paretosecurity: 0.0.96 -> 0.1.3

Also: * Fix PATH for systemd services * Make UI tests faster and more robust by setting low resolution
2025-07-13 21:50:33 +03:00 · 2025-04-03 20:25:28 +01:00 · 2025-04-03 20:25:28 +01:00 · 3c6b1cf6f6
commit 3c6b1cf6f6
parent f5146fbf1d
3 changed files with 26 additions and 5 deletions
--- a/nixos/modules/services/security/paretosecurity.nix
+++ b/nixos/modules/services/security/paretosecurity.nix
@ -24,6 +24,17 @@
    # dependencies here. This creates the necessary symlinks in the proper locations.
    systemd.sockets.paretosecurity.wantedBy = [ "sockets.target" ];

+    # In NixOS, systemd services are configured with minimal PATH. However,
+    # paretosecurity helper looks for installed software to do its job, so
+    # it needs the full system PATH. For example, it runs `iptables` to see if
+    # firewall is configured. And it looks for various password managers to see
+    # if one is installed.
+    # The `paretosecurity-user` timer service that is configured lower has
+    # the same need.
+    systemd.services.paretosecurity.serviceConfig.Environment = [
+      "PATH=${config.system.path}/bin:${config.system.path}/sbin"
+    ];
+
    # Enable the tray icon and timer services if the trayIcon option is enabled
    systemd.user = lib.mkIf config.services.paretosecurity.trayIcon {
      services.paretosecurity-trayicon = {
@ -31,6 +42,9 @@
      };
      services.paretosecurity-user = {
        wantedBy = [ "graphical-session.target" ];
+        serviceConfig.Environment = [
+          "PATH=${config.system.path}/bin:${config.system.path}/sbin"
+        ];
      };
      timers.paretosecurity-user = {
        wantedBy = [ "timers.target" ];
--- a/nixos/tests/paretosecurity.nix
+++ b/nixos/tests/paretosecurity.nix
@ -29,6 +29,8 @@
        package = patchedPareto;
      };

+      networking.firewall.enable = true;
+
    };

  nodes.dashboard =
@ -64,6 +66,12 @@
      services.displayManager.autoLogin = {
        enable = true;
        user = "alice";
+
+      };
+
+      virtualisation.resolution = {
+        x = 640;
+        y = 480;
      };

      environment.systemPackages = [ pkgs.xdotool ];
@ -94,7 +102,6 @@
      + " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb"  # Disk encryption
      + " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e"  # Pareto Security is up to date
      + " --skip f962c423-fdf5-428a-a57a-827abc9b253e"  # Password manager installed
-      + " --skip 2e46c89a-5461-4865-a92e-3b799c12034a"  # Firewall is enabled
      + "'"
    )

@ -117,7 +124,7 @@
    ]:
        status, out = xfce.systemctl("is-enabled " + unit, "alice")
        assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}"
-    xfce.succeed("xdotool mousemove 850 10")
+    xfce.succeed("xdotool mousemove 460 10")
    xfce.wait_for_text("Pareto Security")
    xfce.succeed("xdotool click 1")
    xfce.wait_for_text("Run Checks")
--- a/pkgs/by-name/pa/paretosecurity/package.nix
+++ b/pkgs/by-name/pa/paretosecurity/package.nix
@ -9,16 +9,16 @@

 buildGoModule rec {
  pname = "paretosecurity";
-  version = "0.0.96";
+  version = "0.1.3";

  src = fetchFromGitHub {
    owner = "ParetoSecurity";
    repo = "agent";
    rev = version;
-    hash = "sha256-SyeIGSDvrnOvyOJ0zC8CulpaMa+iZeRaMTJUSydz2tw=";
+    hash = "sha256-ovyfHqLCf5U3UR1HfoA+UQhqLZ6IaILcpqptPRQsb60=";
  };

-  vendorHash = "sha256-O/OF3Y6HiiikMxf657k9eIM7UfkicIImAUxVVf/TgR8=";
+  vendorHash = "sha256-7mKAFkKGpBOjXc3J/sfF3k3pJF53tFybXZgbfJInuSY=";
  proxyVendor = true;

  ldflags = [