update and fix opensnitch

This commit is contained in:
Grimmauld 2025-01-09 13:54:25 +01:00
parent a8f9e7a9c2
commit 553b1863d3
No known key found for this signature in database
12 changed files with 96 additions and 33 deletions

View file

@ -80,7 +80,7 @@ in
};
powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
# powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
services.power-profiles-daemon.enable = false;
services.upower.enable = true;

View file

@ -48,7 +48,10 @@
"pipe-operator"
];
warn-dirty = false;
allowed-users = [ "@wheel" "grimmauld" ];
allowed-users = [
"@wheel"
"grimmauld"
];
};
programs.nh = {

View file

@ -97,6 +97,34 @@ in
};
};
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
@ -339,13 +367,13 @@ in
};
};
vesktop_daemon_allow_udp = mkIf (graphical) {
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
# inherit created;
inherit created;
operator = {
type = "list";
operand = "list";

View file

@ -140,11 +140,11 @@
]
},
"locked": {
"lastModified": 1735943654,
"narHash": "sha256-rXmcRRQfXXYAKOa5IXlrMISTwgScA2Dx04JpONXRA+Q=",
"lastModified": 1736112920,
"narHash": "sha256-MME0HoMWJtk67vW4lop1eTK4//EXJB/hefo6+JbdHZs=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "5edcf7fb24c73ff9665f299461af33fa6171836f",
"rev": "aa7b9944e164d9284939b78d05b8cf8df319a5d5",
"type": "github"
},
"original": {
@ -342,11 +342,11 @@
]
},
"locked": {
"lastModified": 1735774425,
"narHash": "sha256-C73gLFnEh8ZI0uDijUgCDWCd21T6I6tsaWgIBHcfAXg=",
"lastModified": 1736066484,
"narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "5f6aa268e419d053c3d5025da740e390b12ac936",
"rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
"type": "github"
},
"original": {
@ -383,11 +383,11 @@
]
},
"locked": {
"lastModified": 1735330405,
"narHash": "sha256-MhXgu1oymyjhhZGY9yewNonJknNAjilzMGPY1FfMR7s=",
"lastModified": 1735931035,
"narHash": "sha256-f3WRxasPYVKzrvAlLq+/3FRHQVfxVf5xxf0WWwnO99k=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "a86d9cf841eff8b33a05d2bf25788abd8e018dbd",
"rev": "7e530766a5fd9b7577296fedd655f3255f7495d8",
"type": "github"
},
"original": {
@ -507,11 +507,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1735834308,
"narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
"lastModified": 1736344531,
"narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6df24922a1400241dae323af55f30e4318a6ca65",
"rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
"type": "github"
},
"original": {

View file

@ -32,10 +32,10 @@
url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
# nixpkgs-update = {
# url = "github:nix-community/nixpkgs-update";
# # inputs.nixpkgs.follows = "nixpkgs";
# };
# nixpkgs-update = {
# url = "github:nix-community/nixpkgs-update";
# # inputs.nixpkgs.follows = "nixpkgs";
# };
apparmor-dev = {
url = "github:LordGrimmauld/apparmor-dev";
inputs.nixpkgs.follows = "nixpkgs";

View file

@ -6,7 +6,7 @@
];
specialisation.unhardened.configuration = { };
services.opensnitch.enable = lib.mkForce false;
# services.opensnitch.enable = lib.mkForce false;
systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false;

View file

@ -7,7 +7,6 @@
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
@ -18,7 +17,6 @@
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
@ -28,7 +26,6 @@
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
@ -39,7 +36,6 @@
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};

View file

@ -62,6 +62,11 @@ in
config = mkIf (config.specialisation != { }) {
systemd.services = {
opensnitchd.serviceConfig = {
ProtectHome = false;
PrivateTmp = false;
ProtectKernelLogs = false;
};
"user-runtime-dir@".serviceConfig.ProtectHome = false;
"user@".serviceConfig.ProtectHome = false;
systemd-homed.serviceConfig.ProtectHome = false;

View file

@ -11,9 +11,25 @@
SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow???
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; # needed to download sources and caches
RestrictNamespaces = "user net uts mnt ipc pid"; # namespaces needed for sandboxing
SystemCallFilter = "@system-service @cpu-emulation @mount @privileged";
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
"net"
"uts"
"mnt"
"ipc"
"pid"
]; # namespaces needed for sandboxing
SystemCallFilter = [
"@system-service"
"@cpu-emulation"
"@mount"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
@ -23,9 +39,12 @@
ProtectClock = true;
# file system
PrivateTmp = true;
# PrivateTmp = true; # breaks --keep-failed
ProtectSystem = "strict";
ReadWritePaths = "/nix";
ReadWritePaths = [
"/nix"
"/tmp"
];
# Scheduling: only do as much as resources are available
LimitNICE = 1;
@ -37,7 +56,12 @@
DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
CapabilityBoundingSet = [
"CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_DAC_OVERRIDE"
"CAP_FOWNER"
"CAP_CHOWN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SYS_ADMIN"
"CAP_DAC_OVERRIDE"
];
# ProtectKernelLogs=true; # BAD

View file

@ -38,6 +38,7 @@
./ooye.nix
./factorio.nix
./ranger.nix
./opensnitch-ui.nix
# ./ncspot.nix
# ./grpcio-tools.nix
];

View file

@ -0,0 +1,6 @@
{ final, prev, ... }:
{
opensnitch-ui = prev.opensnitch-ui.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs or [ ] ++ [ final.python311Packages.packaging ];
});
}

View file

@ -197,7 +197,7 @@
(getExe' config.hardware.opentabletdriver.package "otd-daemon")
pkgs.swaynotificationcenter
pkgs.networkmanagerapplet
# aw-bundle
aw-bundle
# (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
];
extraConfig = ''