author | Jonas Heinrich <onny@project-insanity.org> | 2022-02-23 11:08:49 +0100 |
---|---|---|
committer | Yt <raphael@megzari.com> | 2022-03-02 18:38:56 -0500 |
commit | 764670261a559e0e2e89dcce487fb9bd3ae19f9e (patch) | |
tree | 64d59195c2eed6c02e5c783a8eb1264a1924764b /nixos/modules/services/security | |
parent | 6d0bddbb0e947a6850a9618931db8502cb6749c4 (diff) | |
nixos/opensnitch: Add options to configure daemon
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r-- | nixos/modules/services/security/opensnitch.nix | 103 |
1 files changed, 102 insertions, 1 deletions
diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix
index 919346cf2bb..f9b4985e199 100644
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix 
@@ -3,22 +3,123 @@ with lib; let - name = "opensnitch"; cfg = config.services.opensnitch; + format = pkgs.formats.json {}; in { options = { services.opensnitch = { enable = mkEnableOption "Opensnitch application firewall"; + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options = { + Server = { + + Address = mkOption { + type = types.str; + description = '' + Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is + mandatory) or TCP socket (192.168.1.100:50051). + ''; + }; + + LogFile = mkOption { + type = types.path; + description = '' + File to write logs to (use /dev/stdout to write logs to standard + output). + ''; + }; + + }; + + DefaultAction = mkOption { + type = types.enum [ "allow" "deny" ]; + description = '' + Default action whether to block or allow application internet + access. + ''; + }; + + DefaultDuration = mkOption { + type = types.enum [ + "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h" + ]; + description = '' + Default duration of firewall rule. + ''; + }; + + InterceptUnknown = mkOption { + type = types.bool; + description = '' + Wheter to intercept spare connections. + ''; + }; + + ProcMonitorMethod = mkOption { + type = types.enum [ "ebpf" "proc" "ftrace" "audit" ]; + description = '' + Which process monitoring method to use. + ''; + }; + + LogLevel = mkOption { + type = types.enum [ 0 1 2 3 4 ]; + description = '' + Default log level from 0 to 4 (debug, info, important, warning, + error). + ''; + }; + + Firewall = mkOption { + type = types.enum [ "iptables" "nftables" ]; + description = '' + Which firewall backend to use. + ''; + }; + + Stats = { + + MaxEvents = mkOption { + type = types.int; + description = '' + Max events to send to the GUI. + ''; + }; + + MaxStats = mkOption { + type = types.int; + description = '' + Max stats per item to keep in backlog. + ''; + }; + + }; + }; + }; + description = '' + opensnitchd configuration. 
Refer to + <link xlink:href="https://github.com/evilsocket/opensnitch/wiki/Configurations"/> + for details on supported values. + ''; + }; }; }; config = mkIf cfg.enable { + # pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected + services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/default-config.json"))); + systemd = { packages = [ pkgs.opensnitch ]; services.opensnitchd.wantedBy = [ "multi-user.target" ]; }; + environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings; + }; } |
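Review bot: The new `services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/default-config.json")))` line in the `config` block reads a file out of a build output during evaluation, which is import-from-derivation: `pkgs.opensnitch` must be built before the module can be evaluated at all, and evaluators that run with IFD disabled (Hydra and ofborg, as far as I know) reject the configuration outright. The `unsafeDiscardStringContext` call and the comment above it only deal with the store-path reference in the resulting strings, not with the evaluation-time build. A safer shape is to give each declared option (Server.Address, Server.LogFile, DefaultAction, DefaultDuration, InterceptUnknown, ProcMonitorMethod, LogLevel, Firewall, Stats.MaxEvents, Stats.MaxStats) an explicit `default` carrying the value from the package's default-config.json and drop the readFile, so evaluation never depends on a built package; the freeform type still lets users set keys that are not declared. Separately, the InterceptUnknown description has a typo: `Wheter to intercept spare connections.` should start with `Whether`.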