opensnitch: improve rules

modules/network/firewall/opensnitch.nix

@@ -10,6 +10,8 @@
     };
 
     rules = {
+      #
+      # system services
       "systemd-timesyncd" = {
         "name" = "systemd-timesyncd";
         "enabled" = true;
@@ -18,8 +20,8 @@
         "operator" = {
           "type" = "simple";
           "sensitive" = false;
-          "operand" = "process.path";
+          "operand" = "lists.domains";
-          "data" = "${pkgs.systemd}/lib/systemd/systemd-timesyncd";
+          "data" = builtins.toFile "systemd-timesyncd-opensnitch-rules" (lib.strings.concatStringsSep "\n" config.networking.timeServers);
         };
       };
       "nsncd" = {
@@ -34,6 +36,157 @@
           "data" = "${pkgs.nsncd}/bin/nsncd";
         };
       };
+      "tailscale" =  {
+        "name" = "tailscale";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "operand" = "process.path";
+          "type" = "simple";
+          "sensitive" = false;
+          "data" = "${pkgs.tailscale}/bin/.tailscaled-wrapped";
+        };
+      };
+      "avahi-daemon" =  {
+        "name" = "avahi-daemon";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "operand" = "process.path";
+          "type" = "simple";
+          "sensitive" = false;
+          "data" = "${pkgs.avahi}/bin/avahi-daemon";
+        };
+      };
+
+      #
+      # services
+      "prowlarr" =  {
+        "name" = "prowlarr";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.prowlarr}/lib/prowlarr/Prowlarr";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "prowlarr";
+            }
+          ];
+        };
+      };
+      "sonarr" =  {
+        "name" = "sonarr";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.sonarr}/lib/sonarr/Sonarr";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.sonarr.user}";
+            }
+          ];
+        };
+      };
+      "radarr" =  {
+        "name" = "radarr";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.radarr}/lib/radarr/Radarr";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.radarr.user}";
+            }
+          ];
+        };
+      };
+      "forgejo" =  {
+        "name" = "forgejo";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.forgejo-lts}/bin/.forgejo-wrapped";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.forgejo.user}";
+            }
+          ];
+        };
+      };
+      "caddy" =  {
+        "name" = "caddy";
+        "enabled" = true;
+        "action" = "allow";
+        "duration" = "always";
+        "operator" = {
+          "type" = "list";
+          "operand" = "list";
+          "list" = [
+            {
+              "operand" = "process.path";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${pkgs.caddy}/bin/caddy";
+            }
+            {
+              "operand" = "user.name";
+              "type" = "simple";
+              "sensitive" = false;
+              "data" = "${config.services.caddy.user}";
+            }
+          ];
+        };
+      };
+
+
+      #
+      # desktop applications
       "firefox" = {
         "name" = "firefox";
         "enabled" = true;