diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index 9a81bc6..3a1e9f1 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -26,7 +26,7 @@ in
 ./wine.nix
 ./c.nix
 ./java.nix
- ./opensnitch.nix
+ ./opensnitch
 ./ranger.nix
 ];
diff --git a/common/tooling/opensnitch.nix b/common/tooling/opensnitch/default.nix
similarity index 64%
rename from common/tooling/opensnitch.nix
rename to common/tooling/opensnitch/default.nix
index 6cbef99..ce4337e 100644
--- a/common/tooling/opensnitch.nix
+++ b/common/tooling/opensnitch/default.nix
@@ -76,24 +76,120 @@ in
 type = "simple";
 operand = "dest.port";
 data = "53";
- list = null;
 }
 {
 type = "lists";
 operand = "lists.nets";
 data = pkgs.writeTextDir "cidr_dns.list" (concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network));
- list = null;
 }
 {
 type = "simple";
 operand = "user.id";
 data = "998";
- list = null;
 }
 ];
 };
 };
+ spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
+ name = "spotify-deny";
+ enabled = true;
+ action = "deny";
+ precedence = false;
+ duration = "always";
+ operator = {
+ type ="simple";
+ sensitive = false;
+ operand = "process.path";
+ data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
+ };
+ };
+
+ ncspot = mkIf (config.grimmShared.spotify.enable) {
+ name = "ncspot";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ operator = {
+ type = "list";
+ operand = "list";
+ list = [
+ {
+ type = "regexp";
+ operand = "dest.port";
+ data = "443|4070";
+ }
+ {
+ type ="simple";
+ sensitive = false;
+ operand = "process.path";
+ data = lib.getExe pkgs.ncspot;
+ }
+ {
+ type = "lists";
+ operand = "lists.domains_regexp";
+ data = ./spotify_hosts;
+ }
+ ];
+ };
+ };
+
+ spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
+ name = "spotify-allow";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ precedence = true;
+ operator = {
+ type = "list";
+ operand = "list";
+ list = [
+ {
+ type = "regexp";
+ operand = "dest.port";
+ data = "443|4070";
+ }
+ {
+ type ="simple";
+ sensitive = false;
+ operand = "process.path";
+ data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
+ }
+ {
+ type = "lists";
+ operand = "lists.domains_regexp";
+ data = ./spotify_hosts;
+ }
+ ];
+ };
+ };
+
+
+ spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
+ name = "spotify-allow-local";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ precedence = true;
+ operator = {
+ type = "list";
+ operand = "list";
+ list = [
+ {
+ type ="simple";
+ sensitive = false;
+ operand = "process.path";
+ data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
+ }
+ {
+ type = "lists";
+ operand = "lists.nets";
+ data = local_ips;
+ }
+ ];
+ };
+ };
+
 avahi = mkIf (config.services.avahi.enable) {
 name = "avahi";
 enabled = true;
@@ -113,13 +209,11 @@ in
 type = "simple";
 operand = "dest.port";
 data = "5353";
- list = null;
 }
 {
 type = "simple";
 operand = "user.id";
 data = "996";
- list = null;
 }
 ];
 };
@@ -138,20 +232,17 @@ in
 type ="simple";
 sensitive = false;
 operand = "process.path";
- list = null;
 data = lib.getExe' pkgs.cups-filters "cups-browsed";
 }
 {
 type ="regexp";
 operand = "dest.port";
 data = "53";
- list = null;
 }
 {
 type = "lists";
 operand = "lists.nets";
 data = local_ips;
- list = null;
 }
 ];
 };
@@ -170,13 +261,11 @@ in
 type ="simple"; sensitive = false; operand = "process.path";
- list = null;
 data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; } { type ="regexp"; operand = "dest.port"; data = "123|37";
- list = null;
 } ]; };
diff --git a/common/tooling/opensnitch/spotify_hosts/hosts.list b/common/tooling/opensnitch/spotify_hosts/hosts.list
new file mode 100644
index 0000000..76d3ceb
--- /dev/null
+++ b/common/tooling/opensnitch/spotify_hosts/hosts.list
@@ -0,0 +1,3 @@
+scdn.co
+spotifycdn.com
+spotify.com
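Review bot: The `dest.port` matchers added in the new `ncspot` and `spotify_allow` rules use `type = "regexp"` with `data = "443|4070"`, and if OpenSnitch evaluates regexp operands with an unanchored match (Go's `MatchString`, as the operand type suggests) this also accepts any port whose decimal string contains 443 or 4070 (8443, 14433, 40700); anchoring it as `data = "^(443|4070)$";` keeps the allow rules as narrow as their names imply. The literal `"${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"` is repeated in `spotify_deny`, `spotify_allow` and `spotify_allow_local`; binding it once in the enclosing `let … in` (which begins before this hunk, as does the operator list the hunk opens in) would keep the deny rule and the two allow rules from drifting apart. `ncspot` is also the only new rule without an explicit `precedence`, so it takes whatever the module's default is — worth stating `precedence = true;` or `false` explicitly, matching its siblings.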
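Review bot: These three entries are consumed through `operand = "lists.domains_regexp"` in the new `ncspot` and `spotify_allow` rules, so each line is a regular expression rather than a literal domain: the unescaped `.` matches any character and nothing anchors the pattern to the end of the host, so `spotify.com` also matches hosts such as `spotify.com.example.net` or `spotifyXcom.example.net`. Anchoring and escaping them, e.g. `^(.*\.)?scdn\.co$`, `^(.*\.)?spotifycdn\.com$` and `^(.*\.)?spotify\.com$`, limits the allow rules to the intended domains and their subdomains. A one-line header comment stating that entries are regexps would help the next editor, provided OpenSnitch's list loader tolerates comment lines — confirm that before adding it.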