opensnitch progress
This commit is contained in:
parent
bbc39ddae8
commit
722c6f8e86
GPG Key ID:
C2946668769F91FB
@ -26,6 +26,7 @@ in
|
||||
./wine.nix
|
||||
./c.nix
|
||||
./java.nix
|
||||
./opensnitch.nix
|
||||
./ranger.nix
|
||||
];
|
||||
|
||||
|
||||
200
common/tooling/opensnitch.nix
Normal file
200
common/tooling/opensnitch.nix
Normal file
@ -0,0 +1,200 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.grimmShared) enable tooling graphical;
|
||||
inherit (lib)
|
||||
optional
|
||||
optionals
|
||||
getBin
|
||||
getExe
|
||||
concatLines
|
||||
getExe'
|
||||
mkIf
|
||||
;
|
||||
|
||||
local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
|
||||
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
|
||||
in
|
||||
{
|
||||
config = mkIf (enable && tooling.enable) {
|
||||
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
|
||||
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
|
||||
|
||||
services.opensnitch = {
|
||||
enable = true;
|
||||
settings = {
|
||||
DefaultAction = "deny";
|
||||
Firewall = "iptables";
|
||||
LogLevel = 1;
|
||||
};
|
||||
|
||||
rules = {
|
||||
firefox = let
|
||||
cfg = config.programs.firefox;
|
||||
pkg = (cfg.package.override (old: {
|
||||
extraPrefsFiles =
|
||||
old.extraPrefsFiles or [ ]
|
||||
++ cfg.autoConfigFiles
|
||||
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
|
||||
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
|
||||
cfg = (old.cfg or { }) // cfg.wrapperConfig;
|
||||
}));
|
||||
# pkg = pkgs.firefox-unwrapped;
|
||||
in mkIf (config.programs.firefox.enable) {
|
||||
name = "firefox";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = "${getBin pkg}/lib/firefox/firefox";
|
||||
};
|
||||
};
|
||||
|
||||
nsncd = mkIf (config.services.nscd.enableNsncd) {
|
||||
name = "nsncd-dns";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "list";
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = getExe pkgs.nsncd;
|
||||
}
|
||||
{
|
||||
type = "simple";
|
||||
operand = "dest.port";
|
||||
data = "53";
|
||||
list = null;
|
||||
}
|
||||
{
|
||||
type = "lists";
|
||||
operand = "lists.nets";
|
||||
data = pkgs.writeTextDir "cidr_dns.list" (concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network));
|
||||
list = null;
|
||||
}
|
||||
{
|
||||
type = "simple";
|
||||
operand = "user.id";
|
||||
data = "998";
|
||||
list = null;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
avahi = mkIf (config.services.avahi.enable) {
|
||||
name = "avahi";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "list";
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = getExe' config.services.avahi.package "avahi-daemon";
|
||||
}
|
||||
{
|
||||
type = "simple";
|
||||
operand = "dest.port";
|
||||
data = "5353";
|
||||
list = null;
|
||||
}
|
||||
{
|
||||
type = "simple";
|
||||
operand = "user.id";
|
||||
data = "996";
|
||||
list = null;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
cups-filters = mkIf (config.services.printing.enable) {
|
||||
name = "cups-filters";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "list";
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
list = null;
|
||||
data = lib.getExe' pkgs.cups-filters "cups-browsed";
|
||||
}
|
||||
{
|
||||
type ="regexp";
|
||||
operand = "dest.port";
|
||||
data = "53";
|
||||
list = null;
|
||||
}
|
||||
{
|
||||
type = "lists";
|
||||
operand = "lists.nets";
|
||||
data = local_ips;
|
||||
list = null;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
|
||||
name = "systemd-timesyncd";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "list";
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
list = null;
|
||||
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; }
|
||||
{
|
||||
type ="regexp";
|
||||
operand = "dest.port";
|
||||
data = "123|37";
|
||||
list = null;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
nextcloud = mkIf (config.grimmShared.cloudSync.enable) {
|
||||
name = "nextcloud";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@ -23,7 +23,8 @@
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.supportedFilesystems.zfs = true;
|
||||
networking.hostId = "40fa5ea8";
|
||||
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_10;
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.kernelParams = [ "mds=full,nosmt" ];
|
||||
services.homed.enable = true;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user