diff options
| author | Jonas Heinrich <onny@project-insanity.org> | 2022-11-19 16:08:21 +0100 |
|---|---|---|
| committer | Yt <happysalada@proton.me> | 2022-11-28 14:19:16 -0500 |
| commit | 3aff91691488ead5cf637ba17720aed377c5d6bf (patch) | |
| tree | 3e9fc5ed766b383b0f8112ff5160038e682e7f2c /nixos/modules | |
| parent | 11fdcb163ec74e9f6ce07127f123e28ab16775d8 (diff) | |
| download | nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.tar nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.tar.gz nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.tar.bz2 nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.tar.lz nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.tar.xz nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.tar.zst nixpkgs-3aff91691488ead5cf637ba17720aed377c5d6bf.zip | |
nixos/opensnitch: Add option to configure rules
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/security/opensnitch.nix | 83 |
1 files changed, 69 insertions, 14 deletions
diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix index 1612b0edf01..8f1407b555f 100644 --- a/nixos/modules/services/security/opensnitch.nix +++ b/nixos/modules/services/security/opensnitch.nix @@ -5,10 +5,47 @@ with lib; let cfg = config.services.opensnitch; format = pkgs.formats.json {}; + + predefinedRules = flip mapAttrs cfg.rules (name: cfg: { + file = pkgs.writeText "rule" (builtins.toJSON cfg); + }); + in { options = { services.opensnitch = { - enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall"); + enable = mkEnableOption (mdDoc "Opensnitch application firewall"); + + rules = mkOption { + default = {}; + example = literalExpression '' + { + "tor" = { + "name" = "tor"; + "enabled" = true; + "action" = "allow"; + "duration" = "always"; + "operator" = { + "type" ="simple"; + "sensitive" = false; + "operand" = "process.path"; + "data" = "''${lib.getBin pkgs.tor}/bin/tor"; + }; + }; + }; + ''; + + description = mdDoc '' + Declarative configuration of firewall rules. + All rules will be stored in `/var/lib/opensnitch/rules`. + See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules) + for available options. + ''; + + type = types.submodule { + freeformType = format.type; + }; + }; + settings = mkOption { type = types.submodule { freeformType = format.type; @@ -18,7 +55,7 @@ in { Address = mkOption { type = types.str; - description = lib.mdDoc '' + description = mdDoc '' Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is mandatory) or TCP socket (192.168.1.100:50051). ''; @@ -26,7 +63,7 @@ in { LogFile = mkOption { type = types.path; - description = lib.mdDoc '' + description = mdDoc '' File to write logs to (use /dev/stdout to write logs to standard output). ''; @@ -36,7 +73,7 @@ in { DefaultAction = mkOption { type = types.enum [ "allow" "deny" ]; - description = lib.mdDoc '' + description = mdDoc '' Default action whether to block or allow application internet access. ''; @@ -46,28 +83,28 @@ in { type = types.enum [ "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h" ]; - description = lib.mdDoc '' + description = mdDoc '' Default duration of firewall rule. ''; }; InterceptUnknown = mkOption { type = types.bool; - description = lib.mdDoc '' + description = mdDoc '' Wheter to intercept spare connections. ''; }; ProcMonitorMethod = mkOption { type = types.enum [ "ebpf" "proc" "ftrace" "audit" ]; - description = lib.mdDoc '' + description = mdDoc '' Which process monitoring method to use. ''; }; LogLevel = mkOption { type = types.enum [ 0 1 2 3 4 ]; - description = lib.mdDoc '' + description = mdDoc '' Default log level from 0 to 4 (debug, info, important, warning, error). ''; @@ -75,7 +112,7 @@ in { Firewall = mkOption { type = types.enum [ "iptables" "nftables" ]; - description = lib.mdDoc '' + description = mdDoc '' Which firewall backend to use. ''; }; @@ -84,14 +121,14 @@ in { MaxEvents = mkOption { type = types.int; - description = lib.mdDoc '' + description = mdDoc '' Max events to send to the GUI. ''; }; MaxStats = mkOption { type = types.int; - description = lib.mdDoc '' + description = mdDoc '' Max stats per item to keep in backlog. ''; }; @@ -99,9 +136,8 @@ in { }; }; }; - description = lib.mdDoc '' - opensnitchd configuration. Refer to - <https://github.com/evilsocket/opensnitch/wiki/Configurations> + description = mdDoc '' + opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations) for details on supported values. ''; }; @@ -118,6 +154,25 @@ in { services.opensnitchd.wantedBy = [ "multi-user.target" ]; }; + systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let + rules = flip mapAttrsToList predefinedRules (file: content: { + inherit (content) file; + local = "/var/lib/opensnitch/rules/${file}.json"; + }); + in '' + # Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path, + # but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from + # `cfg.rules`). + find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) '' + -not \( ${concatMapStringsSep " -o " ({ local, ... }: + "-name '${baseNameOf local}*'") + rules} \) \ + ''} -delete + ${concatMapStrings ({ file, local }: '' + ln -sf '${file}' "${local}" + '') rules} + ''); + environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings; }; |