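{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling network;
  inherit (lib) getExe concatLines getExe' hasInfix mkIf;

  # RFC 1918 IPv4 ranges plus the IPv6 ULA block (RFC 4193): resolvers on
  # the local network are allowed in addition to the configured nameservers.
  local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];

  # Fixed epoch timestamp so the generated rule files are reproducible.
  created = "1970-01-01T00:00:00.0+00:00";

  # Single-host CIDR for one nameserver address.  IPv6 hosts need /128;
  # appending /32 unconditionally (as before) turned an IPv6 resolver into
  # a /32 allow-range instead of a single address.
  hostCidr = ip: if hasInfix ":" ip then "${ip}/128" else "${ip}/32";

  # Common shape of every rule in this module: a permanent allow whose
  # operator is a list of sub-operators that must all match.
  mkAllowRule = name: list: {
    inherit name created;
    enabled = true;
    action = "allow";
    duration = "always";
    operator = {
      type = "list";
      operand = "list";
      inherit list;
    };
  };
in
{
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
      # Let the nsncd name-service cache daemon reach DNS (port 53) on the
      # configured nameservers or anything on the local network, but only
      # when running as the nscd user.
      nsncd = mkIf config.services.nscd.enableNsncd (mkAllowRule "nsncd-dns" [
        {
          type = "simple";
          # opensnitch case-sensitivity flag for the path comparison.
          sensitive = false;
          operand = "process.path";
          data = getExe pkgs.nsncd;
        }
        {
          type = "simple";
          operand = "dest.port";
          data = "53";
        }
        {
          type = "lists";
          operand = "lists.nets";
          # lists.nets takes a directory; the single file holds one CIDR per line.
          data = pkgs.writeTextDir "cidr_dns.list" (
            concatLines ((map hostCidr config.networking.nameservers) ++ local_network)
          );
        }
        {
          type = "simple";
          operand = "user.id";
          # config.users.users.nscd.uid is null unless set explicitly; 997 is
          # the assumed fallback — NOTE(review): confirm it is the uid nsncd
          # actually runs as, otherwise this rule never matches.
          data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
        }
      ]);

      # Let NetworkManager talk to DHCP servers (67 = DHCPv4, 547 = DHCPv6).
      network-manager = mkIf config.networking.networkmanager.enable (mkAllowRule "network-manager" [
        {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          # NOTE(review): getExe' does not check that the file exists; the
          # upstream daemon binary is "NetworkManager" (capitalised), so
          # confirm this path matches the running process or the rule never fires.
          data = getExe' pkgs.networkmanager "networkmanager";
        }
        {
          type = "regexp";
          operand = "dest.port";
          # Anchored: regexp matching is unanchored, so the previous
          # "547|67" also matched ports such as 1547, 670 or 6700.
          data = "^(547|67)$";
        }
        # {
        #   type = "simple";
        #   operand = "dest.network";
        #   data = "ff02::1:2";
        # }
      ]);
    };
  };
}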