diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix
index dcdae03..11daf60 100644
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@@ -8,11 +8,12 @@ let
 inherit (config.grimmShared) enable tooling graphical;
 inherit (lib)
 optional
- optionals
 getBin
 getExe
 concatLines
 getExe'
+ escapeRegex
+ getVersion
 mkIf
 ;
@@ -216,6 +217,87 @@ in
 };
 };
+ vesktop_deny = mkIf (graphical) {
+ name = "vesktop-deny";
+ enabled = true;
+ action = "deny";
+ precedence = false;
+ duration = "always";
+ operator = {
+ type ="regexp";
+ sensitive = false;
+ operand = "process.command";
+ data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
+ };
+ };
+
+ vesktop_allow = mkIf (graphical) {
+ name = "vesktop-allow";
+ enabled = true;
+ action = "allow";
+ precedence = true;
+ duration = "always";
+ operator = {
+ type = "list";
+ operand = "list";
+ list = [
+ {
+ type ="regexp";
+ sensitive = false;
+ operand = "process.command";
+ data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
+ }
+ {
+ type = "lists";
+ operand = "lists.domains_regexp";
+ data = ./discord_hosts;
+ }
+ ];
+ };
+ };
+
+ vesktop_daemon_deny = mkIf (graphical) {
+ name = "vesktop-daemon-deny";
+ enabled = true;
+ action = "deny";
+ precedence = false;
+ duration = "always";
+ operator = {
+ type ="regexp";
+ sensitive = false;
+ operand = "process.command";
+ data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+ };
+ };
+
+
+ vesktop_daemon_allow = mkIf (graphical) {
+ name = "vesktop-daemon-allow";
+ enabled = true;
+ action = "allow";
+ precedence = true;
+ duration = "always";
+ operator = {
+ type = "list";
+ operand = "list";
+ list = [
+ {
+ type ="regexp";
+ sensitive = false;
+ operand = "process.command";
+ data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex 
"--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+ }
+ {
+ type = "lists";
+ operand = "lists.domains_regexp";
+ data = ./discord_hosts;
+ }
+ ];
+ };
+ };
+
+
 avahi = mkIf (config.services.avahi.enable) {
 name = "avahi";
 enabled = true;
diff --git a/common/tooling/opensnitch/discord_hosts/hosts.list b/common/tooling/opensnitch/discord_hosts/hosts.list
new file mode 100644
index 0000000..ba4e398
--- /dev/null
+++ b/common/tooling/opensnitch/discord_hosts/hosts.list
@@ -0,0 +1,11 @@
+cloudflare.com
+discordapp.com
+discordapp.net
+discord.gg
+discord.com
+vencord.dev
+
+github.com
+githubusercontent.com
+scdn.co
+spotify.com
diff --git a/overlays/vesktop.nix b/overlays/vesktop.nix
new file mode 100644
index 0000000..61765b7
--- /dev/null
+++ b/overlays/vesktop.nix
@@ -0,0 +1,6 @@
+{ prev, ... }:
+{
+ vesktop = prev.vesktop.override {
+ withTTS = false;
+ };
+}
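Review bot: In the two `--user-data-dir` patterns (vesktop_daemon_deny and vesktop_daemon_allow) the `\.` is consumed by the Nix string lexer, which turns an unrecognised escape into the bare character, so the regexp opensnitch actually receives is `/home/.+/.config/vesktop.+` with an unescaped dot; the Nix source needs `\\.`. All four `process.command` regexps are also unanchored, and opensnitch's `regexp` operator performs an unanchored match, so any command line that merely contains the electron path somewhere before the second fragment satisfies the allow entries; a leading `^` tightens that, and `/home/[^/]+/` is a safer stand-in for `/home/.+/`. A corrected daemon pattern would be `data = "^/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/[^/]+/\\.config/vesktop.+";`. The electron prefix is spelled out identically four times; one binding in the enclosing `let` (which lies outside this hunk) would keep each deny/allow pair from drifting apart when the pattern is next adjusted.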
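Review bot: Each line of this file is consumed as a regular expression (`lists.domains_regexp` in default.nix), and as written the entries are unanchored with unescaped dots, so `discord.com` also matches any destination host that merely contains "discord", one arbitrary character and "com" — a broader allow than the domain list suggests. Anchoring and escaping each entry, e.g. `(^|\.)discord\.com$`, confines the allow rule to the domain and its subdomains; the same applies to the short `scdn.co` entry, which is especially prone to incidental substring matches. If opensnitch's list loader does not skip blank lines, the empty line 7 becomes an empty pattern that matches every host, so it is worth confirming that behaviour or dropping the blank.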
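Review bot: This overlay is a function of an attribute set `{ prev, ... }` rather than the curried `final: prev:` form that nixpkgs applies directly, so it presumably passes through a loader elsewhere in the repository that is not visible in this diff. A one-line comment at the top naming that mechanism, e.g. `# loaded by <overlay loader placeholder>; not a raw nixpkgs overlay`, would spare the next reader the search and make it clear why `final` is unavailable here.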