dave/nix-config
1
0
Fork 0
mirror of https://github.com/davegallant/nix-config synced 2025-08-07 00:58:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add opensnitch

Browse Source
This commit is contained in:
Dave Gallant
2025-02-09 14:55:52 -05:00
parent 7f64cf264a
commit 8ca246c22b
2 changed files with 123 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
home/default.nix
View File

@@ -268,8 +268,7 @@ in
]; ];
plugins = { plugins = {
auto-save.enable = false; auto-save.enable = true;
copilot-vim.enable = true;
cmp-path.enable = true; cmp-path.enable = true;
cmp-treesitter.enable = true; cmp-treesitter.enable = true;
commentary.enable = true; commentary.enable = true;

122
machines/hephaestus/configuration.nix
View File

@@ -110,6 +110,7 @@ in
mitmproxy mitmproxy
netdata netdata
nfs-utils nfs-utils
opensnitch-ui
pavucontrol pavucontrol
pika-backup pika-backup
pinentry-curses pinentry-curses
@@ -294,6 +295,127 @@ in
}; };
}; };
services.opensnitch = {
enable = true;
rules = {
systemd-timesyncd = {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
};
};
systemd-resolved = {
name = "systemd-resolved";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
};
};
localhost = {
name = "Allow all localhost";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "regexp";
operand = "dest.ip";
sensitive = false;
data = "^(127\\.0\\.0\\.1|::1)$";
list = [ ];
};
};
nix-update = {
name = "Allow Nix";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.nix}/bin/nix";
}
{
type = "regexp";
operand = "dest.host";
sensitive = false;
data = "^(([a-z0-9|-]+\\.)*github\\.com|([a-z0-9|-]+\\.)*nixos\\.org)$";
}
];
};
};
NetworkManager = {
name = "Allow NetworkManager";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.networkmanager}/bin/NetworkManager";
}
{
type = "simple";
operand = "dest.port";
sensitive = false;
data = "67";
}
{
type = "simple";
operand = "protocol";
sensitive = false;
data = "udp";
}
];
};
};
ssh-github = {
name = "Allow SSH to github";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.openssh}/bin/ssh";
}
{
type = "simple";
operand = "dest.host";
sensitive = false;
data = "github.com";
}
];
};
};
};
};
virtualisation = { virtualisation = {
docker.enable = true; docker.enable = true;
libvirtd.enable = true; libvirtd.enable = true;