steve black host blocklist

2024-10-05 18:51:24 +02:00 · 2024-10-05 18:51:24 +02:00 · 8749f5c254
commit 8749f5c254
parent 0b73857ec4
3 changed files with 59 additions and 7 deletions
--- a/common/tooling/opensnitch/block_lists.nix
+++ b/common/tooling/opensnitch/block_lists.nix
@ -0,0 +1,26 @@
+{ stdenv, fetchFromGitHub, lib }:
+stdenv.mkDerivation rec {
+  pname = "stevenblack_block";
+  version = "3.14.116";
+  
+  src = fetchFromGitHub {
+    owner = "StevenBlack";
+    repo = "hosts";
+    rev = version;
+    hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o=";
+  };
+
+  installPhase = ''
+    mkdir $out
+    # cp $src/hosts $out/hosts.list
+    grep 0\.0\.0\.0 $src/hosts > $out/hosts.list
+  '';
+
+  meta = {
+    description = "Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.";
+    homepage = "https://github.com/StevenBlack/hosts";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ grimmauld ];
+    platforms = lib.platforms.all;
+  };
+}
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@ -57,6 +57,18 @@ in
          };
        };

+        block-list = {
+          name = "block-list";
+          action = "deny";
+          enabled = true;
+          duration = "always";
+          operator = {
+            type = "lists";
+            operand = "lists.domains";
+            data = pkgs.callPackage ./block_lists.nix {};
+          };
+        };
+
        nsncd = mkIf (config.services.nscd.enableNsncd) {
          name = "nsncd-dns";
          enabled = true;
@ -91,6 +103,20 @@ in
          };
        };

+        localhost = {
+          name = "localhost";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          precedence = true;
+          operator = {
+            type ="regexp";
+            sensitive = false;
+            operand = "dest.ip";
+            data = "^(127\\.0\\.0\\.1|::1)$";
+          };
+        };
+
        spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-deny";
          enabled = true;
--- a/nix/sources.json
+++ b/nix/sources.json
@ -41,10 +41,10 @@
        "homepage": "https://nyx.chaotic.cx",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "25f420d9cf70929455ba14642b92ae715ae8d792",
-        "sha256": "00llpxbblf9v6s6sc8p4gppf1knmqb2mlp5040clwr4rfih7kjrs",
+        "rev": "371ba355dfb49d6c047525d078ee58b65f03e334",
+        "sha256": "195p4mzisa9vxmzlh3yr2whb4h4wh5zxk4wcs3dp7drdai6ysfxl",
        "type": "tarball",
-        "url": "https://github.com/chaotic-cx/nyx/archive/25f420d9cf70929455ba14642b92ae715ae8d792.tar.gz",
+        "url": "https://github.com/chaotic-cx/nyx/archive/371ba355dfb49d6c047525d078ee58b65f03e334.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "glibc-eac": {
@ -68,7 +68,7 @@
    "lix-pkg": {
        "branch": "main",
        "repo": "https://git.lix.systems/lix-project/lix.git",
-        "rev": "775292766025380d04004e42fefbdb8ca40b3fa3",
+        "rev": "5df2cccc4956e53b56ba1613e36d64dc8057c508",
        "type": "git"
    },
    "nixos-mailserver": {
@ -95,10 +95,10 @@
        "homepage": null,
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "27e30d177e57d912d614c88c622dcfdb2e6e6515",
-        "sha256": "1fvwlz931dvlx4anz7wk3ny33650a292bj4fdj41glckjcfkvzqw",
+        "rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
+        "sha256": "06187qzdapb6ghymwvzcv02bxbw7h1v6r4aywjg86b6i2sy97s1l",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/27e30d177e57d912d614c88c622dcfdb2e6e6515.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/bc947f541ae55e999ffdb4013441347d83b00feb.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "ranger_udisk_menu": {