grimm-nixos-laptop/hardening/opensnitch/dns.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (config.grimmShared)
    enable
    tooling
    network
    ;
  inherit (lib)
    getExe
    mkIf
    ;

  created = "1970-01-01T00:00:00.0+00:00";

  dnscrypt_proxy_user = "dnscrypt-proxy2";
in
{

  config = mkIf (enable && tooling.enable && network) {
    users.users."${dnscrypt_proxy_user}" = {
      isSystemUser = true;
      group = dnscrypt_proxy_user;
      uid = 991;
    };
    users.groups."${dnscrypt_proxy_user}" = { };

    systemd.services.dnscrypt-proxy2.serviceConfig = {
      DynamicUser = lib.mkForce true;
      User = dnscrypt_proxy_user;
      Group = dnscrypt_proxy_user;
    };

    services.opensnitch.rules = {
      dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
        name = "dnscrypt-proxy";
        enabled = true;
        action = "allow";
        duration = "always";
        inherit created;
        operator = {
          type = "list";
          operand = "list";
          list = [
            {
              type = "simple";
              sensitive = false;
              operand = "process.path";
              data = getExe pkgs.dnscrypt-proxy;
            }
            {
              type = "regexp";
              operand = "dest.port";
              data = "53|443|4434|5443|4343";
            }
            #  {
            #    type = "lists";
            #    operand = "lists.nets";
            #    data = pkgs.writeTextDir "cidr_dns.list" (
            #      concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
            #    );
            #  }
            {
              type = "simple";
              operand = "user.id";
              data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
            }
          ];
        };
      };
    };
  };
}
encrypted dns 2025-01-28 19:54:36 +01:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`let`
			`inherit (config.grimmShared)`
			`enable`
			`tooling`
			`network`
			`;`
			`inherit (lib)`
			`getExe`
			`mkIf`
			`;`

			`created = "1970-01-01T00:00:00.0+00:00";`

			`dnscrypt_proxy_user = "dnscrypt-proxy2";`
			`in`
			`{`

			`config = mkIf (enable && tooling.enable && network) {`
			`users.users."${dnscrypt_proxy_user}" = {`
			`isSystemUser = true;`
			`group = dnscrypt_proxy_user;`
			`uid = 991;`
			`};`
			`users.groups."${dnscrypt_proxy_user}" = { };`

			`systemd.services.dnscrypt-proxy2.serviceConfig = {`
			`DynamicUser = lib.mkForce true;`
			`User = dnscrypt_proxy_user;`
			`Group = dnscrypt_proxy_user;`
			`};`

			`services.opensnitch.rules = {`
			`dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {`
			`name = "dnscrypt-proxy";`
			`enabled = true;`
			`action = "allow";`
			`duration = "always";`
			`inherit created;`
			`operator = {`
			`type = "list";`
			`operand = "list";`
			`list = [`
			`{`
			`type = "simple";`
			`sensitive = false;`
			`operand = "process.path";`
			`data = getExe pkgs.dnscrypt-proxy;`
			`}`
			`{`
			`type = "regexp";`
			`operand = "dest.port";`
dbus-broker hardening, acpid fixes 2025-01-28 23:59:41 +01:00			`data = "53\|443\|4434\|5443\|4343";`
encrypted dns 2025-01-28 19:54:36 +01:00			`}`
			`# {`
			`# type = "lists";`
			`# operand = "lists.nets";`
			`# data = pkgs.writeTextDir "cidr_dns.list" (`
			`# concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)`
			`# );`
			`# }`
			`{`
			`type = "simple";`
			`operand = "user.id";`
			`data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);`
			`}`
			`];`
			`};`
			`};`
			`};`
			`};`
			`}`