diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index b1b6d23..9a81bc6 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -26,6 +26,7 @@ in
     ./wine.nix
     ./c.nix
     ./java.nix
+    ./opensnitch.nix
     ./ranger.nix
   ];
 
diff --git a/common/tooling/opensnitch.nix b/common/tooling/opensnitch.nix
new file mode 100644
index 0000000..6cbef99
--- /dev/null
+++ b/common/tooling/opensnitch.nix
@@ -0,0 +1,200 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.grimmShared) enable tooling graphical;
+  inherit (lib)
+    optional
+    optionals
+    getBin
+    getExe
+    concatLines
+    getExe'
+    mkIf
+    ;
+
+  local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
+  local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
+in
+{
+  config = mkIf (enable && tooling.enable) {
+    environment.systemPackages = optional graphical pkgs.opensnitch-ui;
+    grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
+
+    services.opensnitch = {
+      enable = true;
+      settings = {
+        DefaultAction = "deny";
+        Firewall = "iptables";
+        LogLevel = 1;
+      };
+
+      rules = {
+        firefox = let
+          cfg = config.programs.firefox;
+          pkg = (cfg.package.override (old: {
+            extraPrefsFiles =
+              old.extraPrefsFiles or [ ]
+              ++ cfg.autoConfigFiles
+              ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
+            nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
+            cfg = (old.cfg or { }) // cfg.wrapperConfig;
+          }));
+          # pkg = pkgs.firefox-unwrapped;
+        in mkIf (config.programs.firefox.enable) {
+          name = "firefox";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type ="simple";
+            sensitive = false;
+            operand = "process.path";
+            data = "${getBin pkg}/lib/firefox/firefox";
+          };
+        };
+
+        nsncd = mkIf (config.services.nscd.enableNsncd) {
+          name = "nsncd-dns";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type = "list";
+            operand = "list";
+            list = [
+              {
+                type ="simple";
+                sensitive = false;
+                operand = "process.path";
+                data = getExe pkgs.nsncd;
+              }
+              {
+                type = "simple";
+                operand = "dest.port";
+                data = "53";
+                list = null;
+              }
+              {
+                type = "lists";
+                operand = "lists.nets";
+                data = pkgs.writeTextDir "cidr_dns.list" (concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network));
+                list = null;
+              }
+              {
+                type = "simple";
+                operand = "user.id";
+                data = "998";
+                list = null;
+              }
+            ];
+          };
+        };
+
+        avahi = mkIf (config.services.avahi.enable) {
+          name = "avahi";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type = "list";
+            operand = "list";
+            list = [
+              {
+                type ="simple";
+                sensitive = false;
+                operand = "process.path";
+                data = getExe' config.services.avahi.package "avahi-daemon";
+              }
+              {
+                type = "simple";
+                operand = "dest.port";
+                data = "5353";
+                list = null;
+              }
+              {
+                type = "simple";
+                operand = "user.id";
+                data = "996";
+                list = null;
+              }
+            ];
+          };
+        };
+
+        cups-filters = mkIf (config.services.printing.enable) {
+          name = "cups-filters";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type = "list";
+            operand = "list";
+            list = [
+              {
+                type ="simple";
+                sensitive = false;
+                operand = "process.path";
+                list = null;
+                data = lib.getExe' pkgs.cups-filters "cups-browsed";
+              }
+              {
+                type ="regexp";
+                operand = "dest.port";
+                data = "53";
+                list = null;
+              }
+              {
+                type = "lists";
+                operand = "lists.nets";
+                data = local_ips;
+                list = null;
+              }
+            ];
+          };
+        };
+
+        systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
+          name = "systemd-timesyncd";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type = "list";
+            operand = "list";
+            list = [
+              {
+                type ="simple";
+                sensitive = false;
+                operand = "process.path";
+                list = null;
+                data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; }
+              {
+                type ="regexp";
+                operand = "dest.port";
+                data = "123|37";
+                list = null;
+              }
+            ];
+          };
+        };
+
+        nextcloud = mkIf (config.grimmShared.cloudSync.enable) {
+          name = "nextcloud";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type ="simple";
+            sensitive = false;
+            operand = "process.path";
+            data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
+          };
+        };
+      };
+    };
+  };
+}
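Review bot: The `dest.port` matchers written as `type ="regexp"` in the cups-filters and systemd-timesyncd rules are unanchored patterns, so `"53"` also matches ports such as 530 or 5353 and `"123|37"` matches 1230, 3737 or 8123, which widens those always-allow rules well beyond DNS and NTP; unless opensnitch anchors regexp operands implicitly (its regexp operator does not appear to), these should be `data = "^53$";` and `data = "^(123|37)$";`, or `type = "simple"` for the single port as the nsncd and avahi rules already use. The `user.id` entries `"998"` (nsncd) and `"996"` (avahi) look like dynamically allocated system UIDs, so on another host or after a rebuild they can change and the rule then silently stops matching, or matches a different account; pinning the UID with `users.users.<name>.uid` in this module (and building the string from that option) keeps the account and the rule in agreement. The commented-out `# pkg = pkgs.firefox-unwrapped;` line is dead code and should either be removed or replaced by a comment saying why the wrapped package path `${getBin pkg}/lib/firefox/firefox` is the one that matches the running process.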
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index 6f13008..b87b834 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -23,7 +23,8 @@
   boot.kernelModules = [ "kvm-intel" ];
   boot.supportedFilesystems.zfs = true;
   networking.hostId = "40fa5ea8";
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.kernelPackages = pkgs.linuxPackages_6_10;
   boot.extraModulePackages = [ ];
   boot.kernelParams = [ "mds=full,nosmt" ];
   services.homed.enable = true;
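Review bot: `boot.kernelPackages = pkgs.linuxPackages_6_10;` pins the host to one fixed, non-LTS kernel series, so it stops following kernel security releases once that branch is no longer maintained and the build breaks outright when nixpkgs drops the attribute, whereas the replaced expression tracked whatever ZFS currently supported. If this is a workaround for a ZFS/kernel mismatch, say so and state the exit condition next to the pin, e.g. `# TODO(owner): temporary pin until zfs builds against the default kernel; drop this and return to the ZFS-compatible default`. The previous line kept as `# boot.kernelPackages = ...` is dead code and can be deleted, since git already preserves it.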