diff --git a/common/tooling/opensnitch/block_lists.nix b/common/tooling/opensnitch/block_lists.nix
new file mode 100644
index 0000000..0cc31dc
--- /dev/null
+++ b/common/tooling/opensnitch/block_lists.nix
@@ -0,0 +1,26 @@
+{ stdenv, fetchFromGitHub, lib }:
+stdenv.mkDerivation rec {
+ pname = "stevenblack_block";
+ version = "3.14.116";
+
+ src = fetchFromGitHub {
+ owner = "StevenBlack";
+ repo = "hosts";
+ rev = version;
+ hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o=";
+ };
+
+ installPhase = ''
+ mkdir $out
+ # cp $src/hosts $out/hosts.list
+ grep 0\.0\.0\.0 $src/hosts > $out/hosts.list
+ '';
+
+ meta = {
+ description = "Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.";
+ homepage = "https://github.com/StevenBlack/hosts";
+ license = lib.licenses.mit;
+ maintainers = with lib.maintainers; [ grimmauld ];
+ platforms = lib.platforms.all;
+ };
+}
diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix
index ce4337e..e16c798 100644
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@@ -57,6 +57,18 @@ in
 };
 };
 
+ block-list = {
+ name = "block-list";
+ action = "deny";
+ enabled = true;
+ duration = "always";
+ operator = {
+ type = "lists";
+ operand = "lists.domains";
+ data = pkgs.callPackage ./block_lists.nix {};
+ };
+ };
+
 nsncd = mkIf (config.services.nscd.enableNsncd) {
 name = "nsncd-dns";
 enabled = true;
@@ -91,6 +103,20 @@ in
 };
 };
 
+ localhost = {
+ name = "localhost";
+ enabled = true;
+ action = "allow";
+ duration = "always";
+ precedence = true;
+ operator = {
+ type ="regexp";
+ sensitive = false;
+ operand = "dest.ip";
+ data = "^(127\\.0\\.0\\.1|::1)$";
+ };
+ };
+
 spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
 name = "spotify-deny";
 enabled = true;
diff --git a/nix/sources.json b/nix/sources.json
index 2880798..e344d51 100644
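Review bot: The filter in installPhase, `grep 0\.0\.0\.0 $src/hosts`, is unquoted, so the shell strips the backslashes and grep receives the unanchored pattern `0.0.0.0` in which every `.` matches any character; it also passes through any line that merely contains the sink address anywhere (a placeholder entry or a comment mentioning it), not only real block entries. Quote and anchor it, `grep '^0\.0\.0\.0[[:space:]]' $src/hosts > $out/hosts.list`, so only sink-prefixed host entries reach hosts.list — grep's non-zero exit on zero matches still fails the build, which is the right outcome for a pinned list that is about to become a firewall deny list. The commented-out `# cp $src/hosts $out/hosts.list` line above it is dead code and should be removed rather than left as a hint. `maintainers = with lib.maintainers; [ grimmauld ]` only evaluates if that name exists in lib.maintainers; if it does not, drop the attribute or define the maintainer locally.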
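Review bot: The new block-list deny rule sets no `precedence`, unlike the localhost rule added later in the same file, so — as far as I understand OpenSnitch's rule ordering (precedence rules first, the rest by name) — an allow rule that sorts before "block-list" and matches the same connection would override the list. If listed domains are meant to be denied unconditionally, add `precedence = true;` next to `duration = "always";`. A one-line comment on `data = pkgs.callPackage ./block_lists.nix {};` saying that the derivation's store path is handed to OpenSnitch as the directory of hosts-format list files would save the next reader a trip into block_lists.nix. The enclosing attribute set starts and ends outside the hunk.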
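Review bot: `type ="regexp";` is missing the space after `=` that every other assignment in this hunk has; write `type = "regexp";`. The pattern `^(127\\.0\\.0\\.1|::1)$` on `dest.ip` matches exactly one IPv4 and one IPv6 address and nothing else in 127.0.0.0/8, which is fine if intended, but since this rule carries `precedence = true` and so is checked ahead of the deny rules, a short comment such as `# loopback only; evaluated before the deny rules` would make the scope explicit. `sensitive = false` has no effect on a pattern with no letters and can be dropped. The enclosing attribute set starts and ends outside the hunk.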
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -41,10 +41,10 @@
 "homepage": "https://nyx.chaotic.cx",
 "owner": "chaotic-cx",
 "repo": "nyx",
- "rev": "25f420d9cf70929455ba14642b92ae715ae8d792",
- "sha256": "00llpxbblf9v6s6sc8p4gppf1knmqb2mlp5040clwr4rfih7kjrs",
+ "rev": "371ba355dfb49d6c047525d078ee58b65f03e334",
+ "sha256": "195p4mzisa9vxmzlh3yr2whb4h4wh5zxk4wcs3dp7drdai6ysfxl",
 "type": "tarball",
- "url": "https://github.com/chaotic-cx/nyx/archive/25f420d9cf70929455ba14642b92ae715ae8d792.tar.gz",
+ "url": "https://github.com/chaotic-cx/nyx/archive/371ba355dfb49d6c047525d078ee58b65f03e334.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "glibc-eac": {
@@ -68,7 +68,7 @@
 "lix-pkg": {
 "branch": "main",
 "repo": "https://git.lix.systems/lix-project/lix.git",
- "rev": "775292766025380d04004e42fefbdb8ca40b3fa3",
+ "rev": "5df2cccc4956e53b56ba1613e36d64dc8057c508",
 "type": "git"
 },
 "nixos-mailserver": {
@@ -95,10 +95,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "27e30d177e57d912d614c88c622dcfdb2e6e6515",
- "sha256": "1fvwlz931dvlx4anz7wk3ny33650a292bj4fdj41glckjcfkvzqw",
+ "rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
+ "sha256": "06187qzdapb6ghymwvzcv02bxbw7h1v6r4aywjg86b6i2sy97s1l",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/27e30d177e57d912d614c88c622dcfdb2e6e6515.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/bc947f541ae55e999ffdb4013441347d83b00feb.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "ranger_udisk_menu": {