
paretosecurity: 0.0.91 -> 0.0.96 (#393366)

authored by

Domen Kožar and committed by
GitHub
5897ff97 965f2f0e

+108 -40
+17 -28
nixos/modules/services/security/paretosecurity.nix
··· 14 14 15 15 config = lib.mkIf config.services.paretosecurity.enable { 16 16 environment.systemPackages = [ config.services.paretosecurity.package ]; 17 + systemd.packages = [ config.services.paretosecurity.package ]; 17 18 18 - systemd.sockets."paretosecurity" = { 19 - wantedBy = [ "sockets.target" ]; 20 - socketConfig = { 21 - ListenStream = "/var/run/paretosecurity.sock"; 22 - SocketMode = "0666"; 19 + # In traditional Linux distributions, systemd would read the [Install] section from 20 + # unit files and automatically create the appropriate symlinks to enable services. 21 + # However, in NixOS, due to its immutable nature and the way the Nix store works, 22 + # the [Install] sections are not processed during system activation. Instead, we 23 + # must explicitly tell NixOS which units to enable by specifying their target 24 + # dependencies here. This creates the necessary symlinks in the proper locations. 25 + systemd.sockets.paretosecurity.wantedBy = [ "sockets.target" ]; 26 + 27 + # Enable the tray icon and timer services if the trayIcon option is enabled 28 + systemd.user = lib.mkIf config.services.paretosecurity.trayIcon { 29 + services.paretosecurity-trayicon = { 30 + wantedBy = [ "graphical-session.target" ]; 23 31 }; 24 - }; 25 - 26 - systemd.services."paretosecurity" = { 27 - serviceConfig = { 28 - ExecStart = "${config.services.paretosecurity.package}/bin/paretosecurity helper"; 29 - User = "root"; 30 - Group = "root"; 31 - StandardInput = "socket"; 32 - Type = "oneshot"; 33 - RemainAfterExit = "no"; 34 - StartLimitInterval = "1s"; 35 - StartLimitBurst = 100; 36 - ProtectSystem = "full"; 37 - ProtectHome = true; 38 - StandardOutput = "journal"; 39 - StandardError = "journal"; 32 + services.paretosecurity-user = { 33 + wantedBy = [ "graphical-session.target" ]; 40 34 }; 41 - }; 42 - 43 - systemd.user.services."paretosecurity-trayicon" = lib.mkIf config.services.paretosecurity.trayIcon { 44 - wantedBy = [ "graphical-session.target" ]; 45 - 
serviceConfig = { 46 - ExecStart = "${config.services.paretosecurity.package}/bin/paretosecurity trayicon"; 35 + timers.paretosecurity-user = { 36 + wantedBy = [ "timers.target" ]; 47 37 }; 48 38 }; 49 - 50 39 }; 51 40 }
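Review bot: Switching to `systemd.packages` means the root helper's sandboxing now comes from the vendored `apt/paretosecurity.service`, which is not visible in this hunk, while the module drops the `ProtectSystem = "full"`, `ProtectHome = true` and `SocketMode = "0666"` it used to pin explicitly (removed lines 19-39). The helper is by design reachable from unprivileged sessions, so the module should keep those guarantees independent of what upstream ships, e.g. `systemd.services.paretosecurity.serviceConfig = { ProtectSystem = "full"; ProtectHome = true; };` next to the `wantedBy` on new line 25, with a comment such as `# ExecStart and the socket path are inherited from the package's unit files; only the hardening is pinned here`. The NixOS test could then assert the effective values with `systemctl show paretosecurity.service -p ProtectSystem,ProtectHome`. The enclosing `config = lib.mkIf …` attrset opens at the top of the hunk; the option declarations sit above it, outside the hunk.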
+68 -3
nixos/tests/paretosecurity.nix
··· 4 4 meta.maintainers = [ lib.maintainers.zupo ]; 5 5 6 6 nodes.terminal = 7 - { config, pkgs, ... }: 7 + { 8 + config, 9 + pkgs, 10 + lib, 11 + ... 12 + }: 13 + let 14 + # Create a patched version of the package that points to the local dashboard 15 + # for easier testing 16 + patchedPareto = pkgs.paretosecurity.overrideAttrs (oldAttrs: { 17 + postPatch = '' 18 + substituteInPlace team/report.go \ 19 + --replace-warn 'const reportURL = "https://dash.paretosecurity.com"' \ 20 + 'const reportURL = "http://dashboard"' 21 + ''; 22 + }); 23 + in 8 24 { 9 25 imports = [ ./common/user-account.nix ]; 10 26 11 - services.paretosecurity.enable = true; 27 + services.paretosecurity = { 28 + enable = true; 29 + package = patchedPareto; 30 + }; 31 + 32 + }; 33 + 34 + nodes.dashboard = 35 + { config, pkgs, ... }: 36 + { 37 + networking.firewall.allowedTCPPorts = [ 80 ]; 38 + 39 + services.nginx = { 40 + enable = true; 41 + virtualHosts."dashboard" = { 42 + locations."/api/v1/team/".extraConfig = '' 43 + add_header Content-Type application/json; 44 + return 200 '{"message": "Linked device."}'; 45 + ''; 46 + }; 47 + }; 12 48 }; 13 49 14 50 nodes.xfce = ··· 38 74 enableOCR = true; 39 75 40 76 testScript = '' 77 + # Test setup 78 + terminal.succeed("su - alice -c 'mkdir -p /home/alice/.config'") 79 + for m in [terminal, dashboard]: 80 + m.systemctl("start network-online.target") 81 + m.wait_for_unit("network-online.target") 82 + 83 + # Test 1: Test the systemd socket is installed & enabled 84 + terminal.succeed('systemctl is-enabled paretosecurity.socket') 85 + 86 + # Test 2: Test running checks 41 87 terminal.succeed( 42 - "su -- alice -c 'paretosecurity check" 88 + "su - alice -c 'paretosecurity check" 43 89 # Disable some checks that need intricate test setup so that this test 44 90 # remains simple and fast. 
Tests for all checks and edge cases available 45 91 # at https://github.com/ParetoSecurity/agent/tree/main/test/integration ··· 48 94 + " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb" # Disk encryption 49 95 + " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e" # Pareto Security is up to date 50 96 + " --skip f962c423-fdf5-428a-a57a-827abc9b253e" # Password manager installed 97 + + " --skip 2e46c89a-5461-4865-a92e-3b799c12034a" # Firewall is enabled 51 98 + "'" 52 99 ) 53 100 101 + # Test 3: Test linking 102 + terminal.succeed("su - alice -c 'paretosecurity link" 103 + + " paretosecurity://enrollTeam/?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." 104 + + "eyJ0b2tlbiI6ImR1bW15LXRva2VuIiwidGVhbUlEIjoiZHVtbXktdGVhbS1pZCIsImlhdCI6" 105 + + "MTcwMDAwMDAwMCwiZXhwIjoxOTAwMDAwMDAwfQ.WgnL6_S0EBJHwF1wEVUG8GtIcoVvK5IjWbZpUeZr4Qw'") 106 + 107 + config = terminal.succeed("cat /home/alice/.config/pareto.toml") 108 + assert 'AuthToken = "dummy-token"' in config 109 + assert 'TeamID = "dummy-team-id"' in config 110 + 111 + # Test 4: Test the tray icon 54 112 xfce.wait_for_x() 113 + for unit in [ 114 + 'paretosecurity-trayicon', 115 + 'paretosecurity-user', 116 + 'paretosecurity-user.timer' 117 + ]: 118 + status, out = xfce.systemctl("is-enabled " + unit, "alice") 119 + assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}" 55 120 xfce.succeed("xdotool mousemove 850 10") 56 121 xfce.wait_for_text("Pareto Security") 57 122 xfce.succeed("xdotool click 1")
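Review bot: The `substituteInPlace … --replace-warn` in `patchedPareto` (new lines 17-21) only warns if `const reportURL = "https://dash.paretosecurity.com"` stops matching, so a future upstream rename would leave the test agent pointing at the real dashboard and the linking step would fail (or pass for the wrong reason) without saying why; use `--replace-fail` there, as the package derivation already does for the unit files, so the mismatch is caught at build time. Test 3 also only checks that `pareto.toml` was written, and the nginx mock answers 200 to anything under `/api/v1/team/`, so if `link` tolerates a failed report nothing confirms the agent actually reached `dashboard` — asserting on the access log, e.g. `dashboard.wait_until_succeeds("grep -q '/api/v1/team/' /var/log/nginx/access.log")`, would close that gap. The inline JWT on lines 103-105 is a fixture with throwaway claims; a one-line comment saying it is signed with a dummy key and carries no real credential would save the next reader a scan for leaked secrets.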
+23 -9
pkgs/by-name/pa/paretosecurity/package.nix
··· 9 9 10 10 buildGoModule rec { 11 11 pname = "paretosecurity"; 12 - version = "0.0.91"; 12 + version = "0.0.96"; 13 13 14 14 src = fetchFromGitHub { 15 15 owner = "ParetoSecurity"; 16 16 repo = "agent"; 17 17 rev = version; 18 - hash = "sha256-/kGwV96Jp7U08jh/wPQMcoV48zQe9ixY7gpNdtFyOkk="; 18 + hash = "sha256-SyeIGSDvrnOvyOJ0zC8CulpaMa+iZeRaMTJUSydz2tw="; 19 19 }; 20 20 21 - vendorHash = "sha256-kGrYoN0dGcSuQW47Y4LUFdHQYAoY74NOM1LLPdhmLhc="; 21 + vendorHash = "sha256-O/OF3Y6HiiikMxf657k9eIM7UfkicIImAUxVVf/TgR8="; 22 22 proxyVendor = true; 23 23 24 - subPackages = [ 25 - "cmd/paretosecurity" 26 - ]; 27 - 28 24 ldflags = [ 29 25 "-s" 30 26 "-X=github.com/ParetoSecurity/agent/shared.Version=${version}" ··· 32 28 "-X=github.com/ParetoSecurity/agent/shared.Date=1970-01-01T00:00:00Z" 33 29 ]; 34 30 31 + postInstall = '' 32 + # Install global systemd files 33 + install -Dm400 ${src}/apt/paretosecurity.socket $out/lib/systemd/system/paretosecurity.socket 34 + install -Dm400 ${src}/apt/paretosecurity.service $out/lib/systemd/system/paretosecurity.service 35 + substituteInPlace $out/lib/systemd/system/paretosecurity.service \ 36 + --replace-fail "/usr/bin/paretosecurity" "$out/bin/paretosecurity" 37 + 38 + # Install user systemd files 39 + install -Dm444 ${src}/apt/paretosecurity-user.timer $out/lib/systemd/user/paretosecurity-user.timer 40 + install -Dm444 ${src}/apt/paretosecurity-user.service $out/lib/systemd/user/paretosecurity-user.service 41 + substituteInPlace $out/lib/systemd/user/paretosecurity-user.service \ 42 + --replace-fail "/usr/bin/paretosecurity" "$out/bin/paretosecurity" 43 + install -Dm444 ${src}/apt/paretosecurity-trayicon.service $out/lib/systemd/user/paretosecurity-trayicon.service 44 + substituteInPlace $out/lib/systemd/user/paretosecurity-trayicon.service \ 45 + --replace-fail "/usr/bin/paretosecurity" "$out/bin/paretosecurity" 46 + ''; 47 + 35 48 passthru.tests = { 36 49 version = testers.testVersion { 37 50 version = "${version}"; ··· 50 63 
settings such as if you have disk encryption and firewall enabled. 51 64 52 65 If you use the `services.paretosecurity` NixOS module, you also get a 53 - root helper, so that you can run the checker in userspace. Some checks 66 + root helper that allows you to run the checker in userspace. Some checks 54 67 require root permissions, and the checker asks the helper to run those. 55 68 56 69 Additionally, if you enable `services.paretosecurity.trayIcon`, you get a 57 70 little Vilfredo Pareto living in your systray showing your the current 58 - status of checks. 71 + status of checks. This will also enable a systemd timer to update the 72 + status of checks once per hour. 59 73 60 74 Finally, you can run `paretosecurity link` to configure the agent 61 75 to send the status of checks to https://dash.paretosecurity.com to make
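Review bot: Dropping `subPackages = [ "cmd/paretosecurity" ]` (removed lines 24-26) makes `buildGoModule` build and install every `main` package in the module, so `$out/bin` may now carry binaries beyond `paretosecurity` that land on every user's PATH through `environment.systemPackages`; if the change was only needed so `postInstall` can reach `${src}/apt/`, keep `subPackages` as it was, otherwise document which extra commands are expected. The install modes are inconsistent — `-Dm400` for the system units versus `-Dm444` for the user units — and the Nix store normalises both to 0444 anyway, so the 0400 gives no protection and only suggests the units were meant to be unreadable; `-Dm444` throughout is clearer. The unit files are copied from upstream unmodified apart from the `ExecStart` path, so whatever sandboxing they carry is not reviewable from this derivation.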