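{ config, lib, pkgs, ... }:

let
  inherit (lib) concatMapStringsSep escapeRegex;

  # Every rule in this module is enabled and permanent; only the name, the
  # verdict and the matcher differ.  The NixOS module writes each attribute
  # as one rule file for opensnitchd.
  mkRule = name: action: operator: {
    inherit name action operator;
    enabled = true;
    duration = "always";
  };

  # Exact match on the executable path.  opensnitch takes this from
  # /proc/<pid>/exe, i.e. symlinks and wrapper scripts are already resolved,
  # so the data must be the real binary, not a bin/ wrapper.
  byPath = path: {
    type = "simple";
    sensitive = false;
    operand = "process.path";
    data = path;
  };

  # Regular expression on the executable path.  Always anchor it at the
  # start; an unanchored pattern matches anywhere inside the path and can be
  # satisfied from a user-writable directory.
  byPathRegexp = regexp: {
    type = "regexp";
    sensitive = false;
    operand = "process.path";
    data = regexp;
  };

  # Exact match on the account the connecting process runs as.
  byUser = user: {
    type = "simple";
    sensitive = false;
    operand = "user.name";
    data = user;
  };

  # Regular expression on the DNS name the destination was resolved from.
  # NOTE(review): dest.host is only populated when opensnitch observed the
  # lookup; a connection without it falls through to the prompt/DefaultAction.
  byHostRegexp = regexp: {
    type = "regexp";
    sensitive = false;
    operand = "dest.host";
    data = regexp;
  };

  # Conjunction of sub-operators: all of them must match.
  allOf = operators: {
    type = "list";
    operand = "list";
    list = operators;
  };

  allowPath = name: path: mkRule name "allow" (byPath path);

  # Daemons get both path and user pinned, so the same binary started under
  # another account (or another binary under the service account) is not
  # covered by the service's rule.
  allowService = name: path: user:
    mkRule name "allow" (allOf [ (byPath path) (byUser user) ]);

  # ^(host1|host2|...)$ over the configured NTP servers, every hostname
  # escaped so dots stay literal.  Empty timeServers yields "^()$", which
  # matches nothing useful.
  timeServerRegexp =
    "^(" + concatMapStringsSep "|" escapeRegex config.networking.timeServers + ")$";
in
{
  services.opensnitch = {
    enable = true;

    settings = {
      # NOTE(review): "allow" is applied to every connection that matches no
      # rule whenever the GUI is not connected or a prompt times out.  On a
      # headless host that makes the "allow" rules below prompt-suppressors
      # only and leaves the "block" rules as the sole enforced policy.  Set
      # to "deny" to make the allow-list actually bind; left unchanged here
      # to preserve current behaviour.
      DefaultAction = "allow";
      LogLevel = 2;
      Stats.MaxEvents = 3;
    };

    rules = {
      #
      # system services
      #

      # Previously: type "simple", operand "lists.domains", data = a single
      # store file of bare hostnames.  That never matches — the lists.*
      # operands require type "lists" and a directory of hosts-format files —
      # and, being destination-only, it would have allowed *any* process to
      # reach the NTP hosts.  Pin the timesyncd binary and the configured
      # servers together instead.
      systemd-timesyncd = mkRule "systemd-timesyncd" "allow" (allOf [
        (byPath "${config.systemd.package}/lib/systemd/systemd-timesyncd")
        (byHostRegexp timeServerRegexp)
      ]);

      nsncd = allowPath "nsncd" "${pkgs.nsncd}/bin/nsncd";

      # Take the package the service module actually runs rather than a fixed
      # pkgs.* attribute, so the rule follows services.*.package overrides and
      # does not silently stop matching after one.
      tailscale = allowPath "tailscale" "${config.services.tailscale.package}/bin/.tailscaled-wrapped";
      avahi-daemon = allowPath "avahi-daemon" "${pkgs.avahi}/bin/avahi-daemon";

      #
      # services
      #
      prowlarr = allowService "prowlarr" "${pkgs.prowlarr}/lib/prowlarr/Prowlarr" "prowlarr";
      sonarr = allowService "sonarr" "${pkgs.sonarr}/lib/sonarr/Sonarr" config.services.sonarr.user;
      radarr = allowService "radarr" "${pkgs.radarr}/lib/radarr/Radarr" config.services.radarr.user;
      forgejo = allowService "forgejo" "${config.services.forgejo.package}/bin/.forgejo-wrapped" config.services.forgejo.user;
      caddy = allowService "caddy" "${config.services.caddy.package}/bin/caddy" config.services.caddy.user;

      #
      # desktop applications
      #

      # pkgs.firefox's bin/firefox is a wrapper; the process that actually
      # opens sockets is the unwrapped binary, which is why the regexp rule
      # below exists.  Kept for the cases where the wrapper path is what
      # opensnitch reports.
      firefox = allowPath "firefox" "${pkgs.firefox}/bin/firefox";

      # Anchored at the store root with the 32-character store hash.  The old
      # unanchored "/nix/store/[aA0-zZ9]*-firefox-.*/.*" matched as a
      # substring, so a user-writable ".../nix/store/x-firefox-y/anything"
      # would also have been allowed; "/nix/store" being root-owned is what
      # makes this rule worth anything.  [^/]* keeps the match inside one
      # derivation name (firefox-… or firefox-unwrapped-…).
      firefox-regexp = mkRule "firefox2" "allow"
        (byPathRegexp "^/nix/store/[a-z0-9]{32}-firefox-[^/]*/.*");

      # Steam lives under $HOME, i.e. somewhere the user can write, so this
      # rule only identifies "a binary at Steam's path", not Steam itself.
      # Any binary placed there by the user gets the same verdict.  The user
      # name is now one path component ([^/]+; the former "[aA0-zZ9]*" class
      # also accepted punctuation) and the dot before "local" is literal.
      steam = mkRule "steam" "allow"
        (byPathRegexp "^/home/[^/]+/[.]local/share/Steam/(ubuntu12_[0-9][0-9]|linux[0-9][0-9])/steam.*");

      # Covers every Electron-based application sharing this binary, not a
      # single program.
      electron = allowPath "electron" "${pkgs.electron}/libexec/electron/electron";
      prismlauncher = allowPath "prismlauncher" "${pkgs.prismlauncher-unwrapped}/bin/prismlauncher";

      # Use the nix the system is configured with (nix.package), not pkgs.nix.
      # NOTE(review): on Nix 2.x nix-daemon and friends are symlinks to this
      # binary and /proc/<pid>/exe resolves them, so the daemon is covered too.
      nix = allowPath "nix" "${config.nix.package}/bin/nix";

      # Deny rule: enforced regardless of whether the GUI is connected.
      speech-dispatcher = mkRule "speech-dispatcher" "block"
        (byPath "${pkgs.speechd}/bin/speech-dispatcher");
    };
  };

  environment.systemPackages = [ pkgs.opensnitch-ui ];
}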