# NixOS integration test for opensnitch: with DefaultAction = "deny", an
# outbound curl is blocked on a client without rules and permitted on a client
# that carries one explicit "allow" rule scoped to the curl binary's path.
import ./make-test-python.nix ({ pkgs, ... }:
let
  # Path the "allow" rule is scoped to; any other process on clientAllowed is
  # still subject to the deny-by-default policy.
  curlBin = "${pkgs.curl}/bin/curl";

  # Shared opensnitch base shared by both clients: daemon on, deny by default.
  opensnitchDenyByDefault = {
    enable = true;
    settings.DefaultAction = "deny";
  };
in
{
  name = "opensnitch";

  meta.maintainers = [ pkgs.lib.maintainers.onny ];

  nodes = {
    # Plain HTTP endpoint both clients try to reach on port 80.
    server = { ... }: {
      networking.firewall.allowedTCPPorts = [ 80 ];
      services.caddy = {
        enable = true;
        virtualHosts."localhost".extraConfig = ''
          respond "Hello, world!"
        '';
      };
    };

    # No rules at all: the deny default alone must stop curl.
    clientBlocked = { ... }: {
      services.opensnitch = opensnitchDenyByDefault;
    };

    # Same deny default plus one persistent allow rule keyed on the exact
    # process path of curl (`sensitive = false` presumably disables
    # case-sensitive matching — verify against the opensnitch rule docs).
    clientAllowed = { ... }: {
      services.opensnitch = opensnitchDenyByDefault // {
        rules.opensnitch = {
          name = "curl";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = curlBin;
          };
        };
      };
    };
  };

  # NOTE(review): `fail()` only asserts a non-zero exit status, so a DNS or link
  # failure on clientBlocked would satisfy it just as a policy deny would;
  # confirming the block via the daemon's own deny log would pin the cause.
  testScript = ''
    start_all()
    server.wait_for_unit("caddy.service")
    server.wait_for_open_port(80)

    clientBlocked.wait_for_unit("opensnitchd.service")
    clientBlocked.fail("curl http://server")

    clientAllowed.wait_for_unit("opensnitchd.service")
    clientAllowed.succeed("curl http://server")
  '';
})