Unverified Commit 1eecf7cc authored by Sandro Jäckel's avatar Sandro Jäckel

haka: remove

parent 9f176bd2
+2 −0
@@ -230,6 +230,8 @@

  - `pytestFlagsArray` and `unittestFlagsArray` are kept for compatibility purposes. They continue to be Bash-expanded before concatenated. This compatibility layer will be removed in future releases.

- The `haka` package and module has been removed because the package was broken and unmaintained for 9 years.

- `strawberry` has been updated to 1.2, which drops support for the VLC backend and Qt 5. The `strawberry-qt5` package
  and `withGstreamer`/`withVlc` override options have been removed due to this.

+0 −1
@@ -1384,7 +1384,6 @@
  ./services/security/esdm.nix
  ./services/security/fail2ban.nix
  ./services/security/fprintd.nix
  ./services/security/haka.nix
  ./services/security/haveged.nix
  ./services/security/hockeypuck.nix
  ./services/security/hologram-agent.nix
+3 −0
@@ -292,6 +292,9 @@ in
      See https://www.isc.org/blogs/isc-dhcp-eol/ for details.
      Please switch to a different implementation like kea or dnsmasq.
    '')
    (mkRemovedOptionModule [ "services" "haka" ] ''
      The corresponding package was broken and removed from nixpkgs.
    '')
    (mkRemovedOptionModule [ "services" "tedicross" ] ''
      The corresponding package was broken and removed from nixpkgs.
    '')
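Review bot: The message on the new `mkRemovedOptionModule [ "services" "haka" ]` entry says less than the release note in this same commit, which also states that the package was unmaintained for 9 years. Anyone who still sets `services.haka.*` will see only this text when evaluation fails, and the module being removed ran a packet-capture service as root on the configured interfaces, so the operator should learn here that the service is gone rather than renamed. I would word it along the lines of `The haka package was broken and unmaintained for 9 years, so the package and this module were removed from nixpkgs.` and, if no successor is intended, say so in the same sentence. The surrounding list of removed options starts and ends outside the hunk.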
+0 −154
# This module defines global configuration for Haka.
{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.services.haka;

  haka = cfg.package;

  hakaConf = pkgs.writeText "haka.conf" ''
    [general]
    configuration = ${
      if lib.strings.hasPrefix "/" cfg.configFile then
        "${cfg.configFile}"
      else
        "${haka}/share/haka/sample/${cfg.configFile}"
    }
    ${lib.optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}

    [packet]
    ${lib.optionalString cfg.pcap ''module = "packet/pcap"''}
    ${lib.optionalString cfg.nfqueue ''module = "packet/nqueue"''}
    ${lib.optionalString cfg.dump.enable ''dump = "yes"''}
    ${lib.optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
    ${lib.optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}

    interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"

    [log]
    # Select the log module
    module = "log/syslog"

    # Set the default logging level
    #level = "info,packet=debug"

    [alert]
    # Select the alert module
    module = "alert/syslog"

    # Disable alert on standard output
    #alert_on_stdout = no

    # alert/file module option
    #file = "/dev/null"
  '';

in

{

  ###### interface

  options = {

    services.haka = {

      enable = lib.mkEnableOption "Haka";

      package = lib.mkPackageOption pkgs "haka" { };

      configFile = lib.mkOption {
        default = "empty.lua";
        example = "/srv/haka/myfilter.lua";
        type = lib.types.str;
        description = ''
          Specify which configuration file Haka uses.
          It can be absolute path or a path relative to the sample directory of
          the haka git repo.
        '';
      };

      interfaces = lib.mkOption {
        default = [ "eth0" ];
        example = [ "any" ];
        type = with lib.types; listOf str;
        description = ''
          Specify which interface(s) Haka listens to.
          Use 'any' to listen to all interfaces.
        '';
      };

      threads = lib.mkOption {
        default = 0;
        example = 4;
        type = lib.types.int;
        description = ''
          The number of threads that will be used.
          All system threads are used by default.
        '';
      };

      pcap = lib.mkOption {
        default = true;
        type = lib.types.bool;
        description = "Whether to enable pcap";
      };

      nfqueue = lib.mkEnableOption "nfqueue";

      dump.enable = lib.mkEnableOption "dump";
      dump.input = lib.mkOption {
        default = "/tmp/input.pcap";
        example = "/path/to/file.pcap";
        type = lib.types.path;
        description = "Path to file where incoming packets are dumped";
      };

      dump.output = lib.mkOption {
        default = "/tmp/output.pcap";
        example = "/path/to/file.pcap";
        type = lib.types.path;
        description = "Path to file where outgoing packets are dumped";
      };
    };
  };

  ###### implementation

  config = lib.mkIf cfg.enable {

    assertions = [
      {
        assertion = cfg.pcap != cfg.nfqueue;
        message = "either pcap or nfqueue can be enabled, not both.";
      }
      {
        assertion = cfg.nfqueue -> !cfg.dump.enable;
        message = "dump can only be used with nfqueue.";
      }
      {
        assertion = cfg.interfaces != [ ];
        message = "at least one interface must be specified.";
      }
    ];

    environment.systemPackages = [ haka ];

    systemd.services.haka = {
      description = "Haka";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${haka}/bin/haka -c ${hakaConf}";
        ExecStop = "${haka}/bin/hakactl stop";
        User = "root";
        Type = "forking";
      };
    };
  };
}

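--- a/nixos/tests/haka.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-# This test runs haka and probes it with hakactl
-
-import ./make-test-python.nix (
-  { pkgs, ... }:
-  {
-    name = "haka";
-    meta = with pkgs.lib.maintainers; {
-      maintainers = [ tvestelind ];
-    };
-
-    nodes = {
-      haka =
-        { ... }:
-        {
-          services.haka.enable = true;
-        };
-    };
-
-    testScript = ''
-      start_all()
-
-      haka.wait_for_unit("haka.service")
-      haka.succeed("hakactl status")
-      haka.succeed("hakactl stop")
-    '';
-  }
-)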