lol

nixos/opensnitch: add test

+70 -3
+1
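--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -571,6 +571,7 @@
 openresty-lua = handleTest ./openresty-lua.nix {};
 opensmtpd = handleTest ./opensmtpd.nix {};
 opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
+opensnitch = handleTest ./opensnitch.nix {};
 openssh = handleTest ./openssh.nix {};
 octoprint = handleTest ./octoprint.nix {};
 openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {};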
+62
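--- a/nixos/tests/opensnitch.nix
+++ b/nixos/tests/opensnitch.nix
@@ -0,0 +1,62 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+name = "opensnitch";
+
+meta = with pkgs.lib.maintainers; {
+maintainers = [ onny ];
+};
+
+nodes = {
+server =
+{ ... }: {
+networking.firewall.allowedTCPPorts = [ 80 ];
+services.caddy = {
+enable = true;
+virtualHosts."localhost".extraConfig = ''
+respond "Hello, world!"
+'';
+};
+};
+
+clientBlocked =
+{ ... }: {
+services.opensnitch = {
+enable = true;
+settings.DefaultAction = "deny";
+};
+};
+
+clientAllowed =
+{ ... }: {
+services.opensnitch = {
+enable = true;
+settings.DefaultAction = "deny";
+rules = {
+opensnitch = {
+name = "curl";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type ="simple";
+sensitive = false;
+operand = "process.path";
+data = "${pkgs.curl}/bin/curl";
+};
+};
+};
+};
+};
+};
+
+testScript = ''
+start_all()
+server.wait_for_unit("caddy.service")
+server.wait_for_open_port(80)
+
+clientBlocked.wait_for_unit("opensnitchd.service")
+clientBlocked.fail("curl http://server")
+
+clientAllowed.wait_for_unit("opensnitchd.service")
+clientAllowed.succeed("curl http://server")
+'';
+})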
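Review bot: `clientBlocked.fail("curl http://server")` in testScript passes on any non-zero curl exit, so a name-resolution or network-startup failure would look the same as OpenSnitch denying the connection, and with no time limit a silently dropped connection may wait for curl's default connect timeout. In the other direction, `clientAllowed.succeed("curl http://server")` would also pass if the daemon were not intercepting yet, because `wait_for_unit("opensnitchd.service")` only shows that the unit is active; whether rules are loaded at that point is not visible from this file. Consider bounding the request, e.g. `clientBlocked.fail("curl --max-time 10 http://server")`, and adding `--fail` on the allowed side so an HTTP error status is not counted as success. A negative check on clientAllowed using a binary other than the `process.path` named in the allow rule would additionally show that default-deny still applies on that node and that the rule is scoped to curl only.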
+7 -3
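--- a/pkgs/tools/networking/opensnitch/daemon.nix
+++ b/pkgs/tools/networking/opensnitch/daemon.nix
@@ -13,6 +13,7 @@
 , protoc-gen-go-grpc
 , testers
 , opensnitch
+, nixosTests
 }:
 
 buildGoModule rec {
@@ -69,9 +70,12 @@
 --prefix PATH : ${lib.makeBinPath [ iptables ]}
 '';
 
-passthru.tests.version = testers.testVersion {
-package = opensnitch;
-command = "opensnitchd -version";
+passthru.tests = {
+inherit (nixosTests) opensnitch;
+version = testers.testVersion {
+package = opensnitch;
+command = "opensnitchd -version";
+};
 };
 
 meta = with lib; {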