update and fix opensnitch

2025-01-09 13:54:25 +01:00 · 2025-01-09 13:54:25 +01:00 · 553b1863d3
commit 553b1863d3
parent a8f9e7a9c2
12 changed files with 96 additions and 33 deletions
--- a/common/hardware/tlp.nix
+++ b/common/hardware/tlp.nix
@ -80,7 +80,7 @@ in
    };

    powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
-    powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
+    # powerManagement.cpuFreqGovernor = lib.mkDefault "normal";

    services.power-profiles-daemon.enable = false;
    services.upower.enable = true;
--- a/common/tooling/nix.nix
+++ b/common/tooling/nix.nix
@ -48,7 +48,10 @@
      "pipe-operator"
    ];
    warn-dirty = false;
-    allowed-users = [ "@wheel" "grimmauld" ];
+    allowed-users = [
+      "@wheel"
+      "grimmauld"
+    ];
  };

  programs.nh = {
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@ -97,6 +97,34 @@ in
          };
        };

+        git = {
+          name = "git-allow-all";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          inherit created;
+          operator = {
+            type = "regexp";
+            sensitive = false;
+            operand = "process.path";
+            data = "${lib.escapeRegex pkgs.git.outPath}/.*";
+          };
+        };
+        
+        ssh = {
+          name = "ssh-allow-all";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          inherit created;
+          operator = {
+            type = "regexp";
+            sensitive = false;
+            operand = "process.path";
+            data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
+          };
+        };
+
        nsncd = mkIf (config.services.nscd.enableNsncd) {
          name = "nsncd-dns";
          enabled = true;
@ -339,13 +367,13 @@ in
          };
        };

-        vesktop_daemon_allow_udp = mkIf (graphical) {
+        vesktop_daemon_allow_udp = mkIf graphical {
          name = "vesktop-allow-udp";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
-          # inherit created;
+          inherit created;
          operator = {
            type = "list";
            operand = "list";
--- a/flake.lock
+++ b/flake.lock
@ -140,11 +140,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1735943654,
-        "narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=",
+        "lastModified": 1736112920,
+        "narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "5edcf7fb24c73ff9665f299461af33fa6171836f",
+        "rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5",
        "type": "github"
      },
      "original": {
@ -342,11 +342,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1735774425,
-        "narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=",
+        "lastModified": 1736066484,
+        "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "5f6aa268e419d053c3d5025da740e390b12ac936",
+        "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
        "type": "github"
      },
      "original": {
@ -383,11 +383,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1735330405,
-        "narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=",
+        "lastModified": 1735931035,
+        "narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd",
+        "rev": "7e530766a5fd9b7577296fedd655f3255f7495d8",
        "type": "github"
      },
      "original": {
@ -507,11 +507,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1735834308,
-        "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
+        "lastModified": 1736344531,
+        "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6df24922a1400241dae323af55f30e4318a6ca65",
+        "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
        "type": "github"
      },
      "original": {
--- a/hardening/default.nix
+++ b/hardening/default.nix
@ -6,7 +6,7 @@
  ];

  specialisation.unhardened.configuration = { };
-  services.opensnitch.enable = lib.mkForce false;
+  # services.opensnitch.enable = lib.mkForce false;

  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
--- a/hardening/systemd/bluetooth.nix
+++ b/hardening/systemd/bluetooth.nix
@ -7,7 +7,6 @@
      ];
      NoNewPrivileges = true;
      RestrictNamespaces = "pid";
-
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
@ -18,7 +17,6 @@
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
-
      PrivateUsers = true;
    };

@ -28,7 +26,6 @@
      ];
      NoNewPrivileges = true;
      RestrictNamespaces = "pid";
-
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
@ -39,7 +36,6 @@
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
-
      PrivateUsers = true;
    };
  };
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@ -62,6 +62,11 @@ in
  config = mkIf (config.specialisation != { }) {

    systemd.services = {
+      opensnitchd.serviceConfig = {
+        ProtectHome = false;
+        PrivateTmp = false;
+        ProtectKernelLogs = false;
+      };
      "user-runtime-dir@".serviceConfig.ProtectHome = false;
      "user@".serviceConfig.ProtectHome = false;
      systemd-homed.serviceConfig.ProtectHome = false;
--- a/hardening/systemd/nix-daemon.nix
+++ b/hardening/systemd/nix-daemon.nix
@ -11,9 +11,25 @@
      SystemCallArchitectures = "native";
      RestrictSUIDSGID = true; # good, somehow???

-      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; # needed to download sources and caches
-      RestrictNamespaces = "user net uts mnt ipc pid"; # namespaces needed for sandboxing
-      SystemCallFilter = "@system-service @cpu-emulation @mount @privileged";
+      RestrictAddressFamilies = [
+        "AF_UNIX"
+        "AF_INET"
+        "AF_INET6"
+      ]; # needed to download sources and caches
+      RestrictNamespaces = [
+        "user"
+        "net"
+        "uts"
+        "mnt"
+        "ipc"
+        "pid"
+      ]; # namespaces needed for sandboxing
+      SystemCallFilter = [
+        "@system-service"
+        "@cpu-emulation"
+        "@mount"
+        "@privileged"
+      ];

      LockPersonality = true;
      ProtectControlGroups = true;
@ -23,9 +39,12 @@
      ProtectClock = true;

      # file system
-      PrivateTmp = true;
+      # PrivateTmp = true; # breaks --keep-failed
      ProtectSystem = "strict";
-      ReadWritePaths = "/nix";
+      ReadWritePaths = [
+        "/nix"
+        "/tmp"
+      ];

      # Scheduling: only do as much as resources are available
      LimitNICE = 1;
@ -37,7 +56,12 @@
      DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests

      CapabilityBoundingSet = [
-        "CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_DAC_OVERRIDE"
+        "CAP_FOWNER"
+        "CAP_CHOWN"
+        "CAP_SETUID"
+        "CAP_SETGID"
+        "CAP_SYS_ADMIN"
+        "CAP_DAC_OVERRIDE"
      ];

      # ProtectKernelLogs=true; # BAD
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -38,6 +38,7 @@
        ./ooye.nix
        ./factorio.nix
        ./ranger.nix
+        ./opensnitch-ui.nix
        # ./ncspot.nix
        # ./grpcio-tools.nix
      ];
--- a/overlays/opensnitch-ui.nix
+++ b/overlays/opensnitch-ui.nix
@ -0,0 +1,6 @@
+{ final, prev, ... }:
+{
+  opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
+    propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
+  });
+}
--- a/sway/default.nix
+++ b/sway/default.nix
@ -197,7 +197,7 @@
            (getExe' config.hardware.opentabletdriver.package "otd-daemon")
            pkgs.swaynotificationcenter
            pkgs.networkmanagerapplet
-            #            aw-bundle
+            aw-bundle
            # (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
          ];
        extraConfig = ''