From 428499777a5f248d826d024c8dc459ad07818ad7 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sun, 22 Jun 2025 15:08:21 +0200
Subject: [PATCH 1/6] linuxPackages.opensnitch-ebpf: add passthru test
---
 pkgs/os-specific/linux/opensnitch-ebpf/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/os-specific/linux/opensnitch-ebpf/default.nix b/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
index d9461b2b0aed..abcd1d85ecb5 100644
--- a/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
+++ b/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
@@ -9,6 +9,7 @@ bison, bc, opensnitch, + nixosTests, }: stdenv.mkDerivation rec {
@@ -58,6 +59,10 @@ stdenv.mkDerivation rec { done ''; + passthru.tests = { inherit (nixosTests) opensnitch; }; + meta = with lib; { description = "eBPF process monitor module for OpenSnitch"; homepage = "https://github.com/evilsocket/opensnitch";
From 5ecc335091a0eef4f154841457ea5dae88f40858 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sun, 22 Jun 2025 15:08:48 +0200
Subject: [PATCH 2/6] linuxPackages.opensnitch-ebpf: add grimmauld to maintainers
---
 pkgs/os-specific/linux/opensnitch-ebpf/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/opensnitch-ebpf/default.nix b/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
index abcd1d85ecb5..f7557a0c9ca2 100644
--- a/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
+++ b/pkgs/os-specific/linux/opensnitch-ebpf/default.nix
@@ -67,7 +67,10 @@ stdenv.mkDerivation rec { description = "eBPF process monitor module for OpenSnitch"; homepage = "https://github.com/evilsocket/opensnitch"; license = licenses.gpl3Only; - maintainers = with maintainers; [ onny ]; + maintainers = with maintainers; [ onny grimmauld ]; platforms = platforms.linux; }; }
From 8c8cb412f0939c45e8aa826366e6a83c55d4d47a Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sun, 22 Jun 2025 15:10:27 +0200
Subject: [PATCH 3/6] nixos/opensnitch: add grimmauld to maintainers
---
 nixos/modules/services/security/opensnitch.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix
index 7695231226bf..9680974951df 100644
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix
@@ -251,5 +251,8 @@ in }; - meta.maintainers = with lib.maintainers; [ onny ]; + meta.maintainers = with lib.maintainers; [ onny grimmauld ]; }
From 7a048320f73faf90f068344a862accf22c08ea18 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Fri, 29 Aug 2025 18:43:44 +0200
Subject: [PATCH 4/6] nixos/opensnitch: add audit to service if audit backend is selected
---
 nixos/modules/services/security/opensnitch.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix
index 9680974951df..26c015a8107e 100644
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix
@@ -197,10 +197,16 @@ in ) ); + security.auditd = lib.mkIf (cfg.settings.ProcMonitorMethod == "audit") { enable = true; plugins.af_unix.active = true; }; + systemd = { packages = [ cfg.package ]; services.opensnitchd = { wantedBy = [ "multi-user.target" ]; + path = lib.optionals (cfg.settings.ProcMonitorMethod == "audit") [ pkgs.audit ]; serviceConfig = { ExecStart = let
@@ -210,7 +216,7 @@ in in [ "" - "${cfg.package}/bin/opensnitchd --config-file ${format.generate "default-config.json" preparedSettings}" + "${lib.getExe' cfg.package "opensnitchd"} --config-file ${format.generate "default-config.json" preparedSettings}" ]; }; preStart = lib.mkIf (cfg.rules != { }) (
From 53b59eeee49b310d7f574002064a3ddd0ab52840 Mon Sep 17 00:00:00 2001
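Review bot: `cfg.settings.ProcMonitorMethod == "audit"` is spelled out twice in the first hunk of patch 4, once for `security.auditd` and once for the unit's `path`; binding it once, e.g. `useAudit = cfg.settings.ProcMonitorMethod == "audit";` in the module's existing `let` (the `in` visible as hunk context) and writing `lib.mkIf useAudit` / `lib.optionals useAudit`, keeps the two sites from drifting apart. The new `security.auditd` block also deserves a comment stating its user-visible effect, since choosing the audit backend now turns on the system-wide auditd daemon and its af_unix dispatcher plugin, e.g. `# Selecting the audit backend enables auditd plus its af_unix plugin (presumably the event source opensnitchd consumes; confirm).` — the same fact belongs in the `ProcMonitorMethod` option description outside the hunk. Because that plugin republishes the audit event stream over a unix socket, the comment should also say that the socket's default ownership and mode are relied on and must not be loosened. Neither `pkgs` nor the `security.auditd.plugins.af_unix` option is shown in scope by the hunk; worth confirming both exist at the module's nixpkgs revision.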
From: Grimmauld
Date: Fri, 29 Aug 2025 18:44:27 +0200
Subject: [PATCH 5/6] nixos/tests/audit: reduce log level to reduce spam
---
 nixos/tests/opensnitch.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/tests/opensnitch.nix b/nixos/tests/opensnitch.nix
index 4a62bbb1e8c2..14689adf47a4 100644
--- a/nixos/tests/opensnitch.nix
+++ b/nixos/tests/opensnitch.nix
@@ -33,7 +33,7 @@ in enable = true; settings.DefaultAction = "deny"; settings.ProcMonitorMethod = m; - settings.LogLevel = 0; + settings.LogLevel = 1; }; } ) monitorMethods
@@ -46,7 +46,7 @@ in enable = true; settings.DefaultAction = "deny"; settings.ProcMonitorMethod = m; - settings.LogLevel = 0; + settings.LogLevel = 1; rules = { curl = { name = "curl";
From 584d4e417ee6f388163f9b2a4a872eec54b49d11 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Fri, 29 Aug 2025 18:45:16 +0200
Subject: [PATCH 6/6] nixos/tests/opensnitch: assert ebpf modules are loaded successfully
---
 nixos/tests/opensnitch.nix | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/nixos/tests/opensnitch.nix b/nixos/tests/opensnitch.nix
index 14689adf47a4..0e97717f45bd 100644
--- a/nixos/tests/opensnitch.nix
+++ b/nixos/tests/opensnitch.nix
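Review bot: `settings.LogLevel = 1` is a bare number in both hunks of patch 5; a trailing comment naming the level, e.g. `settings.LogLevel = 1; # INFO — 0 (DEBUG) floods the journal`, would make the intent clear (opensnitch's levels run 0=DEBUG, 1=INFO as far as I recall — confirm against the daemon). The next patch in this series greps the journal for `[eBPF] module loaded:` lines, so it is worth confirming those are emitted at INFO or above; if they are debug-only, raising the level here makes that later assertion fail for the wrong reason. Separately, the subject says `nixos/tests/audit` while the file touched is `nixos/tests/opensnitch.nix`.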
@@ -71,13 +71,24 @@ in server.wait_for_unit("caddy.service") server.wait_for_open_port(80) '' - + lib.concatLines ( - map (m: '' - client_blocked_${m}.wait_for_unit("opensnitchd.service") - client_blocked_${m}.fail("curl http://server") + + ( + lib.concatLines ( + map (m: '' + client_blocked_${m}.wait_for_unit("opensnitchd.service") + client_blocked_${m}.fail("curl http://server") - client_allowed_${m}.wait_for_unit("opensnitchd.service") - client_allowed_${m}.succeed("curl http://server") - '') monitorMethods + client_allowed_${m}.wait_for_unit("opensnitchd.service") + client_allowed_${m}.succeed("curl http://server") + '') monitorMethods + ) + + '' + # make sure the kernel modules were actually properly loaded + client_blocked_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch\.o'") + client_blocked_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-procs\.o'") + client_blocked_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-dns\.o'") + client_allowed_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch\.o'") + client_allowed_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-procs\.o'") + client_allowed_ebpf.succeed(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/opensnitch-dns\.o'") + '' ); }
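Review bot: The six `succeed(r"journalctl -u opensnitchd --grep …")` lines at the end of the hunk differ only in the client node and the object filename, so a nested map over the two clients and the three module names states the check once and makes it obvious that exactly the ebpf clients are covered. If the daemon writes the `[eBPF] module loaded:` lines shortly after the unit reports active, a one-shot `succeed` can run before they exist; `wait_until_succeeds` removes that race at no cost. The rewrite below replaces only the appended `''…''` literal; the `testScript` attribute it belongs to starts before the hunk. A Nix comment saying why only the ebpf clients are checked (presumably the other monitor methods load no kernel objects — confirm) would also help the next reader.

```nix
      + (
        # … unchanged: per-monitor-method curl checks via lib.concatLines (map …) monitorMethods …
        # make sure the kernel objects were actually loaded; only the ebpf clients load any
        + lib.concatLines (
          lib.concatMap (
            client:
            map (mod: ''
              ${client}.wait_until_succeeds(r"journalctl -u opensnitchd --grep '\[eBPF\] module loaded: /nix/store/.*/etc/opensnitchd/${mod}\.o'")
            '') [ "opensnitch" "opensnitch-procs" "opensnitch-dns" ]
          ) [ "client_blocked_ebpf" "client_allowed_ebpf" ]
        )
      );
```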