fix up some opensnitch rules

This commit is contained in:
Grimmauld 2024-10-12 11:49:48 +02:00
parent 96d240c517
commit 76efedce92
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
2 changed files with 90 additions and 23 deletions


@ -5,7 +5,7 @@
...
}:
let
inherit (config.grimmShared) enable tooling graphical;
inherit (config.grimmShared) enable tooling graphical network;
inherit (lib)
optional
getBin
@ -15,13 +15,20 @@ let
escapeRegex
getVersion
mkIf
filter
split
strings
concatStringsSep
length
isString
;
local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
in
{
config = mkIf (enable && tooling.enable) {
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
@ -157,9 +164,9 @@ in
operand = "list";
list = [
{
type = "simple";
type = "regexp";
operand = "dest.port";
data = "443";
data = "443|53";
}
{
type ="regexp";
@ -359,9 +366,9 @@ in
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "simple";
type = "regexp";
operand = "dest.port";
data = "5353";
data = "5353|53";
}
{
type = "simple";
@ -372,6 +379,48 @@ in
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type ="simple";
operand = "dest.port";
data = "547";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
@ -385,12 +434,12 @@ in
type ="simple";
sensitive = false;
operand = "process.path";
data = lib.getExe' pkgs.cups-filters "cups-browsed";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type ="regexp";
operand = "dest.port";
data = "53";
data = "53|631";
}
{
type = "lists";
@ -440,11 +489,29 @@ in
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = let l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); in (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type ="regexp";
operand = "dest.port";
data = "443|53";
}
];
};
};
};
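Review bot: The new regexp operands are unanchored — `443|53` in the first rule and again in the nextcloud-client rule, `5353|53` in the avahi rule, `53|631` in the cups-filters rule, and the generated `dest.host` pattern — and, as far as I can tell, OpenSnitch's `regexp` type is a Go substring match, so `443|53` also allows 8443, 5353 or 1053, and a host pattern like `((cloud\.)?example\.)?org` (what the `let l = …` expression yields for a three-label server name) allows any destination whose name contains its last label. Anchor each alternative list, e.g. `data = "^(443|53)$";`, and wrap the host expression as `data = "^" + (let l = …; in …) + "$";`; since `escapeRegex` is already inherited from `lib`, applying it to each label would also remove the assumption that the server name holds no regex metacharacters. These items sit in `list` operators next to a `process.path` match, so the over-match is bounded to that process, but an `allow` rule with `duration = "always"` still warrants an exact port and host match. The nextcloud-client attribute set begins before the last hunk, so its `name` line is outside this view.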


@ -5,10 +5,10 @@
"homepage": null,
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "7f7b8a654dac5117db22b97a01d3975acdb359b4",
"sha256": "18prm208issqgfikgahv2xr0hzwkghl2sj3y8aj2xi5x1j4id3sl",
"rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
"sha256": "1v9jk4j0zylx3ixwk5q8z22v6ir86pk9lfbf5q3ibgaggpf8kqa7",
"type": "tarball",
"url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/7f7b8a654dac5117db22b97a01d3975acdb359b4.tar.gz",
"url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5611dd61df02e0bc5d62bb3f5388821d8854faff.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"agenix": {
@ -41,10 +41,10 @@
"homepage": "https://nyx.chaotic.cx",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "371ba355dfb49d6c047525d078ee58b65f03e334",
"sha256": "195p4mzisa9vxmzlh3yr2whb4h4wh5zxk4wcs3dp7drdai6ysfxl",
"rev": "d73c548a001f367048d4f22cf2ae626cd2002503",
"sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx",
"type": "tarball",
"url": "https://github.com/chaotic-cx/nyx/archive/371ba355dfb49d6c047525d078ee58b65f03e334.tar.gz",
"url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"glibc-eac": {
@ -68,7 +68,7 @@
"lix-pkg": {
"branch": "main",
"repo": "https://git.lix.systems/lix-project/lix.git",
"rev": "5df2cccc4956e53b56ba1613e36d64dc8057c508",
"rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427",
"type": "git"
},
"nixos-mailserver": {
@ -95,10 +95,10 @@
"homepage": null,
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
"sha256": "06187qzdapb6ghymwvzcv02bxbw7h1v6r4aywjg86b6i2sy97s1l",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"sha256": "0p3ry8x72cl572fs1c47h9y3s045p4aq71wpblzdi4dfqx3z2i7m",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/bc947f541ae55e999ffdb4013441347d83b00feb.tar.gz",
"url": "https://github.com/NixOS/nixpkgs/archive/5633bcff0c6162b9e4b5f1264264611e950c8ec7.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"ranger_udisk_menu": {