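# OpenSnitch rules for Vesktop: allow the main process and its network-service
# helper to reach the Discord hosts listed in ./discord_hosts (plus UDP voice
# ports), and deny everything else those processes try to open.
{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling graphical network;
  inherit (lib) escapeRegex getVersion mkIf;

  # Fixed creation timestamp so the generated rule files are reproducible.
  created = "1970-01-01T00:00:00.0+00:00";

  # Regexp for the electron binary of the exact electron version in `pkgs`,
  # as it appears at the front of the process command line.
  electronBinary =
    "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron";

  # Command line of the main Vesktop process (electron loading app.asar).
  vesktopMainCommand =
    "${electronBinary}.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";

  # Command line of Vesktop's network-service utility process.
  # `\\.` is needed to get a literal `\.` into the regexp: Nix collapses a
  # single `\.` inside a double-quoted string to `.`, which would match any
  # character instead of the dot in `.config`.
  # NOTE(review): none of these regexps is anchored with `^`; if opensnitch
  # matches unanchored, a command line merely containing this text matches —
  # confirm before relying on that for the deny rules.
  vesktopNetworkCommand =
    "${electronBinary}.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\\.config/vesktop.+";

  # Operator matching a process by command-line regexp.
  commandOperator = regex: {
    type = "regexp";
    sensitive = false;
    operand = "process.command";
    data = regex;
  };

  # Destination allow-list: host regexps read from ./discord_hosts.
  discordHosts = {
    type = "lists";
    operand = "lists.domains_regexp";
    data = ./discord_hosts;
  };

  # Fields shared by every rule below.  `precedence = true` allow rules are
  # meant to win over the `precedence = false` deny rules for the same process.
  mkRule = { name, action, precedence, operator }: mkIf graphical {
    inherit name action precedence operator created;
    enabled = true;
    duration = "always";
  };
in
{
  config = mkIf (enable && tooling.enable && network) {
    services.opensnitch.rules = {
      # Catch-all deny for the main process; the allow rule takes precedence.
      vesktop_deny = mkRule {
        name = "vesktop-deny";
        action = "deny";
        precedence = false;
        operator = commandOperator vesktopMainCommand;
      };

      # Main process may only reach the Discord hosts.
      vesktop_allow = mkRule {
        name = "vesktop-allow";
        action = "allow";
        precedence = true;
        operator = {
          type = "list";
          operand = "list";
          list = [
            (commandOperator vesktopMainCommand)
            discordHosts
          ];
        };
      };

      # Network-service helper may send UDP to destination ports 50000-50099
      # (the only 5-digit ports containing the sequence 500dd).
      vesktop_daemon_allow_udp = mkRule {
        name = "vesktop-allow-udp";
        action = "allow";
        precedence = true;
        operator = {
          type = "list";
          operand = "list";
          list = [
            (commandOperator vesktopNetworkCommand)
            {
              type = "simple";
              operand = "protocol";
              data = "udp";
            }
            {
              type = "regexp";
              operand = "dest.port";
              data = "500[0-9]{2}";
            }
          ];
        };
      };

      # Catch-all deny for the network-service helper.
      vesktop_daemon_deny = mkRule {
        name = "vesktop-daemon-deny";
        action = "deny";
        precedence = false;
        operator = commandOperator vesktopNetworkCommand;
      };

      # Network-service helper may reach the Discord hosts.
      vesktop_daemon_allow = mkRule {
        name = "vesktop-daemon-allow";
        action = "allow";
        precedence = true;
        operator = {
          type = "list";
          operand = "list";
          list = [
            (commandOperator vesktopNetworkCommand)
            discordHosts
          ];
        };
      };
    };
  };
}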