Merge staging-next into staging

nixos/tests/all-tests.nix

@@ -322,6 +322,7 @@ in {
   fancontrol = handleTest ./fancontrol.nix {};
   fanout = handleTest ./fanout.nix {};
   fcitx5 = handleTest ./fcitx5 {};
+  fedimintd = runTest ./fedimintd.nix;
   fenics = handleTest ./fenics.nix {};
   ferm = handleTest ./ferm.nix {};
   ferretdb = handleTest ./ferretdb.nix {};
@@ -942,6 +943,7 @@ in {
   sudo = handleTest ./sudo.nix {};
   sudo-rs = handleTest ./sudo-rs.nix {};
   sunshine = handleTest ./sunshine.nix {};
+  suricata = handleTest ./suricata.nix {};
   suwayomi-server = handleTest ./suwayomi-server.nix {};
   swap-file-btrfs = handleTest ./swap-file-btrfs.nix {};
   swap-partition = handleTest ./swap-partition.nix {};

nixos/tests/fedimintd.nix

@@ -0,0 +1,37 @@
+# This test runs the fedimintd and verifies that it starts
+
+{ pkgs, ... }:
+
+{
+  name = "fedimintd";
+
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ dpc ];
+  };
+
+  nodes.machine =
+    { ... }:
+    {
+      services.fedimintd."mainnet" = {
+        enable = true;
+        p2p = {
+          url = "fedimint://example.com";
+        };
+        api = {
+          url = "wss://example.com";
+        };
+        environment = {
+          "FM_REL_NOTES_ACK" = "0_4_xyz";
+        };
+      };
+    };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
+
+      machine.wait_for_unit("fedimintd-mainnet.service")
+      machine.wait_for_open_port(${toString nodes.machine.services.fedimintd.mainnet.api.port})
+    '';
+}

nixos/tests/suricata.nix

@@ -0,0 +1,86 @@
+import ./make-test-python.nix (
+  { lib, pkgs, ... }:
+  {
+    name = "suricata";
+    meta.maintainers = with lib.maintainers; [ felbinger ];
+
+    nodes = {
+      ids = {
+        imports = [
+          ../modules/profiles/minimal.nix
+          ../modules/services/networking/suricata/default.nix
+        ];
+
+        networking.interfaces.eth1 = {
+          useDHCP = false;
+          ipv4.addresses = [
+            {
+              address = "192.168.1.2";
+              prefixLength = 24;
+            }
+          ];
+        };
+
+        # disable suricata-update because this requires an Internet connection
+        systemd.services.suricata-update.enable = false;
+
+        # install suricata package to make suricatasc program available
+        environment.systemPackages = with pkgs; [ suricata ];
+
+        services.suricata = {
+          enable = true;
+          settings = {
+            vars.address-groups.HOME_NET = "192.168.1.0/24";
+            unix-command.enabled = true;
+            outputs = [ { fast.enabled = true; } ];
+            af-packet = [ { interface = "eth1"; } ];
+            classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
+          };
+        };
+
+        # create suricata.rules with the rule to detect the output of the id command
+        systemd.tmpfiles.rules = [
+          ''f /var/lib/suricata/rules/suricata.rules 644 suricata suricata 0 alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)''
+        ];
+      };
+      helper = {
+        imports = [ ../modules/profiles/minimal.nix ];
+
+        networking.interfaces.eth1 = {
+          useDHCP = false;
+          ipv4.addresses = [
+            {
+              address = "192.168.1.1";
+              prefixLength = 24;
+            }
+          ];
+        };
+
+        services.nginx = {
+          enable = true;
+          virtualHosts."localhost".locations = {
+            "/id/".return = "200 'uid=0(root) gid=0(root) groups=0(root)'";
+          };
+        };
+        networking.firewall.allowedTCPPorts = [ 80 ];
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      # check that configuration has been applied correctly with suricatasc
+      with subtest("suricata configuration test"):
+          ids.wait_for_unit("suricata.service")
+          assert '1' in ids.succeed("suricatasc -c 'iface-list' | ${pkgs.jq}/bin/jq .message.count")
+
+      # test detection of events based on a static ruleset (output of id command)
+      with subtest("suricata rule test"):
+          helper.wait_for_unit("nginx.service")
+          ids.wait_for_unit("suricata.service")
+
+          ids.succeed("curl http://192.168.1.1/id/")
+          assert "id check returned root [**] [Classification: Potentially Bad Traffic]" in ids.succeed("tail -n 1 /var/log/suricata/fast.log"), "Suricata didn't detect the output of id comment"
+    '';
+  }
+)