import ./make-test-python.nix (
  { pkgs, lib, ... }:
  let
    # Process-monitoring backends exercised by this test. One "blocked" and one
    # "allowed" client node is generated per method so every backend is covered.
    monitorMethods = [
      "ebpf"
      "proc"
      "ftrace"
      "audit"
    ];

    # opensnitch settings shared by every client node: the daemon is enabled,
    # uses the given process-monitor backend, and denies any connection that no
    # rule explicitly allows.
    clientBase = m: {
      enable = true;
      settings.DefaultAction = "deny";
      settings.ProcMonitorMethod = m;
    };

    # Clients without any rule: every outbound connection falls through to the
    # "deny" default.
    blockedClients = lib.listToAttrs (
      lib.forEach monitorMethods (
        m: lib.nameValuePair "client_blocked_${m}" { services.opensnitch = clientBase m; }
      )
    );

    # Clients with exactly one allow rule, matched on the full path of the curl
    # binary from this nixpkgs ("process.path"). Everything else stays denied.
    allowedClients = lib.listToAttrs (
      lib.forEach monitorMethods (
        m:
        lib.nameValuePair "client_allowed_${m}" {
          services.opensnitch = clientBase m // {
            rules.curl = {
              name = "curl";
              enabled = true;
              action = "allow";
              duration = "always";
              operator = {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = "${pkgs.curl}/bin/curl";
              };
            };
          };
        }
      )
    );
  in
  {
    name = "opensnitch";

    meta = with pkgs.lib.maintainers; {
      maintainers = [ onny ];
    };

    nodes = {
      # Plain HTTP target on port 80 that the clients try to reach.
      server = {
        networking.firewall.allowedTCPPorts = [ 80 ];
        services.caddy = {
          enable = true;
          virtualHosts."localhost".extraConfig = ''
            respond "Hello, world!"
          '';
        };
      };
    }
    // blockedClients
    // allowedClients;

    # Bring the server up first, then check each client pair: the rule-less
    # client must not reach the server, the client with the curl allow rule must.
    # NOTE(review): the "blocked" check is satisfied by any curl failure, not only
    # by an opensnitch verdict; only the "allowed" node demonstrates the path to
    # the server actually works.
    testScript =
      ''
        start_all()
        server.wait_for_unit("caddy.service")
        server.wait_for_open_port(80)
      ''
      + lib.concatLines (
        lib.forEach monitorMethods (m: ''
          client_blocked_${m}.wait_for_unit("opensnitchd.service")
          client_blocked_${m}.fail("curl http://server")

          client_allowed_${m}.wait_for_unit("opensnitchd.service")
          client_allowed_${m}.succeed("curl http://server")
        '')
      );
  }
)