Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

opensnitch progress

Browse Source
This commit is contained in:
Grimmauld 2024-10-05 12:11:14 +02:00
parent bbc39ddae8
commit 722c6f8e86
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
3 changed files with 203 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
common/tooling/default.nix
View File

@ -26,6 +26,7 @@ in
./wine.nix ./wine.nix
./c.nix ./c.nix
./java.nix ./java.nix
./opensnitch.nix
./ranger.nix ./ranger.nix
]; ];

200
common/tooling/opensnitch.nix Normal file
View File

@ -0,0 +1,200 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optional
optionals
getBin
getExe
concatLines
getExe'
mkIf
;
local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = "iptables";
LogLevel = 1;
};
rules = {
firefox = let
cfg = config.programs.firefox;
pkg = (cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
}));
# pkg = pkgs.firefox-unwrapped;
in mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
}
{
type = "simple";
operand = "dest.port";
data = "53";
list = null;
}
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network));
list = null;
}
{
type = "simple";
operand = "user.id";
data = "998";
list = null;
}
];
};
};
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "simple";
operand = "dest.port";
data = "5353";
list = null;
}
{
type = "simple";
operand = "user.id";
data = "996";
list = null;
}
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
list = null;
data = lib.getExe' pkgs.cups-filters "cups-browsed";
}
{
type ="regexp";
operand = "dest.port";
data = "53";
list = null;
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
list = null;
}
];
};
};
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
list = null;
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; }
{
type ="regexp";
operand = "dest.port";
data = "123|37";
list = null;
}
];
};
};
nextcloud = mkIf (config.grimmShared.cloudSync.enable) {
name = "nextcloud";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
};
};
};
};
};
}

3
specific/grimm-nixos-ssd/hardware-configuration.nix
View File

@ -23,7 +23,8 @@
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems.zfs = true;
networking.hostId = "40fa5ea8"; networking.hostId = "40fa5ea8";
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelPackages = pkgs.linuxPackages_6_10;
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.kernelParams = [ "mds=full,nosmt" ]; boot.kernelParams = [ "mds=full,nosmt" ];
services.homed.enable = true; services.homed.enable = true;