Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

split opensnitch rules

Browse source
This commit is contained in:
Grimmauld 2025-01-27 11:04:23 +01:00
parent faf2aadd23
commit 856713a61b
No known key found for this signature in database
11 changed files with 831 additions and 1302 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

92
hardening/opensnitch/cups.nix Normal file
View file

@ -0,0 +1,92 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
concatLines
getExe'
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353|53";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "53|631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
};
};
}

662
hardening/opensnitch/default.nix
View file

@ -13,33 +13,24 @@ let
; ;
inherit (lib) inherit (lib)
optional optional
getBin
getExe
concatLines
getExe'
escapeRegex
getVersion
mkIf mkIf
filter
split
strings
concatStringsSep
length
isString
; ;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in in
{ {
imports = [
./vesktop.nix
./nix.nix
./spotify.nix
./global.nix
./time.nix
./osu.nix
./cups.nix
./network_support.nix
./firefox.nix
./tooling.nix
];
config = mkIf (enable && tooling.enable && network) { config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui; environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
@ -58,633 +49,6 @@ in
ProcMonitorMethod = "ftrace"; ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit"; # ProcMonitorMethod = "audit";
}; };
rules = {
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
block-list = {
name = "block-list";
action = "deny";
enabled = true;
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
};
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
}
{
type = "simple";
operand = "dest.port";
data = "53";
}
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
operand = "user.id";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
vesktop_deny = mkIf (graphical) {
name = "vesktop-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
vesktop_allow = mkIf (graphical) {
name = "vesktop-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf (graphical) {
name = "vesktop-daemon-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf (graphical) {
name = "vesktop-daemon-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353|53";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "53|631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37|53";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
nextcloud = mkIf (false) {
# config.grimmShared.cloudSync.enable
name = "nextcloud";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data =
let
l = (filter isString (split "\\." config.grimmShared.cloudSync.server));
in
(strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
];
};
};
};
}; };
}; };
} }

54
hardening/opensnitch/firefox.nix Normal file
View file

@ -0,0 +1,54 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getBin
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
};
};
}

62
hardening/opensnitch/global.nix Normal file
View file

@ -0,0 +1,62 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib) mkIf;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
block-list = {
name = "block-list";
action = "deny";
enabled = true;
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
};
};
}

100
hardening/opensnitch/network_support.nix Normal file
View file

@ -0,0 +1,100 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
concatLines
getExe'
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
nsncd = mkIf (config.services.nscd.enableNsncd) {
name = "nsncd-dns";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
}
{
type = "simple";
operand = "dest.port";
data = "53";
}
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
operand = "user.id";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
};
};
}

87
hardening/opensnitch/nix.nix Normal file
View file

@ -0,0 +1,87 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
getExe'
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};
};
};
}

73
hardening/opensnitch/osu.nix Normal file
View file

@ -0,0 +1,73 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
escapeRegex
getVersion
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
};
};
}

135
hardening/opensnitch/spotify.nix Normal file
View file

@ -0,0 +1,135 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
concatLines
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
};
};
}

60
hardening/opensnitch/time.nix Normal file
View file

@ -0,0 +1,60 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37|53";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
};
};
}

52
hardening/opensnitch/tooling.nix Normal file
View file

@ -0,0 +1,52 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
};
};
}

756
hardening/opensnitch/vesktop.nix
View file

@ -12,679 +12,129 @@ let
network network
; ;
inherit (lib) inherit (lib)
optional
getBin
getExe
concatLines
getExe'
escapeRegex escapeRegex
getVersion getVersion
mkIf mkIf
filter
split
strings
concatStringsSep
length
isString
; ;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00"; created = "1970-01-01T00:00:00.0+00:00";
in in
{ {
config = mkIf (enable && tooling.enable && network) { config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui; services.opensnitch.rules = {
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true; vesktop_deny = mkIf graphical {
systemd.services.opensnitchd.path = lib.optional ( name = "vesktop-deny";
config.services.opensnitch.settings.ProcMonitorMethod == "audit" enabled = true;
) pkgs.audit.bin; action = "deny";
precedence = false;
services.opensnitch = { duration = "always";
enable = true; inherit created;
settings = { operator = {
DefaultAction = "deny"; type = "regexp";
Firewall = if config.networking.nftables.enable then "nftables" else "iptables"; sensitive = false;
ProcMonitorMethod = "ftrace"; operand = "process.command";
# ProcMonitorMethod = "audit"; data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
}; };
rules = { vesktop_allow = mkIf graphical {
firefox = name = "vesktop-allow";
let enabled = true;
cfg = config.programs.firefox; action = "allow";
pkg = ( precedence = true;
cfg.package.override (old: { duration = "always";
extraPrefsFiles = inherit created;
old.extraPrefsFiles or [ ] operator = {
++ cfg.autoConfigFiles type = "list";
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ]; operand = "list";
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages; list = [
cfg = (old.cfg or { }) // cfg.wrapperConfig; {
}) type = "regexp";
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false; sensitive = false;
operand = "process.path"; operand = "process.command";
data = "${getBin pkg}/lib/firefox/firefox"; data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}; }
}; {
type = "lists";
block-list = { operand = "lists.domains_regexp";
name = "block-list"; data = ./discord_hosts;
action = "deny"; }
enabled = true; ];
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
}; };
};
git = { vesktop_daemon_allow_udp = mkIf graphical {
name = "git-allow-all"; name = "vesktop-allow-udp";
enabled = true; enabled = true;
action = "allow"; action = "allow";
duration = "always"; precedence = true;
inherit created; duration = "always";
operator = { inherit created;
type = "regexp"; operator = {
sensitive = false; type = "list";
operand = "process.path"; operand = "list";
data = "${lib.escapeRegex pkgs.git.outPath}/.*"; list = [
}; {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
}; };
};
ssh = { vesktop_daemon_deny = mkIf graphical {
name = "ssh-allow-all"; name = "vesktop-daemon-deny";
enabled = true; enabled = true;
action = "allow"; action = "deny";
duration = "always"; precedence = false;
inherit created; duration = "always";
operator = { inherit created;
type = "regexp"; operator = {
sensitive = false; type = "regexp";
operand = "process.path"; sensitive = false;
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*"; operand = "process.command";
}; data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}; };
};
nsncd = mkIf (config.services.nscd.enableNsncd) { vesktop_daemon_allow = mkIf graphical {
name = "nsncd-dns"; name = "vesktop-daemon-allow";
enabled = true; enabled = true;
action = "allow"; action = "allow";
duration = "always"; precedence = true;
inherit created; duration = "always";
operator = { inherit created;
type = "list"; operator = {
operand = "list"; type = "list";
list = [ operand = "list";
{ list = [
type = "simple"; {
sensitive = false; type = "regexp";
operand = "process.path"; sensitive = false;
data = getExe pkgs.nsncd; operand = "process.command";
} data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
{ }
type = "simple"; {
operand = "dest.port"; type = "lists";
data = "53"; operand = "lists.domains_regexp";
} data = ./discord_hosts;
{ }
type = "lists"; ];
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
operand = "user.id";
data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
}
];
};
};
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
vesktop_deny = mkIf (graphical) {
name = "vesktop-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
vesktop_allow = mkIf (graphical) {
name = "vesktop-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf (graphical) {
name = "vesktop-daemon-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf (graphical) {
name = "vesktop-daemon-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353|53";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "53|631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37|53";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
nextcloud = mkIf (false) {
# config.grimmShared.cloudSync.enable
name = "nextcloud";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data =
let
l = (filter isString (split "\\." config.grimmShared.cloudSync.server));
in
(strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type = "regexp";
operand = "dest.port";
data = "443|53";
}
];
};
}; };
}; };
}; };
}; };
} }