diff --git a/modules/network/firewall/opensnitch.nix b/modules/network/firewall/opensnitch.nix
index 31e09e9..16cd950 100644
--- a/modules/network/firewall/opensnitch.nix
+++ b/modules/network/firewall/opensnitch.nix
@@ -10,6 +10,8 @@
 };
 rules = {
+ #
+ # system services
 "systemd-timesyncd" = {
 "name" = "systemd-timesyncd";
 "enabled" = true;
@@ -18,8 +20,8 @@
 "operator" = {
 "type" = "simple";
 "sensitive" = false;
- "operand" = "process.path";
- "data" = "${pkgs.systemd}/lib/systemd/systemd-timesyncd";
+ "operand" = "lists.domains";
+ "data" = builtins.toFile "systemd-timesyncd-opensnitch-rules" (lib.strings.concatStringsSep "\n" config.networking.timeServers);
 };
 };
 "nsncd" = {
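Review bot: Replacing the `process.path` operand with `lists.domains` drops the binding to the timesyncd binary, so this `allow`/`always` rule now lets any local process reach the configured time-server hosts — with the NixOS default of `*.nixos.pool.ntp.org` that is a broad, attacker-convenient egress path. Keep the process match and AND it with the domain list via the `type = "list"` operator that the other rules in this file already use. Separately, as far as I recall OpenSnitch's `lists.domains` expects a directory of hosts-format files (`0.0.0.0 host` per line) rather than a single newline-separated file, so a `builtins.toFile` of bare hostnames may never match; worth confirming against the daemon log before relying on it. The `systemd-timesyncd` attribute opens in the previous hunk.
```nix
"operator" = {
  "type" = "list";
  "operand" = "list";
  "list" = [
    {
      "operand" = "process.path";
      "type" = "simple";
      "sensitive" = false;
      "data" = "${pkgs.systemd}/lib/systemd/systemd-timesyncd";
    }
    {
      "operand" = "lists.domains";
      "type" = "simple";
      "sensitive" = false;
      # NOTE(review): verify the list format / directory expectation against the OpenSnitch docs
      "data" = builtins.toFile "systemd-timesyncd-opensnitch-rules" (lib.strings.concatStringsSep "\n" config.networking.timeServers);
    }
  ];
};
```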
@@ -34,6 +36,157 @@
 "data" = "${pkgs.nsncd}/bin/nsncd";
 };
 };
+ "tailscale" = {
+ "name" = "tailscale";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.tailscale}/bin/.tailscaled-wrapped";
+ };
+ };
+ "avahi-daemon" = {
+ "name" = "avahi-daemon";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.avahi}/bin/avahi-daemon";
+ };
+ };
+
+ #
+ # services
+ "prowlarr" = {
+ "name" = "prowlarr";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "type" = "list";
+ "operand" = "list";
+ "list" = [
+ {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.prowlarr}/lib/prowlarr/Prowlarr";
+ }
+ {
+ "operand" = "user.name";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "prowlarr";
+ }
+ ];
+ };
+ };
+ "sonarr" = {
+ "name" = "sonarr";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "type" = "list";
+ "operand" = "list";
+ "list" = [
+ {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.sonarr}/lib/sonarr/Sonarr";
+ }
+ {
+ "operand" = "user.name";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${config.services.sonarr.user}";
+ }
+ ];
+ };
+ };
+ "radarr" = {
+ "name" = "radarr";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "type" = "list";
+ "operand" = "list";
+ "list" = [
+ {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.radarr}/lib/radarr/Radarr";
+ }
+ {
+ "operand" = "user.name";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${config.services.radarr.user}";
+ }
+ ];
+ };
+ };
+ "forgejo" = {
+ "name" = "forgejo";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "type" = "list";
+ "operand" = "list";
+ "list" = [
+ {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.forgejo-lts}/bin/.forgejo-wrapped";
+ }
+ {
+ "operand" = "user.name";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${config.services.forgejo.user}";
+ }
+ ];
+ };
+ };
+ "caddy" = {
+ "name" = "caddy";
+ "enabled" = true;
+ "action" = "allow";
+ "duration" = "always";
+ "operator" = {
+ "type" = "list";
+ "operand" = "list";
+ "list" = [
+ {
+ "operand" = "process.path";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${pkgs.caddy}/bin/caddy";
+ }
+ {
+ "operand" = "user.name";
+ "type" = "simple";
+ "sensitive" = false;
+ "data" = "${config.services.caddy.user}";
+ }
+ ];
+ };
+ };
+
+
+ #
+ # desktop applications
 "firefox" = {
 "name" = "firefox";
 "enabled" = true;
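Review bot: The `process.path` operands in the new rules are built from `pkgs.sonarr`, `pkgs.radarr`, `pkgs.forgejo-lts`, `pkgs.caddy` and `pkgs.tailscale`, while the sibling `user.name` operands already read `config.services.<svc>.user`; if any of these services is configured with a different `package`, the store path diverges and the rule silently stops matching, so the service is either blocked or falls through to the daemon's default action. Prefer the package the module actually runs, e.g. `"data" = "${config.services.sonarr.package}/lib/sonarr/Sonarr";`, and likewise for the others where the NixOS module exposes a `package` option. For `prowlarr` the user is hard-coded as `"prowlarr"` unlike its siblings; use the module's user option if one exists, otherwise add a one-line comment explaining why it is fixed. The `tailscale` and `avahi-daemon` rules also carry no `user.name` constraint, unlike the services section — presumably deliberate (both run as root), but a comment saying so would help. The `firefox` attribute continues past the end of the hunk.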