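{ pkgs, lib, ... }:
let
  # Operator matching one exact, case-sensitive process path.
  process = path: {
    type = "simple";
    operand = "process.path";
    sensitive = false;
    data = path;
  };

  # Operator matching one exact value of any other operand (port, protocol, host, ip).
  exact = operand: data: {
    inherit operand data;
    type = "simple";
    sensitive = false;
  };

  # Permanent allow rule; every operator in `list` has to match for the rule to apply.
  allowAll = name: list: {
    inherit name;
    enabled = true;
    action = "allow";
    duration = "always";
    operator = {
      type = "list";
      operand = "list";
      inherit list;
    };
  };
in
{
  environment.systemPackages = [ pkgs.opensnitch-ui ];

  # Autostart the opensnitch UI for every desktop session.
  # Simplified version of the approach from
  # https://github.com/nix-community/home-manager/issues/3447#issuecomment-1328294558
  environment.etc."xdg/autostart/opensnitch_ui.desktop".source = (
    pkgs.opensnitch-ui + "/share/applications/opensnitch_ui.desktop"
  );

  # General rules needed no matter how the system is configured.
  # Anything not matched by a rule below falls through to DefaultAction (deny).
  services.opensnitch = {
    enable = true;
    settings.DefaultAction = "deny";

    rules = {
      # Any process may reach the IPv4/IPv6 loopback address.
      rule-000-localhost = {
        name = "Allow all localhost";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "regexp";
          operand = "dest.ip";
          sensitive = false;
          data = "^(127\\.0\\.0\\.1|::1)$";
          list = [ ];
        };
      };

      # mDNS multicast for avahi-daemon only.
      rule-100-avahi-ipv4 = allowAll "Allow avahi daemon IPv4" [
        (process "${lib.getBin pkgs.avahi}/bin/avahi-daemon")
        {
          type = "network";
          operand = "dest.network";
          sensitive = false;
          data = "224.0.0.0/24";
        }
      ];

      rule-100-avahi-ipv6 = allowAll "Allow avahi daemon IPv6" [
        (process "${lib.getBin pkgs.avahi}/bin/avahi-daemon")
        (exact "dest.ip" "ff02::fb")
      ];

      # Time sync: systemd-timesyncd to UDP/123 on any host.
      rule-100-ntp = allowAll "Allow NTP" [
        (process "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd")
        (exact "dest.port" "123")
        (exact "protocol" "udp")
      ];

      # The nix binary may reach github.com / nixos.org and their subdomains.
      rule-100-nix-update = allowAll "Allow Nix" [
        {
          type = "regexp";
          operand = "process.path";
          sensitive = false;
          # Anchored to the store: the earlier "^.*/bin/nix$" also matched a
          # binary called nix placed under any user-writable .../bin directory.
          data = "^/nix/store/[^/]+/bin/nix$";
        }
        {
          type = "regexp";
          operand = "dest.host";
          sensitive = false;
          # Label character class is [a-z0-9-]; it previously also contained a literal '|'.
          data = "^(([a-z0-9-]+\\.)*github\\.com|([a-z0-9-]+\\.)*nixos\\.org)$";
        }
      ];

      # DHCP (UDP/67) for NetworkManager only.
      rule-100-NetworkManager = allowAll "Allow NetworkManager" [
        (process "${lib.getBin pkgs.networkmanager}/bin/NetworkManager")
        (exact "dest.port" "67")
        (exact "protocol" "udp")
      ];

      # The system ssh client may connect to github.com.
      rule-500-ssh-github = allowAll "Allow SSH to github" [
        (process "${lib.getBin pkgs.openssh}/bin/ssh")
        (exact "dest.host" "github.com")
      ];
    };
  };
}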