fix up some opensnitch rules
This commit is contained in:
parent
96d240c517
commit
76efedce92
@ -5,7 +5,7 @@
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.grimmShared) enable tooling graphical;
|
||||
inherit (config.grimmShared) enable tooling graphical network;
|
||||
inherit (lib)
|
||||
optional
|
||||
getBin
|
||||
@ -15,13 +15,20 @@ let
|
||||
escapeRegex
|
||||
getVersion
|
||||
mkIf
|
||||
|
||||
filter
|
||||
split
|
||||
strings
|
||||
concatStringsSep
|
||||
length
|
||||
isString
|
||||
;
|
||||
|
||||
local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
|
||||
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
|
||||
in
|
||||
{
|
||||
config = mkIf (enable && tooling.enable) {
|
||||
config = mkIf (enable && tooling.enable && network) {
|
||||
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
|
||||
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
|
||||
|
||||
@ -157,9 +164,9 @@ in
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type = "simple";
|
||||
type = "regexp";
|
||||
operand = "dest.port";
|
||||
data = "443";
|
||||
data = "443|53";
|
||||
}
|
||||
{
|
||||
type ="regexp";
|
||||
@ -359,9 +366,9 @@ in
|
||||
data = getExe' config.services.avahi.package "avahi-daemon";
|
||||
}
|
||||
{
|
||||
type = "simple";
|
||||
type = "regexp";
|
||||
operand = "dest.port";
|
||||
data = "5353";
|
||||
data = "5353|53";
|
||||
}
|
||||
{
|
||||
type = "simple";
|
||||
@ -372,6 +379,48 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
icmp = {
|
||||
name = "icmp";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type ="regexp";
|
||||
operand = "protocol";
|
||||
sensitive = false;
|
||||
data = "icmp(4|6)?";
|
||||
};
|
||||
};
|
||||
|
||||
network-manager = mkIf (config.networking.networkmanager.enable) {
|
||||
name = "network-manager";
|
||||
enabled = true;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "list";
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = getExe' pkgs.networkmanager "networkmanager";
|
||||
}
|
||||
{
|
||||
type ="simple";
|
||||
operand = "dest.port";
|
||||
data = "547";
|
||||
}
|
||||
# {
|
||||
# type ="simple";
|
||||
# operand = "dest.network";
|
||||
# data = "ff02::1:2";
|
||||
# }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
cups-filters = mkIf (config.services.printing.enable) {
|
||||
name = "cups-filters";
|
||||
enabled = true;
|
||||
@ -385,12 +434,12 @@ in
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = lib.getExe' pkgs.cups-filters "cups-browsed";
|
||||
data = getExe' pkgs.cups-filters "cups-browsed";
|
||||
}
|
||||
{
|
||||
type ="regexp";
|
||||
operand = "dest.port";
|
||||
data = "53";
|
||||
data = "53|631";
|
||||
}
|
||||
{
|
||||
type = "lists";
|
||||
@ -441,10 +490,28 @@ in
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "list";
|
||||
operand = "list";
|
||||
list = [
|
||||
{
|
||||
type ="simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
|
||||
}
|
||||
{
|
||||
type = "regexp";
|
||||
sensitive = false;
|
||||
operand = "dest.host";
|
||||
data = let l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); in (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
|
||||
# config.grimmShared.cloudSync.server;
|
||||
}
|
||||
{
|
||||
type ="regexp";
|
||||
operand = "dest.port";
|
||||
data = "443|53";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
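Review bot: The regexp port operators in this section are unanchored (`data = "443|53";` in the nextcloud-client rule, and likewise `"443|53"`, `"5353|53"` and `"53|631"` in the earlier hunks), so unless opensnitch anchors regexp operands itself they also match ports such as 8443, 5353 or 53000; anchoring them, e.g. `data = "^(443|53)$";`, keeps each allow rule to the ports it names. The constructed `dest.host` pattern has the same problem, and because its optional groups collapse to the bare top-level label it matches any host name containing that suffix; wrapping the expression as `"^(" + ... + ")$"` fixes the anchoring, and it is worth a comment stating whether the parent-domain fallbacks are meant to be allowed at all. The new `icmp` rule carries only a `protocol` operand, so it allows ICMP for every process, always; if that is intended, a one-line comment saying so would save the next reader from reading it as an oversight. The enclosing attribute set begins before the first hunk and is not fully visible here.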
@ -5,10 +5,10 @@
|
||||
"homepage": null,
|
||||
"owner": "ezKEa",
|
||||
"repo": "aagl-gtk-on-nix",
|
||||
"rev": "7f7b8a654dac5117db22b97a01d3975acdb359b4",
|
||||
"sha256": "18prm208issqgfikgahv2xr0hzwkghl2sj3y8aj2xi5x1j4id3sl",
|
||||
"rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
|
||||
"sha256": "1v9jk4j0zylx3ixwk5q8z22v6ir86pk9lfbf5q3ibgaggpf8kqa7",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/7f7b8a654dac5117db22b97a01d3975acdb359b4.tar.gz",
|
||||
"url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5611dd61df02e0bc5d62bb3f5388821d8854faff.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"agenix": {
|
||||
@ -41,10 +41,10 @@
|
||||
"homepage": "https://nyx.chaotic.cx",
|
||||
"owner": "chaotic-cx",
|
||||
"repo": "nyx",
|
||||
"rev": "371ba355dfb49d6c047525d078ee58b65f03e334",
|
||||
"sha256": "195p4mzisa9vxmzlh3yr2whb4h4wh5zxk4wcs3dp7drdai6ysfxl",
|
||||
"rev": "d73c548a001f367048d4f22cf2ae626cd2002503",
|
||||
"sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/chaotic-cx/nyx/archive/371ba355dfb49d6c047525d078ee58b65f03e334.tar.gz",
|
||||
"url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"glibc-eac": {
|
||||
@ -68,7 +68,7 @@
|
||||
"lix-pkg": {
|
||||
"branch": "main",
|
||||
"repo": "https://git.lix.systems/lix-project/lix.git",
|
||||
"rev": "5df2cccc4956e53b56ba1613e36d64dc8057c508",
|
||||
"rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427",
|
||||
"type": "git"
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
@ -95,10 +95,10 @@
|
||||
"homepage": null,
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
|
||||
"sha256": "06187qzdapb6ghymwvzcv02bxbw7h1v6r4aywjg86b6i2sy97s1l",
|
||||
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
|
||||
"sha256": "0p3ry8x72cl572fs1c47h9y3s045p4aq71wpblzdi4dfqx3z2i7m",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/bc947f541ae55e999ffdb4013441347d83b00feb.tar.gz",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/5633bcff0c6162b9e4b5f1264264611e950c8ec7.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"ranger_udisk_menu": {
|
||||
|