grimm-nixos-laptop/hardening/opensnitch/default.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (config.grimmShared)
    enable
    tooling
    graphical
    network
    ;
  inherit (lib)
    optional
    mkIf
    ;

in
{
  imports = [
    ./vesktop.nix
    ./nix.nix
    ./spotify.nix
    ./global.nix
    ./time.nix
    ./osu.nix
    ./cups.nix
    ./network_support.nix
    ./firefox.nix
    ./tooling.nix
    ./dns.nix
  ];

  config = mkIf (enable && tooling.enable && network) {
    environment.systemPackages = optional graphical pkgs.opensnitch-ui;
    grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
    networking.nftables.enable = true;

    # security.audit.enable = true;
    systemd.services.opensnitchd.path = lib.optional (
      config.services.opensnitch.settings.ProcMonitorMethod == "audit"
    ) pkgs.audit.bin;

    services.opensnitch = {
      enable = true;
      settings = {
        DefaultAction = "deny";
        Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
        ProcMonitorMethod = "ftrace";
        # ProcMonitorMethod = "audit";
      };
    };
  };
}
opensnitch progress 2024-10-05 12:11:14 +02:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`let`
tooling fixes 2024-11-23 17:06:12 +01:00			`inherit (config.grimmShared)`
			`enable`
			`tooling`
			`graphical`
			`network`
			`;`
opensnitch progress 2024-10-05 12:11:14 +02:00			`inherit (lib)`
			`optional`
			`mkIf`
			`;`

			`in`
			`{`
split opensnitch rules 2025-01-27 11:04:23 +01:00			`imports = [`
			`./vesktop.nix`
			`./nix.nix`
			`./spotify.nix`
			`./global.nix`
			`./time.nix`
			`./osu.nix`
			`./cups.nix`
			`./network_support.nix`
			`./firefox.nix`
			`./tooling.nix`
encrypted dns 2025-01-28 19:54:36 +01:00			`./dns.nix`
split opensnitch rules 2025-01-27 11:04:23 +01:00			`];`

fix up some opensnitch rules 2024-10-12 11:49:48 +02:00			`config = mkIf (enable && tooling.enable && network) {`
opensnitch progress 2024-10-05 12:11:14 +02:00			`environment.systemPackages = optional graphical pkgs.opensnitch-ui;`
			`grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;`
improve hardening rules 2025-01-11 11:54:34 +01:00			`networking.nftables.enable = true;`
tooling fixes 2024-11-23 17:06:12 +01:00
improve hardening rules 2025-01-11 11:54:34 +01:00			`# security.audit.enable = true;`
improve getty coverage 2025-01-11 14:41:03 +01:00			`systemd.services.opensnitchd.path = lib.optional (`
			`config.services.opensnitch.settings.ProcMonitorMethod == "audit"`
			`) pkgs.audit.bin;`

opensnitch progress 2024-10-05 12:11:14 +02:00			`services.opensnitch = {`
			`enable = true;`
			`settings = {`
			`DefaultAction = "deny";`
improve hardening rules 2025-01-11 11:54:34 +01:00			`Firewall = if config.networking.nftables.enable then "nftables" else "iptables";`
nosuid and nodev 2024-12-29 14:17:01 +01:00			`ProcMonitorMethod = "ftrace";`
protect user home by default and more hardening 2025-01-01 13:39:44 +01:00			`# ProcMonitorMethod = "audit";`
opensnitch progress 2024-10-05 12:11:14 +02:00			`};`
			`};`
			`};`
			`}`