1 import ./make-test-python.nix ({ pkgs, ... }: {
2   name = "opensnitch";
4   meta = with pkgs.lib.maintainers; {
5     maintainers = [ onny ];
6   };
8   nodes = {
9     server =
10       { ... }: {
11         networking.firewall.allowedTCPPorts = [ 80 ];
12         services.caddy = {
13           enable = true;
14           virtualHosts."localhost".extraConfig = ''
15             respond "Hello, world!"
16           '';
17         };
18       };
20     clientBlocked =
21       { ... }: {
22         services.opensnitch = {
23           enable = true;
24           settings.DefaultAction = "deny";
25         };
26       };
28     clientAllowed =
29       { ... }: {
30         services.opensnitch = {
31           enable = true;
32           settings.DefaultAction = "deny";
33           rules = {
34             curl = {
35               name = "curl";
36               enabled = true;
37               action = "allow";
38               duration = "always";
39               operator = {
40                 type ="simple";
41                 sensitive = false;
42                 operand = "process.path";
43                 data = "${pkgs.curl}/bin/curl";
44               };
45             };
46           };
47         };
48       };
49   };
51   testScript = ''
52     start_all()
53     server.wait_for_unit("caddy.service")
54     server.wait_for_open_port(80)
56     clientBlocked.wait_for_unit("opensnitchd.service")
57     clientBlocked.fail("curl http://server")
59     clientAllowed.wait_for_unit("opensnitchd.service")
60     clientAllowed.succeed("curl http://server")
61   '';