diff --git a/hardening/opensnitch/cups.nix b/hardening/opensnitch/cups.nix new file mode 100644 index 0000000..a54d9cc --- /dev/null +++ b/hardening/opensnitch/cups.nix @@ -0,0 +1,92 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + concatLines + getExe' + mkIf + ; + + local_network = [ + "192.168.0.0/16" + "10.0.0.0/8" + "172.16.0.0/12" + "fc00::/7" + ]; + local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + avahi = mkIf (config.services.avahi.enable) { + name = "avahi"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' config.services.avahi.package "avahi-daemon"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "5353|53"; + } + { + type = "simple"; + operand = "user.id"; + data = "996"; + } + ]; + }; + }; + cups-filters = mkIf (config.services.printing.enable) { + name = "cups-filters"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.cups-filters "cups-browsed"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|631|80"; + } + { + type = "lists"; + operand = "lists.nets"; + data = local_ips; + } + ]; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix index 8c9f30b..5126bd0 100644 --- a/hardening/opensnitch/default.nix +++ b/hardening/opensnitch/default.nix 
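Review bot: The `dest.port` regexps `5353|53` (avahi) and `53|631|80` (cups-filters) are unanchored; if opensnitch's regexp operator uses substring matching (Go `MatchString` semantics), they also accept ports such as 5300, 8053 or 6310, which widens an allow rule well beyond the three ports intended. Anchor them: `data = "^(53|5353)$";` and `data = "^(53|631|80)$";`. The same unanchored form appears in network_support.nix (`547|67`), nix.nix (`53|443` and the `dest.host` pattern), osu.nix (`443|53`), spotify.nix (`443|4070`) and time.nix (`123|37|53`). Separately, the avahi rule hard-codes `user.id` `996` while the nsncd rule in network_support.nix reads the uid from `config.users.users.nscd.uid` with a fallback; `data = toString (lib.defaultTo 996 config.users.users.avahi.uid);` would keep the two consistent and survive a uid reallocation.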
@@ -13,33 +13,24 @@ let ; inherit (lib) optional - getBin - getExe - concatLines - getExe' - escapeRegex - getVersion mkIf - - filter - split - strings - concatStringsSep - length - isString ; - local_network = [ - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" - "fc00::/7" - ]; - local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); - - created = "1970-01-01T00:00:00.0+00:00"; in { + imports = [ + ./vesktop.nix + ./nix.nix + ./spotify.nix + ./global.nix + ./time.nix + ./osu.nix + ./cups.nix + ./network_support.nix + ./firefox.nix + ./tooling.nix + ]; + config = mkIf (enable && tooling.enable && network) { environment.systemPackages = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; 
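Review bot: The `local_network`, `local_ips` and `created` bindings removed from this `let` block are now re-declared verbatim in cups.nix, spotify.nix and network_support.nix (and `created` in every new module), so a later change to the private-range list in one file will silently diverge from the others. Consider keeping them in one place — a small `common.nix` imported by each module, or an option under `grimmShared` — and having the rule modules reference that. The new `imports` list itself appears complete against the files added in this commit.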
@@ -58,633 +49,6 @@ in ProcMonitorMethod = "ftrace"; # ProcMonitorMethod = "audit"; }; - - rules = { - firefox = - let - cfg = config.programs.firefox; - pkg = ( - cfg.package.override (old: { - extraPrefsFiles = - old.extraPrefsFiles or [ ] - ++ cfg.autoConfigFiles - ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ]; - nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages; - cfg = (old.cfg or { }) // cfg.wrapperConfig; - }) - ); - in - # pkg = pkgs.firefox-unwrapped; - mkIf (config.programs.firefox.enable) { - name = "firefox"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${getBin pkg}/lib/firefox/firefox"; - }; - }; - - block-list = { - name = "block-list"; - action = "deny"; - enabled = true; - duration = "always"; - inherit created; - operator = { - type = "lists"; - operand = "lists.domains"; - data = pkgs.callPackage ./block_lists.nix { }; - }; - }; - - git = { - name = "git-allow-all"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "${lib.escapeRegex pkgs.git.outPath}/.*"; - }; - }; - - ssh = { - name = "ssh-allow-all"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "${lib.escapeRegex pkgs.openssh.outPath}/.*"; - }; - }; - - nsncd = mkIf (config.services.nscd.enableNsncd) { - name = "nsncd-dns"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe pkgs.nsncd; - } - { - type = "simple"; - operand = "dest.port"; - data = "53"; - } - { - type = "lists"; - operand = 
"lists.nets"; - data = pkgs.writeTextDir "cidr_dns.list" ( - concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network) - ); - } - { - type = "simple"; - operand = "user.id"; - data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid); - } - ]; - }; - }; - - nix-index = { - name = "nix-index"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.nix-index-unwrapped "nix-index"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "53|443"; - } - { - type = "simple"; - sensitive = false; - operand = "dest.host"; - data = "cache.nixos.org"; - } - - ]; - }; - }; - - nix = { - name = "nix"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe config.nix.package; - } - { - type = "regexp"; - operand = "dest.port"; - data = "53|443"; - } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = "(channels|cache)\\.nixos\\.org"; - } - - ]; - }; - }; - - localhost = { - name = "localhost"; - enabled = true; - action = "allow"; - duration = "always"; - precedence = true; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "dest.ip"; - data = "^(127\\.0\\.0\\.1|::1)$"; - }; - }; - - spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) { - name = "spotify-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; - }; - }; - - osu_deny = mkIf (config.grimmShared.gaming && graphical) { - name = "osu-deny"; - 
enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; - }; - }; - - osu_allow = mkIf (config.grimmShared.gaming && graphical) { - name = "osu-allow"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - operand = "dest.port"; - data = "443|53"; - } - { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; - } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = "(api\.github\.com)|((.+\.)?ppy\.sh)"; - } - ]; - }; - }; - - ncspot = mkIf (config.grimmShared.spotify.enable) { - name = "ncspot"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - operand = "dest.port"; - data = "443|4070"; - } - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = lib.getExe pkgs.ncspot; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./spotify_hosts; - } - ]; - }; - }; - - spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) { - name = "spotify-allow"; - enabled = true; - action = "allow"; - duration = "always"; - precedence = true; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - operand = "dest.port"; - data = "443|4070"; - } - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; - } - { - type = "lists"; - operand = 
"lists.domains_regexp"; - data = ./spotify_hosts; - } - ]; - }; - }; - - spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) { - name = "spotify-allow-local"; - enabled = true; - action = "allow"; - duration = "always"; - precedence = true; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; - } - { - type = "lists"; - operand = "lists.nets"; - data = local_ips; - } - ]; - }; - }; - - vesktop_deny = mkIf (graphical) { - name = "vesktop-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; - }; - }; - - vesktop_allow = mkIf (graphical) { - name = "vesktop-allow"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./discord_hosts; - } - ]; - }; - }; - - vesktop_daemon_allow_udp = mkIf graphical { - name = "vesktop-allow-udp"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = 
"/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; - } - { - type = "simple"; - operand = "protocol"; - data = "udp"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "500[0-9]{2}"; - } - ]; - }; - }; - - vesktop_daemon_deny = mkIf (graphical) { - name = "vesktop-daemon-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; - }; - }; - - vesktop_daemon_allow = mkIf (graphical) { - name = "vesktop-daemon-allow"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./discord_hosts; - } - ]; - }; - }; - - avahi = mkIf (config.services.avahi.enable) { - name = "avahi"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' config.services.avahi.package "avahi-daemon"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "5353|53"; - } - { - type = "simple"; 
- operand = "user.id"; - data = "996"; - } - ]; - }; - }; - - icmp = { - name = "icmp"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - operand = "protocol"; - sensitive = false; - data = "icmp(4|6)?"; - }; - }; - - network-manager = mkIf (config.networking.networkmanager.enable) { - name = "network-manager"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.networkmanager "networkmanager"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "547|67"; - } - # { - # type ="simple"; - # operand = "dest.network"; - # data = "ff02::1:2"; - # } - ]; - }; - }; - - cups-filters = mkIf (config.services.printing.enable) { - name = "cups-filters"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.cups-filters "cups-browsed"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "53|631|80"; - } - { - type = "lists"; - operand = "lists.nets"; - data = local_ips; - } - ]; - }; - }; - - systemd-timesyncd = mkIf (config.services.timesyncd.enable) { - name = "systemd-timesyncd"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "123|37|53"; - } - # { - # type = "regexp"; - # sensitive = false; - # operand = "dest.host"; - # data = ".*\.nixos\.pool\.ntp\.org"; - # } - { - type = "simple"; - operand = "user.id"; - data = "154"; - } - ]; - }; - 
}; - - nextcloud = mkIf (false) { - # config.grimmShared.cloudSync.enable - name = "nextcloud"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped"; - } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = - let - l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); - in - (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l); - # config.grimmShared.cloudSync.server; - } - { - type = "regexp"; - operand = "dest.port"; - data = "443|53"; - } - ]; - }; - }; - }; }; }; } diff --git a/hardening/opensnitch/firefox.nix b/hardening/opensnitch/firefox.nix new file mode 100644 index 0000000..19d6fd1 --- /dev/null +++ b/hardening/opensnitch/firefox.nix @@ -0,0 +1,54 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + getBin + mkIf + ; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + firefox = + let + cfg = config.programs.firefox; + pkg = ( + cfg.package.override (old: { + extraPrefsFiles = + old.extraPrefsFiles or [ ] + ++ cfg.autoConfigFiles + ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ]; + nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages; + cfg = (old.cfg or { }) // cfg.wrapperConfig; + }) + ); + in + # pkg = pkgs.firefox-unwrapped; + mkIf (config.programs.firefox.enable) { + name = "firefox"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${getBin pkg}/lib/firefox/firefox"; + }; + }; + + }; + }; +} 
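Review bot: `pkg` re-derives the wrapped Firefox by overriding `cfg.package` with the same arguments the NixOS module applies, so the computed store path only matches the installed binary for as long as this copy of the override stays identical to the module's; any drift makes `process.path` miss and, with `DefaultAction = "deny"`, Firefox loses network silently. If the NixOS release in use exposes `config.programs.firefox.finalPackage`, prefer `data = "${getBin config.programs.firefox.finalPackage}/lib/firefox/firefox";` and drop the local override. The stale `# pkg = pkgs.firefox-unwrapped;` comment can go as well.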
diff --git a/hardening/opensnitch/global.nix b/hardening/opensnitch/global.nix new file mode 100644 index 0000000..4760b64 --- /dev/null +++ b/hardening/opensnitch/global.nix @@ -0,0 +1,62 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) mkIf; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + + block-list = { + name = "block-list"; + action = "deny"; + enabled = true; + duration = "always"; + inherit created; + operator = { + type = "lists"; + operand = "lists.domains"; + data = pkgs.callPackage ./block_lists.nix { }; + }; + }; + localhost = { + name = "localhost"; + enabled = true; + action = "allow"; + duration = "always"; + precedence = true; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "dest.ip"; + data = "^(127\\.0\\.0\\.1|::1)$"; + }; + }; + icmp = { + name = "icmp"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + operand = "protocol"; + sensitive = false; + data = "icmp(4|6)?"; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/network_support.nix b/hardening/opensnitch/network_support.nix new file mode 100644 index 0000000..138c46c --- /dev/null +++ b/hardening/opensnitch/network_support.nix 
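Review bot: `block-list` is the only deny rule in this module and carries no `precedence`, so whether it wins over the broad allow rules in the sibling modules (firefox, git, ssh, which also lack `precedence`) depends on opensnitch's evaluation order rather than on an explicit choice; as far as I can tell precedence rules are checked first and the rest in name order, so it currently wins only because "block-list" sorts before "firefox". Making that explicit with `precedence = true;` on `block-list` keeps the domain blocklist effective regardless of how other rules are named. A one-line comment stating that the blocklist is meant to override the per-application allows would help the next reader.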
@@ -0,0 +1,100 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + getExe + concatLines + getExe' + mkIf + ; + + local_network = [ + "192.168.0.0/16" + "10.0.0.0/8" + "172.16.0.0/12" + "fc00::/7" + ]; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + nsncd = mkIf (config.services.nscd.enableNsncd) { + name = "nsncd-dns"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe pkgs.nsncd; + } + { + type = "simple"; + operand = "dest.port"; + data = "53"; + } + { + type = "lists"; + operand = "lists.nets"; + data = pkgs.writeTextDir "cidr_dns.list" ( + concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network) + ); + } + { + type = "simple"; + operand = "user.id"; + data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid); + } + ]; + }; + }; + network-manager = mkIf (config.networking.networkmanager.enable) { + name = "network-manager"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.networkmanager "networkmanager"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "547|67"; + } + # { + # type ="simple"; + # operand = "dest.network"; + # data = "ff02::1:2"; + # } + ]; + }; + }; + + }; + }; +} diff --git a/hardening/opensnitch/nix.nix b/hardening/opensnitch/nix.nix new file mode 100644 index 0000000..d5e7f70 --- /dev/null +++ b/hardening/opensnitch/nix.nix 
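Review bot: `getExe' pkgs.networkmanager "networkmanager"` builds a path to a binary that, as far as I know, the package does not ship — the daemon is `NetworkManager` (capitalised) — and `getExe'` does not check existence at evaluation time, so the `process.path` entry in the `network-manager` rule never matches and the DHCP ports (67, 547) are effectively never allowed; under `DefaultAction = "deny"` that shows up as broken DHCPv4/DHCPv6. Use `data = getExe' pkgs.networkmanager "NetworkManager";` after confirming where the package installs it. Depending on configuration NetworkManager may also delegate DHCP to a helper process, which this single path would not cover; worth a comment if that has been checked.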
@@ -0,0 +1,87 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + getExe + getExe' + mkIf + ; + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + nix-index = { + name = "nix-index"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.nix-index-unwrapped "nix-index"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|443"; + } + { + type = "simple"; + sensitive = false; + operand = "dest.host"; + data = "cache.nixos.org"; + } + ]; + }; + }; + + nix = { + name = "nix"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = getExe config.nix.package; + } + { + type = "regexp"; + operand = "dest.port"; + data = "53|443"; + } + { + type = "regexp"; + sensitive = false; + operand = "dest.host"; + data = "(channels|cache)\\.nixos\\.org"; + } + + ]; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/osu.nix b/hardening/opensnitch/osu.nix new file mode 100644 index 0000000..efe392d --- /dev/null +++ b/hardening/opensnitch/osu.nix 
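Review bot: The `nix` and `nix-index` rules hard-code `cache.nixos.org`/`channels.nixos.org`, so any additional binary cache configured through `config.nix.settings.substituters` is denied rather than allowed — a failure that looks like a broken cache rather than a firewall rule. Deriving the host list from that option (strip the scheme, apply `escapeRegex`, join with `|`, anchor as `^(...)$`) would keep the rule in sync with what the system actually fetches from. Until then, at least anchor the existing pattern: `data = "^(channels|cache)\\.nixos\\.org$";`.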
@@ -0,0 +1,73 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + graphical + network + ; + inherit (lib) + escapeRegex + getVersion + mkIf + ; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + osu_deny = mkIf (config.grimmShared.gaming && graphical) { + name = "osu-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; + }; + }; + + osu_allow = mkIf (config.grimmShared.gaming && graphical) { + name = "osu-allow"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + operand = "dest.port"; + data = "443|53"; + } + { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; + } + { + type = "regexp"; + sensitive = false; + operand = "dest.host"; + data = "(api\.github\.com)|((.+\.)?ppy\.sh)"; + } + ]; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/spotify.nix b/hardening/opensnitch/spotify.nix new file mode 100644 index 0000000..317d310 --- /dev/null +++ b/hardening/opensnitch/spotify.nix 
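Review bot: In the `osu_allow` `dest.host` regexp `(api\.github\.com)|((.+\.)?ppy\.sh)` the single backslashes are consumed by the Nix string lexer (an unrecognised escape yields the bare character), so opensnitch receives `(api.github.com)|((.+.)?ppy.sh)` where every `.` matches any character, and the pattern is unanchored. nix.nix already uses the correct `\\.` form; write `data = "^(api\\.github\\.com|(.+\\.)?ppy\\.sh)$";`. The vesktop.nix `process.command` regexps carry the same `\.config` escape issue, where `.config` ends up matching any character before `config`.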
@@ -0,0 +1,135 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + graphical + network + ; + inherit (lib) + concatLines + mkIf + ; + + local_network = [ + "192.168.0.0/16" + "10.0.0.0/8" + "172.16.0.0/12" + "fc00::/7" + ]; + local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + + spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) { + name = "spotify-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; + }; + }; + ncspot = mkIf (config.grimmShared.spotify.enable) { + name = "ncspot"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + operand = "dest.port"; + data = "443|4070"; + } + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = lib.getExe pkgs.ncspot; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./spotify_hosts; + } + ]; + }; + }; + + spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) { + name = "spotify-allow"; + enabled = true; + action = "allow"; + duration = "always"; + precedence = true; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + operand = "dest.port"; + data = "443|4070"; + } + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./spotify_hosts; + } + ]; + }; + }; + + spotify_allow_local = mkIf 
(config.grimmShared.spotify.enable && graphical) { + name = "spotify-allow-local"; + enabled = true; + action = "allow"; + duration = "always"; + precedence = true; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; + } + { + type = "lists"; + operand = "lists.nets"; + data = local_ips; + } + ]; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/time.nix b/hardening/opensnitch/time.nix new file mode 100644 index 0000000..33c2911 --- /dev/null +++ b/hardening/opensnitch/time.nix @@ -0,0 +1,60 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + mkIf + ; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + + systemd-timesyncd = mkIf (config.services.timesyncd.enable) { + name = "systemd-timesyncd"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; + } + { + type = "regexp"; + operand = "dest.port"; + data = "123|37|53"; + } + # { + # type = "regexp"; + # sensitive = false; + # operand = "dest.host"; + # data = ".*\.nixos\.pool\.ntp\.org"; + # } + { + type = "simple"; + operand = "user.id"; + data = "154"; + } + ]; + }; + }; + }; + }; +} diff --git a/hardening/opensnitch/tooling.nix b/hardening/opensnitch/tooling.nix new file mode 100644 index 0000000..3fb13c8 --- /dev/null +++ b/hardening/opensnitch/tooling.nix 
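Review bot: Style: this module inherits `concatLines` and `mkIf` from `lib` but then reaches for `lib.getBin` and `lib.getExe` by full path inside the same rules; adding `getBin getExe` to the `inherit (lib)` list keeps it consistent with the other new modules. On substance, `spotify_allow_local` permits any protocol and port to the entire RFC 1918/ULA range; if it exists for Spotify Connect discovery, a `dest.port` entry would narrow it, and a short comment stating why the rule is needed would help. `spotify_deny` at `precedence = false` relies on the three allow rules at `precedence = true` being evaluated first, which deserves a one-line comment as well.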
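Review bot: The `systemd-timesyncd` rule matches `${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd`, but the unit on a NixOS system runs the binary from `config.systemd.package`; if that is overridden or otherwise differs from `pkgs.systemd`, the path stops matching and NTP is silently denied. Use `data = "${lib.getBin config.systemd.package}/lib/systemd/systemd-timesyncd";`. The hard-coded uid `154` could likewise come from `config.ids.uids.systemd-timesync` if the NixOS release in use defines it, and port `37` (the legacy TIME protocol) is not used by timesyncd and can be dropped from the port list.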
@@ -0,0 +1,52 @@ +{ + pkgs, + config, + lib, + ... +}: +let + inherit (config.grimmShared) + enable + tooling + network + ; + inherit (lib) + mkIf + ; + + created = "1970-01-01T00:00:00.0+00:00"; +in +{ + config = mkIf (enable && tooling.enable && network) { + services.opensnitch.rules = { + git = { + name = "git-allow-all"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "${lib.escapeRegex pkgs.git.outPath}/.*"; + }; + }; + + ssh = { + name = "ssh-allow-all"; + enabled = true; + action = "allow"; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.path"; + data = "${lib.escapeRegex pkgs.openssh.outPath}/.*"; + }; + }; + + }; + }; +} diff --git a/hardening/opensnitch/vesktop.nix b/hardening/opensnitch/vesktop.nix index 8c9f30b..7da2e9e 100644 --- a/hardening/opensnitch/vesktop.nix +++ b/hardening/opensnitch/vesktop.nix 
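Review bot: `git-allow-all` and `ssh-allow-all` allow every destination and port for any binary under `pkgs.git.outPath`/`pkgs.openssh.outPath`, which turns these two process trees into a blanket exception to `DefaultAction = "deny"` — hooks, credential helpers and `git-remote-http` all inherit unrestricted egress. If the intent is only remote repository access, a `list` operator with an anchored `dest.port` entry such as `^(22|53|80|443|9418)$` alongside the existing `process.path` regexp would keep the rules useful without the blanket allow. The paths also point at `pkgs.git`/`pkgs.openssh` rather than the package options the system actually installs (`config.programs.git.package`, `config.programs.ssh.package`), so a package override would silently stop them from matching.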
@@ -12,679 +12,129 @@ let network ; inherit (lib) - optional - getBin - getExe - concatLines - getExe' escapeRegex getVersion mkIf - - filter - split - strings - concatStringsSep - length - isString ; - - local_network = [ - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" - "fc00::/7" - ]; - local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); - created = "1970-01-01T00:00:00.0+00:00"; in { config = mkIf (enable && tooling.enable && network) { - environment.systemPackages = optional graphical pkgs.opensnitch-ui; - grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; - networking.nftables.enable = true; + services.opensnitch.rules = { - # security.audit.enable = true; - systemd.services.opensnitchd.path = lib.optional ( - config.services.opensnitch.settings.ProcMonitorMethod == "audit" - ) pkgs.audit.bin; - - services.opensnitch = { - enable = true; - settings = { - DefaultAction = "deny"; - Firewall = if config.networking.nftables.enable then "nftables" else "iptables"; - ProcMonitorMethod = "ftrace"; - # ProcMonitorMethod = "audit"; + vesktop_deny = mkIf graphical { + name = "vesktop-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + }; }; - rules = { - firefox = - let - cfg = config.programs.firefox; - pkg = ( - cfg.package.override (old: { - extraPrefsFiles = - old.extraPrefsFiles or [ ] - ++ cfg.autoConfigFiles - ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ]; - nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages; - cfg = (old.cfg or { }) // cfg.wrapperConfig; - }) - ); - in - # pkg = pkgs.firefox-unwrapped; - mkIf 
(config.programs.firefox.enable) { - name = "firefox"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "simple"; + vesktop_allow = mkIf graphical { + name = "vesktop-allow"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; sensitive = false; - operand = "process.path"; - data = "${getBin pkg}/lib/firefox/firefox"; - }; - }; - - block-list = { - name = "block-list"; - action = "deny"; - enabled = true; - duration = "always"; - inherit created; - operator = { - type = "lists"; - operand = "lists.domains"; - data = pkgs.callPackage ./block_lists.nix { }; - }; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./discord_hosts; + } + ]; }; + }; - git = { - name = "git-allow-all"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "${lib.escapeRegex pkgs.git.outPath}/.*"; - }; + vesktop_daemon_allow_udp = mkIf graphical { + name = "vesktop-allow-udp"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + } + { + type = "simple"; + operand = "protocol"; + data = "udp"; + } + { + type = "regexp"; + operand = 
"dest.port"; + data = "500[0-9]{2}"; + } + ]; }; + }; - ssh = { - name = "ssh-allow-all"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "${lib.escapeRegex pkgs.openssh.outPath}/.*"; - }; + vesktop_daemon_deny = mkIf graphical { + name = "vesktop-daemon-deny"; + enabled = true; + action = "deny"; + precedence = false; + duration = "always"; + inherit created; + operator = { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; }; + }; - nsncd = mkIf (config.services.nscd.enableNsncd) { - name = "nsncd-dns"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe pkgs.nsncd; - } - { - type = "simple"; - operand = "dest.port"; - data = "53"; - } - { - type = "lists"; - operand = "lists.nets"; - data = pkgs.writeTextDir "cidr_dns.list" ( - concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network) - ); - } - { - type = "simple"; - operand = "user.id"; - data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid); - } - ]; - }; - }; - - nix-index = { - name = "nix-index"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.nix-index-unwrapped "nix-index"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "53|443"; - } - { - type = "simple"; - sensitive = false; - operand = "dest.host"; - data = 
"cache.nixos.org"; - } - - ]; - }; - }; - - nix = { - name = "nix"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe config.nix.package; - } - { - type = "regexp"; - operand = "dest.port"; - data = "53|443"; - } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = "(channels|cache)\\.nixos\\.org"; - } - - ]; - }; - }; - - localhost = { - name = "localhost"; - enabled = true; - action = "allow"; - duration = "always"; - precedence = true; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "dest.ip"; - data = "^(127\\.0\\.0\\.1|::1)$"; - }; - }; - - spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) { - name = "spotify-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; - }; - }; - - osu_deny = mkIf (config.grimmShared.gaming && graphical) { - name = "osu-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; - }; - }; - - osu_allow = mkIf (config.grimmShared.gaming && graphical) { - name = "osu-allow"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - operand = "dest.port"; - data = "443|53"; - } - { - type = "regexp"; - sensitive = false; - operand = "process.path"; - data = 
"/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!"; - } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = "(api\.github\.com)|((.+\.)?ppy\.sh)"; - } - ]; - }; - }; - - ncspot = mkIf (config.grimmShared.spotify.enable) { - name = "ncspot"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - operand = "dest.port"; - data = "443|4070"; - } - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = lib.getExe pkgs.ncspot; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./spotify_hosts; - } - ]; - }; - }; - - spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) { - name = "spotify-allow"; - enabled = true; - action = "allow"; - duration = "always"; - precedence = true; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - operand = "dest.port"; - data = "443|4070"; - } - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./spotify_hosts; - } - ]; - }; - }; - - spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) { - name = "spotify-allow-local"; - enabled = true; - action = "allow"; - duration = "always"; - precedence = true; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped"; - } - { - type = "lists"; - operand = "lists.nets"; - data = local_ips; - } - ]; - }; - }; - - vesktop_deny = mkIf (graphical) { - name = "vesktop-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - 
inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; - }; - }; - - vesktop_allow = mkIf (graphical) { - name = "vesktop-allow"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}"; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./discord_hosts; - } - ]; - }; - }; - - vesktop_daemon_allow_udp = mkIf graphical { - name = "vesktop-allow-udp"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; - } - { - type = "simple"; - operand = "protocol"; - data = "udp"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "500[0-9]{2}"; - } - ]; - }; - }; - - vesktop_daemon_deny = mkIf (graphical) { - name = "vesktop-daemon-deny"; - enabled = true; - action = "deny"; - precedence = false; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion 
pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; - }; - }; - - vesktop_daemon_allow = mkIf (graphical) { - name = "vesktop-daemon-allow"; - enabled = true; - action = "allow"; - precedence = true; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "regexp"; - sensitive = false; - operand = "process.command"; - data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; - } - { - type = "lists"; - operand = "lists.domains_regexp"; - data = ./discord_hosts; - } - ]; - }; - }; - - avahi = mkIf (config.services.avahi.enable) { - name = "avahi"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' config.services.avahi.package "avahi-daemon"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "5353|53"; - } - { - type = "simple"; - operand = "user.id"; - data = "996"; - } - ]; - }; - }; - - icmp = { - name = "icmp"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "regexp"; - operand = "protocol"; - sensitive = false; - data = "icmp(4|6)?"; - }; - }; - - network-manager = mkIf (config.networking.networkmanager.enable) { - name = "network-manager"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.networkmanager "networkmanager"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "547|67"; - } - # { 
- # type ="simple"; - # operand = "dest.network"; - # data = "ff02::1:2"; - # } - ]; - }; - }; - - cups-filters = mkIf (config.services.printing.enable) { - name = "cups-filters"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.cups-filters "cups-browsed"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "53|631|80"; - } - { - type = "lists"; - operand = "lists.nets"; - data = local_ips; - } - ]; - }; - }; - - systemd-timesyncd = mkIf (config.services.timesyncd.enable) { - name = "systemd-timesyncd"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; - } - { - type = "regexp"; - operand = "dest.port"; - data = "123|37|53"; - } - # { - # type = "regexp"; - # sensitive = false; - # operand = "dest.host"; - # data = ".*\.nixos\.pool\.ntp\.org"; - # } - { - type = "simple"; - operand = "user.id"; - data = "154"; - } - ]; - }; - }; - - nextcloud = mkIf (false) { - # config.grimmShared.cloudSync.enable - name = "nextcloud"; - enabled = true; - action = "allow"; - duration = "always"; - inherit created; - operator = { - type = "list"; - operand = "list"; - list = [ - { - type = "simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped"; - } - { - type = "regexp"; - sensitive = false; - operand = "dest.host"; - data = - let - l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); - in - (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" 
l); - # config.grimmShared.cloudSync.server; - } - { - type = "regexp"; - operand = "dest.port"; - data = "443|53"; - } - ]; - }; + vesktop_daemon_allow = mkIf graphical { + name = "vesktop-daemon-allow"; + enabled = true; + action = "allow"; + precedence = true; + duration = "always"; + inherit created; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type = "regexp"; + sensitive = false; + operand = "process.command"; + data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+"; + } + { + type = "lists"; + operand = "lists.domains_regexp"; + data = ./discord_hosts; + } + ]; }; }; }; + }; }
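Review bot: All four vesktop rules match only on `process.command`, i.e. the argv line a process reports about itself, and never on `process.path`, so the allow rules — in particular `vesktop-allow-udp`, which permits UDP to ports 50000–50099 at any destination — are not tied to the electron binary that is actually running. Each allow list should also carry a `process.path` entry in the same store-path form the file already uses (shown below for `vesktop_allow`; `vesktop_daemon_allow` and `vesktop_daemon_allow_udp` need the same), assuming the executable path equals the argv[0] the command regexp already expects — confirm against what opensnitch reports. Separately, Nix drops the backslash of an unrecognised escape such as `\.` in a double-quoted string, so the three `--user-data-dir=/home/.+/\.config/vesktop.+` patterns contain a wildcard where a literal dot was intended; write `\\.config`, as the removed nix rule did with `\\.nixos\\.org`. The file's argument header and the start of its `let` block lie above this hunk.
```nix
      vesktop_allow = mkIf graphical {
        # … unchanged: name, enabled, action, precedence, duration, created …
        operator = {
          type = "list";
          operand = "list";
          list = [
            {
              # Pin the rule to the binary itself; process.command alone is
              # whatever argv the process chose to report.
              type = "regexp";
              sensitive = false;
              operand = "process.path";
              data = "^/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron$";
            }
            # … unchanged: process.command entry and lists.domains_regexp entry …
          ];
        };
      };
```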