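{ config, lib, pkgs, ... }:
let
  # Every rule in this file is enabled and permanent (`duration = "always"`).
  # `sensitive = false` is OpenSnitch's case-insensitive match; the store paths
  # used below are exact, so it neither helps nor hurts here.
  mkRule = name: action: operator: {
    inherit name action operator;
    enabled = true;
    duration = "always";
  };

  simpleOp = operand: data: {
    type = "simple";
    sensitive = false;
    inherit operand data;
  };

  # Apply `action` to any process executed from exactly `path`.
  pathRule = name: action: path: mkRule name action (simpleOp "process.path" path);

  # Allow a service binary only when it runs as the expected unix user, so the
  # same store path executed by another account still falls through to the
  # prompt / DefaultAction.
  serviceRule = name: path: user: mkRule name "allow" {
    type = "list";
    operand = "list";
    list = [
      (simpleOp "process.path" path)
      (simpleOp "user.name" user)
    ];
  };

  # Go regexp, matched unanchored by OpenSnitch: every pattern MUST start with
  # `^`, otherwise it also matches the same text embedded inside a path the
  # user can write to (e.g. "/home/u/nix/store/x-firefox-y/evil").
  regexpRule = name: pattern: mkRule name "allow" {
    type = "regexp";
    sensitive = false;
    operand = "process.path";
    data = pattern;
  };
in
{
  services.opensnitch = {
    enable = true;
    settings = {
      # NOTE(review): "allow" is fail-open. Any connection no rule below matches
      # is permitted whenever no UI is connected to answer the prompt (headless
      # boot, before the desktop session starts, UI crashed). Until this is
      # "deny", the allow rules only silence prompts; the only thing this file
      # actually enforces is the speech-dispatcher block at the bottom.
      DefaultAction = "allow";
      LogLevel = 2;
      Stats.MaxEvents = 3;
    };

    rules = {
      #
      # system services

      # NTP: restrict to the configured time servers AND to the timesyncd
      # binary. A bare `lists.domains` operator matches any process talking to
      # those hosts, not just timesyncd.
      # NOTE(review): OpenSnitch documents `lists.domains` as a *directory* of
      # hosts-format files ("0.0.0.0 host"); builtins.toFile yields a single
      # newline-separated file. Confirm the daemon loads it — if not, this rule
      # never matches and timesyncd falls through to DefaultAction.
      "systemd-timesyncd" = mkRule "systemd-timesyncd" "allow" {
        type = "list";
        operand = "list";
        list = [
          (simpleOp "process.path" "${config.systemd.package}/lib/systemd/systemd-timesyncd")
          (simpleOp "lists.domains" (builtins.toFile "systemd-timesyncd-opensnitch-rules"
            (lib.strings.concatStringsSep "\n" config.networking.timeServers)))
        ];
      };

      # Name-service cache daemon; it performs DNS lookups on behalf of others.
      "nsncd" = pathRule "nsncd" "allow" "${pkgs.nsncd}/bin/nsncd";
      # nixpkgs wraps tailscaled; the real ELF (what /proc/<pid>/exe reports) is the dotfile.
      "tailscale" = pathRule "tailscale" "allow" "${pkgs.tailscale}/bin/.tailscaled-wrapped";
      "avahi-daemon" = pathRule "avahi-daemon" "allow" "${pkgs.avahi}/bin/avahi-daemon";

      #
      # services

      # prowlarr's user is hard-coded; the other services take theirs from the
      # respective NixOS module so a changed user does not silently break the rule.
      "prowlarr" = serviceRule "prowlarr" "${pkgs.prowlarr}/lib/prowlarr/Prowlarr" "prowlarr";
      "sonarr" = serviceRule "sonarr" "${pkgs.sonarr}/lib/sonarr/Sonarr" config.services.sonarr.user;
      "radarr" = serviceRule "radarr" "${pkgs.radarr}/lib/radarr/Radarr" config.services.radarr.user;
      "forgejo" = serviceRule "forgejo" "${pkgs.forgejo-lts}/bin/.forgejo-wrapped" config.services.forgejo.user;
      "caddy" = serviceRule "caddy" "${pkgs.caddy}/bin/caddy" config.services.caddy.user;

      #
      # desktop applications

      "firefox" = pathRule "firefox" "allow" "${pkgs.firefox}/bin/firefox";
      # Catch-all for any firefox store path (wrapper, -unwrapped, other
      # versions). Anchored at `^` and the store hash pinned to 32 base-32
      # characters, so only real /nix/store paths can match.
      "firefox-regexp" = regexpRule "firefox-regexp" "^/nix/store/[0-9a-z]{32}-firefox-[^/]*/.*";

      # NOTE(review): on a multi-user install fetches are done by nix-daemon;
      # it is only covered if its exe resolves to this same path — confirm.
      "nix" = pathRule "nix" "allow" "${pkgs.nix}/bin/nix";

      # Steam lives under $HOME, which the user can write to, so this rule
      # trusts whatever binary sits at that path. Keep it as narrow as
      # possible: anchored, exactly one path component for the user name,
      # literal dot in ".local".
      "steam" = regexpRule "steam" "^/home/[^/]+/\\.local/share/Steam/(ubuntu12_[0-9][0-9]|linux[0-9][0-9])/steam.*";

      # NOTE(review): this is the shared electron runtime, so it grants network
      # access to every electron-based app on the system, not to one
      # application. Prefer per-app rules once the apps in use are known.
      "electron" = pathRule "electron" "allow" "${pkgs.electron}/libexec/electron/electron";
      "prismlauncher" = pathRule "prismlauncher" "allow" "${pkgs.prismlauncher-unwrapped}/bin/prismlauncher";

      # The only rule that denies anything (see the DefaultAction note above).
      "speech-dispatcher" = pathRule "speech-dispatcher" "block" "${pkgs.speechd}/bin/speech-dispatcher";
    };
  };

  environment.systemPackages = [
    pkgs.opensnitch-ui
  ];
}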