NixOS · domenkozar · Mar 18, 2025 · Mar 17, 2025
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -198,6 +198,8 @@
 
 - [Orthanc](https://orthanc.uclouvain.be/) a lightweight, RESTful DICOM server for healthcare and medical research. Available as [services.orthanc](#opt-services.orthanc.enable).
 
+- [Pareto Security](https://paretosecurity.com/) is an alternative to corporate compliance solutions for companies that care about security but know it doesn't have to be invasive. Available as [services.paretosecurity](#opt-services.paretosecurity.enable)
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -1401,6 +1401,7 @@
   ./services/security/oauth2-proxy.nix
   ./services/security/oauth2-proxy-nginx.nix
   ./services/security/opensnitch.nix
+  ./services/security/paretosecurity.nix
   ./services/security/pass-secret-service.nix
   ./services/security/physlock.nix
   ./services/security/shibboleth-sp.nix

diff --git a/nixos/modules/services/security/paretosecurity.nix b/nixos/modules/services/security/paretosecurity.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
+  options.services.paretosecurity = {
+    enable = lib.mkEnableOption "[ParetoSecurity](https://paretosecurity.com) [agent](https://github.com/ParetoSecurity/agent) and its root helper";
+    package = lib.mkPackageOption pkgs "paretosecurity" { };
+  };
+
+  config = lib.mkIf config.services.paretosecurity.enable {
+    environment.systemPackages = [ config.services.paretosecurity.package ];
+
+    systemd.sockets."paretosecurity" = {
+      wantedBy = [ "sockets.target" ];
+      socketConfig = {
+        ListenStream = "/var/run/paretosecurity.sock";
+        SocketMode = "0666";
+      };
+    };
+
+    systemd.services."paretosecurity" = {
+      serviceConfig = {
+        ExecStart = "${config.services.paretosecurity.package}/bin/paretosecurity helper";
+        User = "root";
+        Group = "root";
+        StandardInput = "socket";
+        Type = "oneshot";
+        RemainAfterExit = "no";
+        StartLimitInterval = "1s";
+        StartLimitBurst = 100;
+        ProtectSystem = "full";
+        ProtectHome = true;
+        StandardOutput = "journal";
+        StandardError = "journal";
+      };
+    };
+
+  };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -895,6 +895,7 @@ in {
   pam-u2f = handleTest ./pam/pam-u2f.nix {};
   pam-ussh = handleTest ./pam/pam-ussh.nix {};
   pam-zfs-key = handleTest ./pam/zfs-key.nix {};
+  paretosecurity = runTest ./paretosecurity.nix;
   pass-secret-service = handleTest ./pass-secret-service.nix {};
   patroni = handleTestOn ["x86_64-linux"] ./patroni.nix {};
   pantalaimon = handleTest ./matrix/pantalaimon.nix {};

diff --git a/nixos/tests/paretosecurity.nix b/nixos/tests/paretosecurity.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+{
+  name = "paretosecurity";
+  meta.maintainers = [ lib.maintainers.zupo ];
+
+  nodes.machine =
+    { config, pkgs, ... }:
+    {
+      services.paretosecurity.enable = true;
+    };
+
+  # very basic test for now, need to add output asserts
+  testScript = ''
+    machine.wait_until_succeeds("paretosecurity check")
+  '';
+}
diff --git a/pkgs/by-name/pa/paretosecurity/package.nix b/pkgs/by-name/pa/paretosecurity/package.nix
@@ -0,0 +1,68 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+  testers,
+  paretosecurity,
+  nixosTests,
+}:
+
+buildGoModule rec {
+  pname = "paretosecurity";
+  version = "0.0.86";
+
+  src = fetchFromGitHub {
+    owner = "ParetoSecurity";
+    repo = "agent";
+    rev = version;
+    hash = "sha256-ASWECYUfG+lmkvAwQf05mCUwwFlUrx3vI0pYbGHdbuI=";
+  };
+
+  # tests do network access, fix pending
+  doCheck = false;
+
+  vendorHash = "sha256-eqwrCbDKmXOCo0+X8w6Me2aaCQ3WQljgOtzqI01FzbU=";
+  proxyVendor = true;
+
+  subPackages = [
+    "cmd/paretosecurity"
+  ];
+
+  ldflags = [
+    "-s"
+    "-X=github.com/ParetoSecurity/agent/shared.Version=${version}"
+    "-X=github.com/ParetoSecurity/agent/shared.Commit=${src.rev}"
+    "-X=github.com/ParetoSecurity/agent/shared.Date=1970-01-01T00:00:00Z"
+  ];
+
+  passthru.tests = {
+    version = testers.testVersion {
+      version = "${version}";
+      package = paretosecurity;
+    };
+    integration_test = nixosTests.paretosecurity;
+  };
+
+  meta = {
+    description = "Pareto Security agent makes sure your laptop is correctly configured for security.";
+    longDescription = ''
+      The Pareto Security agent is a free and open source app to help you make
+      sure that your laptop is configured for security.
+
+      By default, it's a CLI command that prints out a report on basic security
+      settings such as if you have disk encryption and firewall enabled.
+
+      If you use the `services.paretosecurity` NixOS module, you also get a
+      root helper, so that you can run the checker in userspace. Some checks
+      require root permissions, and the checker asks the helper to run those.
+
+      Additionally, you can run `paretosecurity link` to configure the agent
+      to send the status of checks to https://dash.paretosecurity.com to make
+      compliance people happy. No sending happens until your device is linked.
+    '';
+    homepage = "https://github.com/ParetoSecurity/agent";
+    license = lib.licenses.gpl3Only;
+    maintainers = with lib.maintainers; [ zupo ];
+    mainProgram = "paretosecurity";
+  };
+}