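# NixOS module: opensnitch application firewall with a default-deny policy and
# per-program allow rules. Every rule is gated on the option that enables the
# corresponding program, so a rule only exists where the program is installed.
{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling graphical;
  inherit (lib) optional optionals getBin getExe concatLines concatStringsSep getExe' hasInfix mkIf;

  # Private address ranges that the rules below treat as "local".
  local_network = [
    "192.168.0.0/16"
    "10.0.0.0/8"
    "172.16.0.0/12"
    "fc00::/7"
  ];

  # A "lists.nets" operand takes a directory of list files, so the CIDRs are
  # written into a store directory rather than a single file.
  local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);

  # opensnitch matches "regexp" operators unanchored, so a bare port pattern
  # such as "53" would also match 530, 1053 or 5353. Always anchor port
  # alternations.
  anchoredPorts = ports: "^(${concatStringsSep "|" ports})$";

  # A single nameserver address as a host-only CIDR: /32 for IPv4, /128 for
  # IPv6 (a /32 on an IPv6 address would allow an entire provider prefix).
  hostCidr = ip: if hasInfix ":" ip then "${ip}/128" else "${ip}/32";

  # Path of the Spotify binary as seen by the kernel (the wrapper's target),
  # shared by the three Spotify rules so they cannot drift apart.
  spotifyBin = "${getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
  spotifyPorts = anchoredPorts [ "443" "4070" ];
in
{
  config = mkIf (enable && tooling.enable) {
    environment.systemPackages = optional graphical pkgs.opensnitch-ui;
    grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;

    services.opensnitch = {
      enable = true;
      settings = {
        # Anything not matched by an allow rule below is dropped.
        DefaultAction = "deny";
        Firewall = "iptables";
        LogLevel = 1;
      };

      rules = {
        firefox =
          let
            cfg = config.programs.firefox;
            # Rebuild the wrapper that programs.firefox installs so that the
            # process.path below is the store path actually executed.
            pkg = cfg.package.override (old: {
              extraPrefsFiles = old.extraPrefsFiles or [ ]
                ++ cfg.autoConfigFiles
                ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
              nativeMessagingHosts = old.nativeMessagingHosts or [ ]
                ++ cfg.nativeMessagingHosts.packages;
              # Non-recursive attrset: `cfg` on the right is the let-bound
              # programs.firefox config, not the attribute being defined.
              cfg = (old.cfg or { }) // cfg.wrapperConfig;
            });
            # pkg = pkgs.firefox-unwrapped;
          in
          mkIf config.programs.firefox.enable {
            name = "firefox";
            enabled = true;
            action = "allow";
            duration = "always";
            operator = {
              type = "simple";
              sensitive = false;
              operand = "process.path";
              data = "${getBin pkg}/lib/firefox/firefox";
            };
          };

        # Domain block list (directory of list files built by ./block_lists.nix).
        block-list = {
          name = "block-list";
          action = "deny";
          enabled = true;
          duration = "always";
          operator = {
            type = "lists";
            operand = "lists.domains";
            data = pkgs.callPackage ./block_lists.nix { };
          };
        };

        # Let the name service cache daemon talk DNS to the configured
        # resolvers and to resolvers on the local networks only.
        nsncd = mkIf config.services.nscd.enableNsncd {
          name = "nsncd-dns";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe pkgs.nsncd; }
              { type = "simple"; operand = "dest.port"; data = "53"; }
              {
                type = "lists";
                operand = "lists.nets";
                data = pkgs.writeTextDir "cidr_dns.list"
                  (concatLines ((map hostCidr config.networking.nameservers) ++ local_network));
              }
              # NOTE(review): hard-coded UID of the nscd service user on this
              # host; system UIDs without a fixed id are allocated per host, so
              # confirm the value wherever this module is deployed.
              { type = "simple"; operand = "user.id"; data = "998"; }
            ];
          };
        };

        # Loopback traffic is always allowed; `precedence` makes this rule win
        # over non-precedence deny rules.
        localhost = {
          name = "localhost";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "dest.ip";
            data = "^(127\\.0\\.0\\.1|::1)$";
          };
        };

        # Catch-all deny for Spotify; the two precedence allow rules below
        # carve out the permitted destinations.
        spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = spotifyBin;
          };
        };

        ncspot = mkIf config.grimmShared.spotify.enable {
          name = "ncspot";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; operand = "dest.port"; data = spotifyPorts; }
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe pkgs.ncspot; }
              { type = "lists"; operand = "lists.domains_regexp"; data = ./spotify_hosts; }
            ];
          };
        };

        spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-allow";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; operand = "dest.port"; data = spotifyPorts; }
              { type = "simple"; sensitive = false; operand = "process.path"; data = spotifyBin; }
              { type = "lists"; operand = "lists.domains_regexp"; data = ./spotify_hosts; }
            ];
          };
        };

        # Spotify Connect discovery on the local networks (any port).
        spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-allow-local";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = spotifyBin; }
              { type = "lists"; operand = "lists.nets"; data = local_ips; }
            ];
          };
        };

        avahi = mkIf config.services.avahi.enable {
          name = "avahi";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe' config.services.avahi.package "avahi-daemon"; }
              { type = "simple"; operand = "dest.port"; data = "5353"; }
              # NOTE(review): hard-coded UID of the avahi service user on this
              # host — same caveat as the nsncd rule.
              { type = "simple"; operand = "user.id"; data = "996"; }
            ];
          };
        };

        # cups-browsed: DNS to the local networks only. The port was a bare
        # "53" regexp, which also matched 530, 1053, 5353, ...; an exact match
        # is what was intended.
        cups-filters = mkIf config.services.printing.enable {
          name = "cups-filters";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe' pkgs.cups-filters "cups-browsed"; }
              { type = "simple"; operand = "dest.port"; data = "53"; }
              { type = "lists"; operand = "lists.nets"; data = local_ips; }
            ];
          };
        };

        # NTP (123) and legacy TIME (37); anchored so 1230, 8123, 3700 etc. do
        # not match.
        systemd-timesyncd = mkIf config.services.timesyncd.enable {
          name = "systemd-timesyncd";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = "${getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; }
              { type = "regexp"; operand = "dest.port"; data = anchoredPorts [ "123" "37" ]; }
            ];
          };
        };

        nextcloud = mkIf config.grimmShared.cloudSync.enable {
          name = "nextcloud";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
          };
        };
      };
    };
  };
}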