
soarca: init at 1.1.0-beta-1-unstable-2024-12-19
13621 committed Dec 25, 2024
1 parent e7d1fdf commit 05ec7ab
Showing 6 changed files with 214 additions and 0 deletions.
2 changes: 2 additions & 0 deletions nixos/doc/manual/release-notes/rl-2505.section.md
Expand Up @@ -44,6 +44,8 @@

- [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).

- [SOARCA](https://github.com/COSSAS/SOARCA), an open source CACAO-based security orchestrator. Available as [services.soarca](options.html#opt-services.soarca.enable).

- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).

- [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable).
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -1365,6 +1365,7 @@
./services/security/physlock.nix
./services/security/shibboleth-sp.nix
./services/security/sks.nix
./services/security/soarca.nix
./services/security/sshguard.nix
./services/security/sslmate-agent.nix
./services/security/step-ca.nix
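--- a/nixos/modules/services/security/soarca.nix
+++ b/nixos/modules/services/security/soarca.nix
@@ -0,0 +1,117 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+
+let
+cfg = config.services.soarca;
+in
+{
+options.services.soarca = {
+enable = lib.mkEnableOption "SOARCA";
+package = lib.mkPackageOption pkgs "soarca" { };
+
+settings = lib.mkOption {
+type = lib.types.submodule {
+freeformType =
+with lib.types;
+attrsOf (
+nullOr (oneOf [
+bool
+int
+str
+])
+);
+options = { };
+};
+default = { };
+example = {
+PORT = 9000;
+GIN_MODE = "release";
+DATABASE = false;
+};
+description = ''
+See [the wiki](https://cossas.github.io/SOARCA/docs/installation-configuration/) for available settings.
+'';
+};
+
+user = lib.mkOption {
+type = lib.types.str;
+default = "soarca";
+description = "User under which SOARCA will run.";
+};
+
+group = lib.mkOption {
+type = lib.types.str;
+default = "soarca";
+description = "Group under which SOARCA will run.";
+};
+};
+
+config = lib.mkIf cfg.enable {
+systemd.packages = [ cfg.package ];
+
+systemd.services.soarca = {
+description = "SOARCA Service";
+wantedBy = [ "multi-user.target" ];
+restartIfChanged = true;
+
+environment = lib.mapAttrs (
+_: v: if lib.isBool v then lib.boolToString v else toString v
+) cfg.settings;
+
+serviceConfig = {
+User = cfg.user;
+Group = cfg.group;
+ExecStart = "${lib.getExe cfg.package}";
+Restart = "on-failure";
+RestartSec = "5";
+
+# hardening
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+PrivateUsers = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+ProtectSystem = "strict";
+ProtectHome = "true";
+ProtectProc = "invisible";
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"~@clock @swap @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation"
+];
+CapabilityBoundingSet = [ "" ];
+RestrictNamespaces = true;
+ProcSubset = "pid";
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+];
+};
+};
+
+users.users = lib.optionalAttrs (cfg.user == "soarca") {
+soarca = {
+group = cfg.group;
+isNormalUser = true;
+};
+};
+
+users.groups = lib.optionalAttrs (cfg.group == "soarca") {
+soarca = { };
+};
+};
+
+meta.maintainers = with lib.maintainers; [ _13621 ];
+}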
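Review bot: The service account created in the `users.users` block near the end of the module is declared with `isNormalUser = true;`, which gives a daemon a regular-range UID, a login shell and a /home/soarca directory; NixOS service modules use `isSystemUser = true;` for this, and it also matches the unit's `ProtectHome` setting. In serviceConfig, `ProtectHome = "true";` is the only hardening key written as a string rather than a bool (`ProtectHome = true;`), and `restartIfChanged = true;` restates the default. The unit runs under `ProtectSystem = "strict"` with no `StateDirectory`, so the process can only write to its private /tmp; if SOARCA persists anything on disk this will show up as a permission error at runtime rather than at evaluation time, so it is worth checking the upstream configuration docs and adding `StateDirectory = "soarca";` if needed.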
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
Expand Up @@ -949,6 +949,7 @@ in {
snapper = handleTest ./snapper.nix {};
snipe-it = runTest ./web-apps/snipe-it.nix;
soapui = handleTest ./soapui.nix {};
soarca = handleTest ./soarca.nix {};
soft-serve = handleTest ./soft-serve.nix {};
sogo = handleTest ./sogo.nix {};
soju = handleTest ./soju.nix {};
22 changes: 22 additions & 0 deletions nixos/tests/soarca.nix
@@ -0,0 +1,22 @@
import ./make-test-python.nix (
{ lib, pkgs, ... }:
{
name = "soarca";
meta.maintainers = with lib.maintainers; [ _13621 ];

nodes.machine = {
services.soarca = {
package = pkgs.soarca;
enable = true;
settings.PORT = 8475;
};
};

testScript = ''
machine.wait_for_unit("soarca.service")
machine.wait_for_open_port(8475)
machine.succeed("curl --fail http://localhost:8475/status/ping | grep 'pong'")
'';
}
)
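Review bot: `package = pkgs.soarca;` in nodes.machine restates the default that the module's `mkPackageOption` already provides, so it can be dropped. The check on the last line of testScript pipes `curl --fail` into grep, so curl's own exit status is discarded and the test only passes or fails on whether `pong` appears; keeping the assertion in Python makes the failure mode explicit: `out = machine.succeed("curl --fail --silent http://localhost:8475/status/ping")` followed by `assert "pong" in out, out`.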
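--- a/pkgs/by-name/so/soarca/package.nix
+++ b/pkgs/by-name/so/soarca/package.nix
@@ -0,0 +1,71 @@
+{
+lib,
+buildGoModule,
+fetchFromGitHub,
+go-swag,
+nixosTests,
+nix-update-script,
+}:
+
+buildGoModule {
+pname = "soarca";
+version = "1.1.0-beta-1-unstable-2024-12-19";
+
+src = fetchFromGitHub {
+owner = "COSSAS";
+repo = "SOARCA";
+rev = "fe560ac6d5c7b372c81cec16937782758a089f26";
+hash = "sha256-4QN6zx2TajUIERH+YqmuNUb/ZbJHUWKrHdrOiyHXsWc=";
+};
+
+vendorHash = "sha256-pATXKcPbAvh8Hsa3v2TkQq8AqN+RVNirT1OegdShWwQ=";
+
+ldflags = [
+"-s"
+"-w"
+];
+
+preBuild = ''
+mkdir -p api
+${lib.getExe go-swag} init -g cmd/soarca/main.go -o api
+'';
+
+checkFlags =
+let
+skippedTests = [
+# require internet access
+"TestHttpConnection"
+"TestHttpOAuth2"
+"TestHttpBasicAuth"
+"TestHttpBearerToken"
+"TestHttpPostWithContentConnection"
+"TestHttpPostWithBase64ContentConnection"
+"TestHttpPostConnection"
+"TestHttpPutConnection"
+"TestHttpDeleteConnection"
+"TestHttpStatus200"
+"TestHttpGetConnection"
+"TestInsecureHTTPConnection"
+"TestSshConnection"
+"TestConnect" # times out
+# integrations
+"TestPowershellConnection"
+"TestTheHiveConnection"
+"TestTheHiveReporting"
+];
+in
+[ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
+
+passthru = {
+tests.soarca = nixosTests.soarca;
+updateScript = nix-update-script { };
+};
+
+meta = {
+description = "Open Source CACAO-based Security Orchestrator";
+homepage = "https://github.com/COSSAS/SOARCA";
+license = lib.licenses.asl20;
+maintainers = with lib.maintainers; [ _13621 ];
+mainProgram = "soarca";
+};
+}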
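Review bot: `version` is an `-unstable-<date>` snapshot pinned by `rev`, but `updateScript = nix-update-script { };` in passthru will look for release tags rather than follow the pinned branch; for commit-pinned snapshots nixpkgs normally passes `nix-update-script { extraArgs = [ "--version" "branch" ]; }` (confirm which upstream branch is intended). The skip list in checkFlags is anchored with `^…$` per name, which is good; a `meta.changelog` pointing at upstream releases would also help whoever reviews the next bump of the pinned rev and hashes.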
