commit 6a1a2fe204da4d45a0d03fe636228ba42265cb79 · pyrox.dev/nixpkgs

+77 -3

nixos/modules/services/security/paretosecurity.nix

···

       17
       17
        
             default = true;

     

       18
       18
        
             description = "Set to false to disable the tray icon and run as a CLI tool only.";

     

       19
       19
        
           };

     

       20
       20
       +
           users = lib.mkOption {

     

       21
       21
       +
             type = lib.types.attrsOf (

     

       22
       22
       +
               lib.types.submodule {

     

       23
       23
       +
                 options = {

     

       24
       24
       +
                   inviteId = lib.mkOption {

     

       25
       25
       +
                     type = lib.types.str;

     

       26
       26
       +
                     description = ''

     

       27
       27
       +
                       A unique ID that links the agent to Pareto Cloud.

     

       28
       28
       +
                       Get it from the Join Team page on `https://cloud.paretosecurity.com/team/join/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

     

       29
       29
       +
                       In Step 2, under Linux tab, enter your email then copy it from the generated command.

     

       30
       30
       +
                     '';

     

       31
       31
       +
                     example = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";

     

       32
       32
       +
                   };

     

       33
       33
       +
                 };

     

       34
       34
       +
               }

     

       35
       35
       +
             );

     

       36
       36
       +
             default = { };

     

       37
       37
       +
             description = "Per-user Pareto Security configuration.";

     

       38
       38
       +
           };

     

       20
       39
        
         };

     

       21
       40
        
       

     

       22
       41
        
         config = lib.mkIf cfg.enable {

     
···

       38
       57
        
           # if one is installed.

     

       39
       58
        
           # The `paretosecurity-user` timer service that is configured lower has

     

       40
       59
        
           # the same need.

     

       41
       41
       -
           systemd.services.paretosecurity.serviceConfig.Environment = [

     

       42
       42
       -
             "PATH=${config.system.path}/bin:${config.system.path}/sbin"

     

       43
       43
       -
           ];

     

       60
       60
       +
           systemd.services = {

     

       61
       61
       +
             paretosecurity.serviceConfig.Environment = [

     

       62
       62
       +
               "PATH=${config.system.path}/bin:${config.system.path}/sbin"

     

       63
       63
       +
             ];

     

       64
       64
       +
           }

     

       65
       65
       +
           // (

     

       66
       66
       +
       

     

       67
       67
       +
             # Each user can set their inviteID, which creates a systemd service

     

       68
       68
       +
             # that runs `paretosecurity link ...` to link their device to Pareto Cloud.

     

       69
       69
       +
             lib.mapAttrs' (

     

       70
       70
       +
               username: userConfig:

     

       71
       71
       +
               lib.nameValuePair "paretosecurity-link-${username}" {

     

       72
       72
       +
                 description = "Link Pareto Desktop to Pareto Cloud for user ${username}";

     

       73
       73
       +
                 after = [ "network-online.target" ];

     

       74
       74
       +
                 wants = [ "network-online.target" ];

     

       75
       75
       +
       

     

       76
       76
       +
                 serviceConfig = {

     

       77
       77
       +
                   Type = "oneshot";

     

       78
       78
       +
                   RemainAfterExit = true;

     

       79
       79
       +
                   User = username;

     

       80
       80
       +
                   StateDirectory = "paretosecurity/${username}";

     

       81
       81
       +
       

     

       82
       82
       +
                   ExecStart = pkgs.writeShellScript "paretosecurity-link-${username}" ''

     

       83
       83
       +
                     set -euo pipefail

     

       84
       84
       +
       

     

       85
       85
       +
                     INVITE_ID="${userConfig.inviteId}"

     

       86
       86
       +
                     STATE_FILE="/var/lib/paretosecurity/${username}/linked-$INVITE_ID"

     

       87
       87
       +
                     CONFIG_FILE="$HOME/.config/pareto.toml"

     

       88
       88
       +
       

     

       89
       89
       +
                     # Check if already linked with this specific invite

     

       90
       90
       +
                     if [ -f "$STATE_FILE" ]; then

     

       91
       91
       +
                       echo "Device already linked with invite $INVITE_ID for user ${username}"

     

       92
       92
       +
                       exit 0

     

       93
       93
       +
                     fi

     

       94
       94
       +
       

     

       95
       95
       +
                     # Ensure config directory exists

     

       96
       96
       +
                     mkdir -p "$(dirname "$CONFIG_FILE")"

     

       97
       97
       +
       

     

       98
       98
       +
                     # Perform linking

     

       99
       99
       +
                     echo "Linking device to Pareto Cloud for user ${username}..."

     

       100
       100
       +
                     ${cfg.package}/bin/paretosecurity link \

     

       101
       101
       +
                       "paretosecurity://linkDevice/?invite_id=$INVITE_ID"

     

       102
       102
       +
       

     

       103
       103
       +
                     # Verify linking succeeded

     

       104
       104
       +
                     if [ -f "$CONFIG_FILE" ] && grep -q "TeamID" "$CONFIG_FILE"; then

     

       105
       105
       +
                       echo "Successfully linked to Pareto Cloud for user ${username}"

     

       106
       106
       +
                       touch "$STATE_FILE"

     

       107
       107
       +
                     else

     

       108
       108
       +
                       echo "Failed to link to Pareto Cloud for user ${username}"

     

       109
       109
       +
                       exit 1

     

       110
       110
       +
                     fi

     

       111
       111
       +
                   '';

     

       112
       112
       +
                 };

     

       113
       113
       +
       

     

       114
       114
       +
                 wantedBy = [ "multi-user.target" ];

     

       115
       115
       +
               }

     

       116
       116
       +
             ) cfg.users

     

       117
       117
       +
           );

     

       44
       118
        
       

     

       45
       119
        
           # Enable the tray icon and timer services if the trayIcon option is enabled

     

       46
       120
        
           systemd.user = lib.mkIf cfg.trayIcon {

+44 -38

nixos/tests/paretosecurity.nix

···

       9
       9
        
             imports = [ ./common/user-account.nix ];

     

       10
       10
        
       

     

       11
       11
        
             services.paretosecurity.enable = true;

     

       12
       12
       -
       

     

       12
       12
       +
             services.paretosecurity.users.alice.inviteId = "test-invite-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";

     

       13
       13
        
           };

     

       14
       14
        
       

     

       15
       15
        
         nodes.xfce =

     
···

       46
       46
        
           terminal.systemctl("start network-online.target")

     

       47
       47
        
           terminal.wait_for_unit("network-online.target")

     

       48
       48
        
       

     

       49
       49
       -
           # Test 1: Test the systemd socket is installed & enabled

     

       50
       50
       -
           terminal.succeed('systemctl is-enabled paretosecurity.socket')

     

       49
       49
       +
           with subtest("Test the systemd socket is installed & enabled"):

     

       50
       50
       +
             terminal.succeed('systemctl is-enabled paretosecurity.socket')

     

       51
       51
        
       

     

       52
       52
       -
           # Test 2: Test running checks

     

       53
       53
       -
           terminal.succeed(

     

       54
       54
       -
             "su - alice -c 'paretosecurity check"

     

       55
       55
       -
             # Disable some checks that need intricate test setup so that this test

     

       56
       56
       -
             # remains simple and fast. Tests for all checks and edge cases available

     

       57
       57
       -
             # at https://github.com/ParetoSecurity/agent/tree/main/test/integration

     

       58
       58
       -
             + " --skip c96524f2-850b-4bb9-abc7-517051b6c14e"  # SecureBoot

     

       59
       59
       -
             + " --skip 37dee029-605b-4aab-96b9-5438e5aa44d8"  # Screen lock

     

       60
       60
       -
             + " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb"  # Disk encryption

     

       61
       61
       -
             + " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e"  # Pareto Security is up to date

     

       62
       62
       -
             + " --skip f962c423-fdf5-428a-a57a-827abc9b253e"  # Password manager installed

     

       63
       63
       -
             + "'"

     

       64
       64
       -
           )

     

       52
       52
       +
           with subtest("Test running checks"):

     

       53
       53
       +
             terminal.succeed(

     

       54
       54
       +
               "su - alice -c 'paretosecurity check"

     

       55
       55
       +
               # Disable some checks that need intricate test setup so that this test

     

       56
       56
       +
               # remains simple and fast. Tests for all checks and edge cases available

     

       57
       57
       +
               # at https://github.com/ParetoSecurity/agent/tree/main/test/integration

     

       58
       58
       +
               + " --skip c96524f2-850b-4bb9-abc7-517051b6c14e"  # SecureBoot

     

       59
       59
       +
               + " --skip 37dee029-605b-4aab-96b9-5438e5aa44d8"  # Screen lock

     

       60
       60
       +
               + " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb"  # Disk encryption

     

       61
       61
       +
               + " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e"  # Pareto Security is up to date

     

       62
       62
       +
               + " --skip f962c423-fdf5-428a-a57a-827abc9b253e"  # Password manager installed

     

       63
       63
       +
               + "'"

     

       64
       64
       +
             )

     

       65
       65
        
       

     

       66
       66
       -
           # Test 3: Test the tray icon

     

       67
       67
       -
           xfce.wait_for_x()

     

       68
       68
       -
           for unit in [

     

       69
       69
       -
               'paretosecurity-trayicon',

     

       70
       70
       -
               'paretosecurity-user',

     

       71
       71
       -
               'paretosecurity-user.timer'

     

       72
       72
       -
           ]:

     

       73
       73
       -
               status, out = xfce.systemctl("is-enabled " + unit, "alice")

     

       74
       74
       -
               assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}"

     

       75
       75
       -
           xfce.succeed("xdotool mousemove 460 10")

     

       76
       76
       -
           xfce.wait_for_text("Pareto Security")

     

       77
       77
       -
           xfce.succeed("xdotool click 1")

     

       78
       78
       -
           xfce.wait_for_text("Run Checks")

     

       66
       66
       +
           with subtest("Test linking to Pareto Cloud"):

     

       67
       67
       +
             # The linking service will fail because there is no Internet,

     

       68
       68
       +
             # but we can check that it tried

     

       69
       69
       +
             terminal.succeed('systemctl list-units --type=service | grep paretosecurity-link-alice')

     

       70
       70
       +
             terminal.succeed('journalctl -u paretosecurity-link-alice.service | grep "Linking device to Pareto Cloud for user alice"')

     

       71
       71
       +
       

     

       72
       72
       +
           with subtest("Test 3: Test the tray icon"):

     

       73
       73
       +
             xfce.wait_for_x()

     

       74
       74
       +
             for unit in [

     

       75
       75
       +
                 'paretosecurity-trayicon',

     

       76
       76
       +
                 'paretosecurity-user',

     

       77
       77
       +
                 'paretosecurity-user.timer'

     

       78
       78
       +
             ]:

     

       79
       79
       +
                 status, out = xfce.systemctl("is-enabled " + unit, "alice")

     

       80
       80
       +
                 assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}"

     

       81
       81
       +
             xfce.succeed("xdotool mousemove 460 10")

     

       82
       82
       +
             xfce.wait_for_text("Pareto Security")

     

       83
       83
       +
             xfce.succeed("xdotool click 1")

     

       84
       84
       +
             xfce.wait_for_text("Run Checks")

     

       79
       85
        
       

     

       80
       80
       -
           # Test 4: Desktop entry

     

       81
       81
       -
           xfce.succeed("xdotool mousemove 10 10")

     

       82
       82
       -
           xfce.succeed("xdotool click 1")  # hide the tray icon window

     

       83
       83
       -
           xfce.succeed("xdotool click 1")  # show the Applications menu

     

       84
       84
       -
           xfce.succeed("xdotool mousemove 10 200")

     

       85
       85
       -
           xfce.succeed("xdotool click 1")

     

       86
       86
       -
           xfce.wait_for_text("Pareto Security")

     

       86
       86
       +
           with subtest("Test 4: Desktop entry"):

     

       87
       87
       +
             xfce.succeed("xdotool mousemove 10 10")

     

       88
       88
       +
             xfce.succeed("xdotool click 1")  # hide the tray icon window

     

       89
       89
       +
             xfce.succeed("xdotool click 1")  # show the Applications menu

     

       90
       90
       +
             xfce.succeed("xdotool mousemove 10 200")

     

       91
       91
       +
             xfce.succeed("xdotool click 1")

     

       92
       92
       +
             xfce.wait_for_text("Pareto Security")

     

       87
       93
        
       

     

       88
       88
       -
           # Test 5: paretosecurity:// URL handler is registered

     

       89
       89
       -
           xfce.succeed("su - alice -c 'xdg-open paretosecurity://foo'")

     

       94
       94
       +
           with subtest("Test 5: paretosecurity:// URL handler is registered"):

     

       95
       95
       +
             xfce.succeed("su - alice -c 'xdg-open paretosecurity://foo'")

     

       90
       96
        
         '';

     

       91
       97
        
       }

+12 -8

pkgs/by-name/pa/paretosecurity/package.nix

···

       78
       78
        
         };

     

       79
       79
        
       

     

       80
       80
        
         meta = {

     

       81
       81
       -
           description = "Agent that makes sure your laptop is correctly configured for security";

     

       81
       81
       +
           description = "A simple trayicon app that makes sure your laptop is correctly configured for security";

     

       82
       82
        
           longDescription = ''

     

       83
       83
       -
             The Pareto Security agent is a free and open source app to help you make

     

       84
       84
       -
             sure that your laptop is configured for security.

     

       83
       83
       +
             [Pareto Desktop](https://paretosecurity.com/linux) is a free and open

     

       84
       84
       +
             source trayicon app to help you configure your laptop for security. It

     

       85
       85
       +
             nudges you to take care of 20% of security-related tasks that bring 80% of

     

       86
       86
       +
             protection.

     

       85
       87
        
       

     

       86
       86
       -
             By default, it's a CLI command that prints out a report on basic security

     

       87
       87
       -
             settings such as if you have disk encryption and firewall enabled.

     

       88
       88
       +
             In it's simplest form, it's a CLI command that prints out a report on basic

     

       89
       89
       +
             security settings such as if you have disk encryption and firewall enabled.

     

       88
       90
        
       

     

       89
       91
        
             If you use the `services.paretosecurity` NixOS module, you also get a

     

       90
       92
        
             root helper that allows you to run the checker in userspace. Some checks

     
···

       96
       98
        
             once per hour. If you want to use just the CLI mode, set

     

       97
       99
        
             `services.paretosecurity.trayIcon` to `false`.

     

       98
       100
        
       

     

       99
       99
       -
             Finally, you can run `paretosecurity link` to configure the agent

     

       100
       100
       -
             to send the status of checks to https://dash.paretosecurity.com to make

     

       101
       101
       -
             compliance people happy. No sending happens until your device is linked.

     

       101
       101
       +
             Finally, if you set `users.users.alice.paretosecurity.inviteId = "..."`

     

       102
       102
       +
             to the `inviteId` you get on [Pareto Cloud](https://cloud.paretosecurity.com/),

     

       103
       103
       +
             then Pareto Desktop acts as a read-only and push-only agent that sends the

     

       104
       104
       +
             status of checks to https://cloud.paretosecurity.com which makes

     

       105
       105
       +
             compliance people happy and your privacy intact.

     

       102
       106
        
           '';

     

       103
       107
        
           homepage = "https://github.com/ParetoSecurity/agent";

     

       104
       108
        
           license = lib.licenses.gpl3Only;