commit 5897ff97e265d7257c124138884d071a00fcade4 · pyrox.dev/nixpkgs

+17 -28

nixos/modules/services/security/paretosecurity.nix

···

       14
       14
        
       

     

       15
       15
        
         config = lib.mkIf config.services.paretosecurity.enable {

     

       16
       16
        
           environment.systemPackages = [ config.services.paretosecurity.package ];

     

       17
       17
       +
           systemd.packages = [ config.services.paretosecurity.package ];

     

       17
       18
        
       

     

       18
       18
       -
           systemd.sockets."paretosecurity" = {

     

       19
       19
       -
             wantedBy = [ "sockets.target" ];

     

       20
       20
       -
             socketConfig = {

     

       21
       21
       -
               ListenStream = "/var/run/paretosecurity.sock";

     

       22
       22
       -
               SocketMode = "0666";

     

       19
       19
       +
           # In traditional Linux distributions, systemd would read the [Install] section from

     

       20
       20
       +
           # unit files and automatically create the appropriate symlinks to enable services.

     

       21
       21
       +
           # However, in NixOS, due to its immutable nature and the way the Nix store works,

     

       22
       22
       +
           # the [Install] sections are not processed during system activation. Instead, we

     

       23
       23
       +
           # must explicitly tell NixOS which units to enable by specifying their target

     

       24
       24
       +
           # dependencies here. This creates the necessary symlinks in the proper locations.

     

       25
       25
       +
           systemd.sockets.paretosecurity.wantedBy = [ "sockets.target" ];

     

       26
       26
       +
       

     

       27
       27
       +
           # Enable the tray icon and timer services if the trayIcon option is enabled

     

       28
       28
       +
           systemd.user = lib.mkIf config.services.paretosecurity.trayIcon {

     

       29
       29
       +
             services.paretosecurity-trayicon = {

     

       30
       30
       +
               wantedBy = [ "graphical-session.target" ];

     

       23
       31
        
             };

     

       24
       24
       -
           };

     

       25
       25
       -
       

     

       26
       26
       -
           systemd.services."paretosecurity" = {

     

       27
       27
       -
             serviceConfig = {

     

       28
       28
       -
               ExecStart = "${config.services.paretosecurity.package}/bin/paretosecurity helper";

     

       29
       29
       -
               User = "root";

     

       30
       30
       -
               Group = "root";

     

       31
       31
       -
               StandardInput = "socket";

     

       32
       32
       -
               Type = "oneshot";

     

       33
       33
       -
               RemainAfterExit = "no";

     

       34
       34
       -
               StartLimitInterval = "1s";

     

       35
       35
       -
               StartLimitBurst = 100;

     

       36
       36
       -
               ProtectSystem = "full";

     

       37
       37
       -
               ProtectHome = true;

     

       38
       38
       -
               StandardOutput = "journal";

     

       39
       39
       -
               StandardError = "journal";

     

       32
       32
       +
             services.paretosecurity-user = {

     

       33
       33
       +
               wantedBy = [ "graphical-session.target" ];

     

       40
       34
        
             };

     

       41
       41
       -
           };

     

       42
       42
       -
       

     

       43
       43
       -
           systemd.user.services."paretosecurity-trayicon" = lib.mkIf config.services.paretosecurity.trayIcon {

     

       44
       44
       -
             wantedBy = [ "graphical-session.target" ];

     

       45
       45
       -
             serviceConfig = {

     

       46
       46
       -
               ExecStart = "${config.services.paretosecurity.package}/bin/paretosecurity trayicon";

     

       35
       35
       +
             timers.paretosecurity-user = {

     

       36
       36
       +
               wantedBy = [ "timers.target" ];

     

       47
       37
        
             };

     

       48
       38
        
           };

     

       49
       49
       -
       

     

       50
       39
        
         };

     

       51
       40
        
       }

+68 -3

nixos/tests/paretosecurity.nix

···

       4
       4
        
         meta.maintainers = [ lib.maintainers.zupo ];

     

       5
       5
        
       

     

       6
       6
        
         nodes.terminal =

     

       7
       7
       -
           { config, pkgs, ... }:

     

       7
       7
       +
           {

     

       8
       8
       +
             config,

     

       9
       9
       +
             pkgs,

     

       10
       10
       +
             lib,

     

       11
       11
       +
             ...

     

       12
       12
       +
           }:

     

       13
       13
       +
           let

     

       14
       14
       +
             # Create a patched version of the package that points to the local dashboard

     

       15
       15
       +
             # for easier testing

     

       16
       16
       +
             patchedPareto = pkgs.paretosecurity.overrideAttrs (oldAttrs: {

     

       17
       17
       +
               postPatch = ''

     

       18
       18
       +
                 substituteInPlace team/report.go \

     

       19
       19
       +
                   --replace-warn 'const reportURL = "https://dash.paretosecurity.com"' \

     

       20
       20
       +
                                  'const reportURL = "http://dashboard"'

     

       21
       21
       +
               '';

     

       22
       22
       +
             });

     

       23
       23
       +
           in

     

       8
       24
        
           {

     

       9
       25
        
             imports = [ ./common/user-account.nix ];

     

       10
       26
        
       

     

       11
       11
       -
             services.paretosecurity.enable = true;

     

       27
       27
       +
             services.paretosecurity = {

     

       28
       28
       +
               enable = true;

     

       29
       29
       +
               package = patchedPareto;

     

       30
       30
       +
             };

     

       31
       31
       +
       

     

       32
       32
       +
           };

     

       33
       33
       +
       

     

       34
       34
       +
         nodes.dashboard =

     

       35
       35
       +
           { config, pkgs, ... }:

     

       36
       36
       +
           {

     

       37
       37
       +
             networking.firewall.allowedTCPPorts = [ 80 ];

     

       38
       38
       +
       

     

       39
       39
       +
             services.nginx = {

     

       40
       40
       +
               enable = true;

     

       41
       41
       +
               virtualHosts."dashboard" = {

     

       42
       42
       +
                 locations."/api/v1/team/".extraConfig = ''

     

       43
       43
       +
                   add_header Content-Type application/json;

     

       44
       44
       +
                   return 200 '{"message": "Linked device."}';

     

       45
       45
       +
                 '';

     

       46
       46
       +
               };

     

       47
       47
       +
             };

     

       12
       48
        
           };

     

       13
       49
        
       

     

       14
       50
        
         nodes.xfce =

     
···

       38
       74
        
         enableOCR = true;

     

       39
       75
        
       

     

       40
       76
        
         testScript = ''

     

       77
       77
       +
           # Test setup

     

       78
       78
       +
           terminal.succeed("su - alice -c 'mkdir -p /home/alice/.config'")

     

       79
       79
       +
           for m in [terminal, dashboard]:

     

       80
       80
       +
             m.systemctl("start network-online.target")

     

       81
       81
       +
             m.wait_for_unit("network-online.target")

     

       82
       82
       +
       

     

       83
       83
       +
           # Test 1: Test the systemd socket is installed & enabled

     

       84
       84
       +
           terminal.succeed('systemctl is-enabled paretosecurity.socket')

     

       85
       85
       +
       

     

       86
       86
       +
           # Test 2: Test running checks

     

       41
       87
        
           terminal.succeed(

     

       42
       42
       -
             "su -- alice -c 'paretosecurity check"

     

       88
       88
       +
             "su - alice -c 'paretosecurity check"

     

       43
       89
        
             # Disable some checks that need intricate test setup so that this test

     

       44
       90
        
             # remains simple and fast. Tests for all checks and edge cases available

     

       45
       91
        
             # at https://github.com/ParetoSecurity/agent/tree/main/test/integration

     
···

       48
       94
        
             + " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb"  # Disk encryption

     

       49
       95
        
             + " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e"  # Pareto Security is up to date

     

       50
       96
        
             + " --skip f962c423-fdf5-428a-a57a-827abc9b253e"  # Password manager installed

     

       97
       97
       +
             + " --skip 2e46c89a-5461-4865-a92e-3b799c12034a"  # Firewall is enabled

     

       51
       98
        
             + "'"

     

       52
       99
        
           )

     

       53
       100
        
       

     

       101
       101
       +
           # Test 3: Test linking

     

       102
       102
       +
           terminal.succeed("su - alice -c 'paretosecurity link"

     

       103
       103
       +
           + " paretosecurity://enrollTeam/?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."

     

       104
       104
       +
           + "eyJ0b2tlbiI6ImR1bW15LXRva2VuIiwidGVhbUlEIjoiZHVtbXktdGVhbS1pZCIsImlhdCI6"

     

       105
       105
       +
           + "MTcwMDAwMDAwMCwiZXhwIjoxOTAwMDAwMDAwfQ.WgnL6_S0EBJHwF1wEVUG8GtIcoVvK5IjWbZpUeZr4Qw'")

     

       106
       106
       +
       

     

       107
       107
       +
           config = terminal.succeed("cat /home/alice/.config/pareto.toml")

     

       108
       108
       +
           assert 'AuthToken = "dummy-token"' in config

     

       109
       109
       +
           assert 'TeamID = "dummy-team-id"' in config

     

       110
       110
       +
       

     

       111
       111
       +
           # Test 4: Test the tray icon

     

       54
       112
        
           xfce.wait_for_x()

     

       113
       113
       +
           for unit in [

     

       114
       114
       +
               'paretosecurity-trayicon',

     

       115
       115
       +
               'paretosecurity-user',

     

       116
       116
       +
               'paretosecurity-user.timer'

     

       117
       117
       +
           ]:

     

       118
       118
       +
               status, out = xfce.systemctl("is-enabled " + unit, "alice")

     

       119
       119
       +
               assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}"

     

       55
       120
        
           xfce.succeed("xdotool mousemove 850 10")

     

       56
       121
        
           xfce.wait_for_text("Pareto Security")

     

       57
       122
        
           xfce.succeed("xdotool click 1")

+23 -9

pkgs/by-name/pa/paretosecurity/package.nix

···

       9
       9
        
       

     

       10
       10
        
       buildGoModule rec {

     

       11
       11
        
         pname = "paretosecurity";

     

       12
       12
       -
         version = "0.0.91";

     

       12
       12
       +
         version = "0.0.96";

     

       13
       13
        
       

     

       14
       14
        
         src = fetchFromGitHub {

     

       15
       15
        
           owner = "ParetoSecurity";

     

       16
       16
        
           repo = "agent";

     

       17
       17
        
           rev = version;

     

       18
       18
       -
           hash = "sha256-/kGwV96Jp7U08jh/wPQMcoV48zQe9ixY7gpNdtFyOkk=";

     

       18
       18
       +
           hash = "sha256-SyeIGSDvrnOvyOJ0zC8CulpaMa+iZeRaMTJUSydz2tw=";

     

       19
       19
        
         };

     

       20
       20
        
       

     

       21
       21
       -
         vendorHash = "sha256-kGrYoN0dGcSuQW47Y4LUFdHQYAoY74NOM1LLPdhmLhc=";

     

       21
       21
       +
         vendorHash = "sha256-O/OF3Y6HiiikMxf657k9eIM7UfkicIImAUxVVf/TgR8=";

     

       22
       22
        
         proxyVendor = true;

     

       23
       23
        
       

     

       24
       24
       -
         subPackages = [

     

       25
       25
       -
           "cmd/paretosecurity"

     

       26
       26
       -
         ];

     

       27
       27
       -
       

     

       28
       24
        
         ldflags = [

     

       29
       25
        
           "-s"

     

       30
       26
        
           "-X=github.com/ParetoSecurity/agent/shared.Version=${version}"

     
···

       32
       28
        
           "-X=github.com/ParetoSecurity/agent/shared.Date=1970-01-01T00:00:00Z"

     

       33
       29
        
         ];

     

       34
       30
        
       

     

       31
       31
       +
         postInstall = ''

     

       32
       32
       +
           # Install global systemd files

     

       33
       33
       +
           install -Dm400 ${src}/apt/paretosecurity.socket $out/lib/systemd/system/paretosecurity.socket

     

       34
       34
       +
           install -Dm400 ${src}/apt/paretosecurity.service $out/lib/systemd/system/paretosecurity.service

     

       35
       35
       +
           substituteInPlace $out/lib/systemd/system/paretosecurity.service \

     

       36
       36
       +
               --replace-fail "/usr/bin/paretosecurity" "$out/bin/paretosecurity"

     

       37
       37
       +
       

     

       38
       38
       +
           # Install user systemd files

     

       39
       39
       +
           install -Dm444 ${src}/apt/paretosecurity-user.timer $out/lib/systemd/user/paretosecurity-user.timer

     

       40
       40
       +
           install -Dm444 ${src}/apt/paretosecurity-user.service $out/lib/systemd/user/paretosecurity-user.service

     

       41
       41
       +
           substituteInPlace $out/lib/systemd/user/paretosecurity-user.service \

     

       42
       42
       +
               --replace-fail "/usr/bin/paretosecurity" "$out/bin/paretosecurity"

     

       43
       43
       +
           install -Dm444 ${src}/apt/paretosecurity-trayicon.service $out/lib/systemd/user/paretosecurity-trayicon.service

     

       44
       44
       +
           substituteInPlace $out/lib/systemd/user/paretosecurity-trayicon.service \

     

       45
       45
       +
               --replace-fail "/usr/bin/paretosecurity" "$out/bin/paretosecurity"

     

       46
       46
       +
         '';

     

       47
       47
       +
       

     

       35
       48
        
         passthru.tests = {

     

       36
       49
        
           version = testers.testVersion {

     

       37
       50
        
             version = "${version}";

     
···

       50
       63
        
             settings such as if you have disk encryption and firewall enabled.

     

       51
       64
        
       

     

       52
       65
        
             If you use the `services.paretosecurity` NixOS module, you also get a

     

       53
       53
       -
             root helper, so that you can run the checker in userspace. Some checks

     

       66
       66
       +
             root helper that allows you to run the checker in userspace. Some checks

     

       54
       67
        
             require root permissions, and the checker asks the helper to run those.

     

       55
       68
        
       

     

       56
       69
        
             Additionally, if you enable `services.paretosecurity.trayIcon`, you get a

     

       57
       70
        
             little Vilfredo Pareto living in your systray showing your the current

     

       58
       58
       -
             status of checks.

     

       71
       71
       +
             status of checks. This will also enable a systemd timer to update the

     

       72
       72
       +
             status of checks once per hour.

     

       59
       73
        
       

     

       60
       74
        
             Finally, you can run `paretosecurity link` to configure the agent

     

       61
       75
        
             to send the status of checks to https://dash.paretosecurity.com to make