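{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling graphical network;
  inherit (lib)
    optional getBin getExe concatLines getExe' escapeRegex getVersion mkIf
    filter split strings concatStringsSep length isString hasInfix;

  # Private ranges (RFC 1918 + IPv6 ULA) that count as "local" for the lists.nets operators.
  local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
  local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);

  # Fixed timestamp: every rule carries `created`, and a constant keeps the
  # generated rule files reproducible.
  created = "1970-01-01T00:00:00.0+00:00";

  # opensnitch evaluates `type = "regexp"` operators as an unanchored search, so a
  # bare port pattern such as "443|53" also accepts 4430, 5353 or 8053. Every
  # dest.port alternation below goes through this helper and matches whole values only.
  portRegexp = ports: "^(${concatStringsSep "|" ports})$";

  # Patterns shared by several rules. The store hash of these unpacked binaries is
  # not known at evaluation time, hence the [a-z0-9]{32} wildcard.
  electronBinary =
    "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron";
  vesktopCommand =
    "${electronBinary}.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
  # Electron's network-service utility process (the one that actually opens sockets).
  # Note the doubled backslash: in a Nix string "\." is just ".", which would match any character.
  vesktopNetworkService =
    "${electronBinary}.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\\.config/vesktop.+";
  osuBinary =
    "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
  spotifyBinary = "${getBin pkgs.spotify}/share/spotify/.spotify-wrapped";

  # CIDR for a single host: IPv6 resolvers need /128, not /32.
  hostCidr = ip: if hasInfix ":" ip then "${ip}/128" else "${ip}/32";
in
{
  config = mkIf (enable && tooling.enable && network) {
    environment.systemPackages = optional graphical pkgs.opensnitch-ui;
    grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
    networking.nftables.enable = true;
    # security.audit.enable = true;

    # The audit process monitor needs the audit tools on the daemon's PATH.
    systemd.services.opensnitchd.path =
      optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin;

    services.opensnitch = {
      enable = true;
      settings = {
        # Default-deny: only connections matched by an allow rule below get through.
        DefaultAction = "deny";
        Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
        ProcMonitorMethod = "ftrace";
        # ProcMonitorMethod = "audit";
      };

      rules = {
        firefox =
          let
            cfg = config.programs.firefox;
            # Intended to mirror the override programs.firefox applies, so that
            # process.path equals the store path of the wrapper the user runs.
            # Keep in sync with that module if it changes.
            pkg = cfg.package.override (old: {
              extraPrefsFiles = old.extraPrefsFiles or [ ] ++ cfg.autoConfigFiles ++ [
                (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig)
              ];
              nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
              cfg = (old.cfg or { }) // cfg.wrapperConfig;
            });
            # pkg = pkgs.firefox-unwrapped;
          in
          mkIf cfg.enable {
            name = "firefox";
            enabled = true;
            action = "allow";
            duration = "always";
            inherit created;
            operator = {
              type = "simple";
              sensitive = false;
              operand = "process.path";
              data = "${getBin pkg}/lib/firefox/firefox";
            };
          };

        # Domain block list applied to every process; the list directory is built by ./block_lists.nix.
        block-list = {
          name = "block-list";
          action = "deny";
          enabled = true;
          duration = "always";
          inherit created;
          operator = {
            type = "lists";
            operand = "lists.domains";
            data = pkgs.callPackage ./block_lists.nix { };
          };
        };

        # Any binary from the git package may talk to anything.
        git = {
          name = "git-allow-all";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.path";
            data = "${escapeRegex pkgs.git.outPath}/.*";
          };
        };

        # Any binary from the openssh package may talk to anything.
        ssh = {
          name = "ssh-allow-all";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.path";
            data = "${escapeRegex pkgs.openssh.outPath}/.*";
          };
        };

        # Name-service cache: DNS only, and only to the configured resolvers or local ranges.
        nsncd = mkIf config.services.nscd.enableNsncd {
          name = "nsncd-dns";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe pkgs.nsncd; }
              { type = "simple"; operand = "dest.port"; data = "53"; }
              {
                type = "lists";
                operand = "lists.nets";
                data = pkgs.writeTextDir "cidr_dns.list"
                  (concatLines ((map hostCidr config.networking.nameservers) ++ local_network));
              }
              # NOTE(review): hard-coded uid; if the nscd user is allocated dynamically
              # this value can differ between hosts — confirm against the running system.
              { type = "simple"; operand = "user.id"; data = "998"; }
            ];
          };
        };

        # Loopback traffic from any process, checked before the ordinary rules.
        localhost = {
          name = "localhost";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "dest.ip";
            data = "^(127\\.0\\.0\\.1|::1)$";
          };
        };

        # Spotify: non-precedence deny catches everything the precedence allow rules below do not.
        spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = spotifyBinary;
          };
        };

        osu_deny = mkIf (config.grimmShared.gaming && graphical) {
          name = "osu-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.path";
            data = osuBinary;
          };
        };

        osu_allow = mkIf (config.grimmShared.gaming && graphical) {
          name = "osu-allow";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "443" "53" ]; }
              { type = "regexp"; sensitive = false; operand = "process.path"; data = osuBinary; }
              {
                type = "regexp";
                sensitive = false;
                operand = "dest.host";
                # Anchored and with literal dots: api.github.com and ppy.sh (plus subdomains) only.
                data = "^(api\\.github\\.com|(.+\\.)?ppy\\.sh)$";
              }
            ];
          };
        };

        ncspot = mkIf config.grimmShared.spotify.enable {
          name = "ncspot";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "443" "4070" ]; }
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe pkgs.ncspot; }
              { type = "lists"; operand = "lists.domains_regexp"; data = ./spotify_hosts; }
            ];
          };
        };

        spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-allow";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "443" "4070" ]; }
              { type = "simple"; sensitive = false; operand = "process.path"; data = spotifyBinary; }
              { type = "lists"; operand = "lists.domains_regexp"; data = ./spotify_hosts; }
            ];
          };
        };

        # Spotify Connect / local device discovery on the private ranges.
        spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-allow-local";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = spotifyBinary; }
              { type = "lists"; operand = "lists.nets"; data = local_ips; }
            ];
          };
        };

        # Vesktop: the main electron process is matched on process.command (the
        # binary is a shared electron build, so the path alone is not specific).
        vesktop_deny = mkIf graphical {
          name = "vesktop-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.command";
            data = vesktopCommand;
          };
        };

        vesktop_allow = mkIf graphical {
          name = "vesktop-allow";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; sensitive = false; operand = "process.command"; data = vesktopCommand; }
              { type = "lists"; operand = "lists.domains_regexp"; data = ./discord_hosts; }
            ];
          };
        };

        # Voice traffic: UDP to ports 50000-50099 only.
        vesktop_daemon_allow_udp = mkIf graphical {
          name = "vesktop-allow-udp";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; sensitive = false; operand = "process.command"; data = vesktopNetworkService; }
              { type = "simple"; operand = "protocol"; data = "udp"; }
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "500[0-9]{2}" ]; }
            ];
          };
        };

        vesktop_daemon_deny = mkIf graphical {
          name = "vesktop-daemon-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.command";
            data = vesktopNetworkService;
          };
        };

        vesktop_daemon_allow = mkIf graphical {
          name = "vesktop-daemon-allow";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "regexp"; sensitive = false; operand = "process.command"; data = vesktopNetworkService; }
              { type = "lists"; operand = "lists.domains_regexp"; data = ./discord_hosts; }
            ];
          };
        };

        # mDNS (5353) and DNS for the avahi daemon user.
        avahi = mkIf config.services.avahi.enable {
          name = "avahi";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' config.services.avahi.package "avahi-daemon";
              }
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "5353" "53" ]; }
              # NOTE(review): hard-coded uid — confirm it matches the avahi user on this host.
              { type = "simple"; operand = "user.id"; data = "996"; }
            ];
          };
        };

        # ICMP/ICMPv6 from any process (ping, path MTU, neighbour discovery).
        icmp = {
          name = "icmp";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            operand = "protocol";
            sensitive = false;
            data = "icmp(4|6)?";
          };
        };

        # DHCPv6 client traffic from NetworkManager. The lower-case binary name relies
        # on `sensitive = false`, which makes the comparison case-insensitive.
        network-manager = mkIf config.networking.networkmanager.enable {
          name = "network-manager";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' pkgs.networkmanager "networkmanager";
              }
              { type = "simple"; operand = "dest.port"; data = "547"; }
              # {
              #   type = "simple";
              #   operand = "dest.network";
              #   data = "ff02::1:2";
              # }
            ];
          };
        };

        # Printer discovery: IPP (631), HTTP and DNS, but only towards local ranges.
        cups-filters = mkIf config.services.printing.enable {
          name = "cups-filters";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              { type = "simple"; sensitive = false; operand = "process.path"; data = getExe' pkgs.cups-filters "cups-browsed"; }
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "53" "631" "80" ]; }
              { type = "lists"; operand = "lists.nets"; data = local_ips; }
            ];
          };
        };

        # NTP (123), legacy TIME (37) and DNS for the timesync daemon user.
        systemd-timesyncd = mkIf config.services.timesyncd.enable {
          name = "systemd-timesyncd";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = "${getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
              }
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "123" "37" "53" ]; }
              # {
              #   type = "regexp";
              #   sensitive = false;
              #   operand = "dest.host";
              #   data = ".*\.nixos\.pool\.ntp\.org";
              # }
              # NOTE(review): hard-coded uid — confirm it matches the systemd-timesync user on this host.
              { type = "simple"; operand = "user.id"; data = "154"; }
            ];
          };
        };

        # Disabled for now; the intended condition is config.grimmShared.cloudSync.enable.
        nextcloud = mkIf false {
          name = "nextcloud";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
              }
              {
                type = "regexp";
                sensitive = false;
                operand = "dest.host";
                # "a.b.c" becomes "^((a\.)?b\.)?c$": the server and each of its parent
                # domains. Anchored, otherwise the trailing label alone ("c") would be
                # found inside unrelated host names.
                data =
                  let
                    labels = filter isString (split "\\." config.grimmShared.cloudSync.server);
                    optionalParents =
                      (strings.replicate ((length labels) - 1) "(") + (concatStringsSep "\\.)?" labels);
                  in
                  "^${optionalParents}$";
                # config.grimmShared.cloudSync.server;
              }
              { type = "regexp"; operand = "dest.port"; data = portRegexp [ "443" "53" ]; }
            ];
          };
        };
      };
    };
  };
}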