Merge pull request #248011 from onny/opensnitch-test
nixos/opensnitch: add test
This commit is contained in:
commit
46d051737d
3 changed files with 70 additions and 3 deletions
|
@ -573,6 +573,7 @@ in {
|
|||
openresty-lua = handleTest ./openresty-lua.nix {};
|
||||
opensmtpd = handleTest ./opensmtpd.nix {};
|
||||
opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
|
||||
opensnitch = handleTest ./opensnitch.nix {};
|
||||
openssh = handleTest ./openssh.nix {};
|
||||
octoprint = handleTest ./octoprint.nix {};
|
||||
openstack-image-metadata = (handleTestOn ["x86_64-linux"] ./openstack-image.nix {}).metadata or {};
|
||||
|
|
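--- /dev/null
+++ b/nixos/tests/opensnitch.nix
@@ -0,0 +1,62 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+name = "opensnitch";
+
+meta = with pkgs.lib.maintainers; {
+maintainers = [ onny ];
+};
+
+nodes = {
+server =
+{ ... }: {
+networking.firewall.allowedTCPPorts = [ 80 ];
+services.caddy = {
+enable = true;
+virtualHosts."localhost".extraConfig = ''
+respond "Hello, world!"
+'';
+};
+};
+
+clientBlocked =
+{ ... }: {
+services.opensnitch = {
+enable = true;
+settings.DefaultAction = "deny";
+};
+};
+
+clientAllowed =
+{ ... }: {
+services.opensnitch = {
+enable = true;
+settings.DefaultAction = "deny";
+rules = {
+opensnitch = {
+name = "curl";
+enabled = true;
+action = "allow";
+duration = "always";
+operator = {
+type ="simple";
+sensitive = false;
+operand = "process.path";
+data = "${pkgs.curl}/bin/curl";
+};
+};
+};
+};
+};
+};
+
+testScript = ''
+start_all()
+server.wait_for_unit("caddy.service")
+server.wait_for_open_port(80)
+
+clientBlocked.wait_for_unit("opensnitchd.service")
+clientBlocked.fail("curl http://server")
+
+clientAllowed.wait_for_unit("opensnitchd.service")
+clientAllowed.succeed("curl http://server")
+'';
+})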
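Review bot: `clientBlocked.fail("curl http://server")` in the new testScript runs curl with no timeout, so if opensnitch enforces DefaultAction = "deny" by dropping the connection attempt rather than rejecting it, the negative case will sit for curl's default connect timeout before the assertion can complete; `clientBlocked.fail("curl --connect-timeout 10 http://server")` keeps that bounded. fail() also accepts any non-zero exit, so a name-resolution or routing failure on that node would be indistinguishable from a block — the clientAllowed node only shows resolution works under its own configuration, so a stricter check would capture curl's exit status with execute() and assert it is a connect failure rather than a resolve failure. Since both clients deny by default, the pair does demonstrate enforcement, but nothing shows the allow rule is actually scoped to `${pkgs.curl}/bin/curl`; a second client-side fetch through a different process path that is expected to fail on clientAllowed would pin that down. Minor style: `type ="simple";` should read `type = "simple";` to match the surrounding attribute spacing.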
|
@ -13,6 +13,7 @@
|
|||
, protoc-gen-go-grpc
|
||||
, testers
|
||||
, opensnitch
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
|
@ -69,9 +70,12 @@ buildGoModule rec {
|
|||
--prefix PATH : ${lib.makeBinPath [ iptables ]}
|
||||
'';
|
||||
|
||||
passthru.tests.version = testers.testVersion {
|
||||
package = opensnitch;
|
||||
command = "opensnitchd -version";
|
||||
passthru.tests = {
|
||||
inherit (nixosTests) opensnitch;
|
||||
version = testers.testVersion {
|
||||
package = opensnitch;
|
||||
command = "opensnitchd -version";
|
||||
};
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
|
|