuration>} objects.")
(run-directory
(string "/var/run/fail2ban")
"The state directory for the @code{fail2ban} daemon.")
(jails
(list-of-fail2ban-jail-configurations '())
"Instances of @code{<fail2ban-jail-configuration>} collected from
extensions.")
(extra-jails
(list-of-fail2ban-jail-configurations '())
"Instances of @code{<fail2ban-jail-configuration>} explicitly provided.")
(extra-content
(text-config '())
"Extra raw content to add to the end of the @file{jail.local} file,
provided as a list of file-like objects."))
(define (serialize-fail2ban-configuration config)
(let* ((jails (fail2ban-configuration-jails config))
(extra-jails (fail2ban-configuration-extra-jails config))
(extra-content (fail2ban-configuration-extra-content config)))
(interpose
(append (map serialize-fail2ban-jail-configuration
(append jails extra-jails))
(list (serialize-text-config 'extra-content extra-content))))))
(define (config->fail2ban-etc-directory config)
(let* ((fail2ban (fail2ban-configuration-fail2ban config))
(jail-local (apply mixed-text-file "jail.local"
(serialize-fail2ban-configuration config))))
(directory-union
"fail2ban-configuration"
(list (computed-file
"etc-fail2ban"
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(let ((etc (string-append #$output "/etc")))
(mkdir-p etc)
(symlink #$(file-append fail2ban "/etc/fail2ban")
(string-append etc "/fail2ban"))))))
(computed-file
"etc-fail2ban-jail.local"
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(define etc/fail2ban (string-append #$output
"/etc/fail2ban"))
(mkdir-p etc/fail2ban)
(symlink #$jail-local (string-append etc/fail2ban
"/jail.local")))))))))
(define (fail2ban-shepherd-service config)
(match-record config <fail2ban-configuration>
(fail2ban run-directory)
(let* ((fail2ban-server (file-append fail2ban "/bin/fail2ban-server"))
(fail2ban-client (file-append fail2ban "/bin/fail2ban-client"))
(pid-file (in-vicinity run-directory "fail2ban.pid"))
(socket-file (in-vicinity run-directory "fail2ban.sock"))
(config-dir (file-append (config->fail2ban-etc-directory config)
"/etc/fail2ban"))
(fail2ban-action (lambda args
#~(invoke #$fail2ban-client #$@args))))
;; TODO: Add 'reload' action (see 'fail2ban.service.in' in the source).
(list (shepherd-service
(provision '(fail2ban))
(documentation "Run the fail2ban daemon.")
(requirement '(user-processes))
(start #~(make-forkexec-constructor
(list #$fail2ban-server
"-c" #$config-dir "-s" #$socket-file
"-p" #$pid-file "-xf" "start")
#:pid-file #$pid-file))
(stop #~(lambda (_)
#$(fail2ban-action "stop")
#f))))))) ;successfully stopped
(define fail2ban-service-type
(service-type (name 'fail2ban)
(extensions
(list (service-extension shepherd-root-service-type
fail2ban-shepherd-service)))
(compose concatenate)
(extend (lambda (config jails)
(fail2ban-configuration
(inherit config)
(jails (append (fail2ban-configuration-jails config)
jails)))))
(default-value (fail2ban-configuration))
(description "Run the fail2ban server.")))
(define (fail2ban-jail-service svc-type jail)
"Convenience procedure to add a fail2ban service extension to SVC-TYPE, a
<service-type> object. The fail2ban extension is specified by JAIL, a
<fail2ban-jail-configuration> object."
(service-type
(inherit svc-type)
(extensions
(append (service-type-extensions svc-type)
(list (service-extension fail2ban-service-type
(lambda _ (list jail))))))))
;;;
;;; Documentation generation.
;;;
(define (generate-doc)
(configuration->documentation 'fail2ban-configuration)
(configuration->documentation 'fail2ban-ignore-cache-configuration)
(configuration->documentation 'fail2ban-jail-action-configuration)
(configuration->documentation 'fail2ban-jail-configuration)
(configuration->documentation 'fail2ban-jail-filter-configuration))