add opensnitch

2024-06-12 18:45:06 +02:00
parent e37b8e3f8d
commit 635d2d27b3
6 changed files with 54 additions and 9 deletions
--- a/home-manager/opensnitch-ui.nix
+++ b/home-manager/opensnitch-ui.nix
@@ -0,0 +1,3 @@
+{ osConfig, pkgs, lib, inputs, ... }:
+let cfg = osConfig.custom.services.opensnitch;
+in { config = lib.mkIf cfg.enable { services.opensnitch-ui.enable = true; }; }
--- a/modules/hardware/nvidia.nix
+++ b/modules/hardware/nvidia.nix
@@ -1,9 +1,7 @@
 { lib, config, pkgs, ... }:
 with lib;
-let
-  cfg = config.custom.hardware.nvidia;
-in
-{
+let cfg = config.custom.hardware.nvidia;
+in {
  options.custom.hardware.nvidia = {
    enable = mkEnableOption "Enables nvidia gpus";
  };
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -2,6 +2,7 @@
 {
  imports = [
    ./acme.nix
+    ./opensnitch.nix
    ./adguard.nix
    ./dnsmasq.nix
    ./gitolite.nix
--- a/modules/services/opensnitch.nix
+++ b/modules/services/opensnitch.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, lib, inputs, ... }:
+let cfg = config.custom.services.opensnitch;
+in {
+  options.custom.services.opensnitch = {
+    enable = lib.mkEnableOption "Enables opensnitch";
+  };
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.opensnitch-ui ];
+    services.opensnitch = {
+      enable = true;
+      rules = {
+        systemd-timesyncd = {
+          name = "systemd-timesyncd";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type = "simple";
+            sensitive = false;
+            operand = "process.path";
+            data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
+          };
+        };
+        systemd-resolved = {
+          name = "systemd-resolved";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          operator = {
+            type = "simple";
+            sensitive = false;
+            operand = "process.path";
+            data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
+          };
+        };
+      };
+    };
+  };
+}
--- a/systems/pc/configuration.nix
+++ b/systems/pc/configuration.nix
@@ -45,6 +45,9 @@
      tpm.enable = true;
      tablet.enable = true;
    };
+    services = {
+      opensnitch.enable = true;
+    };
    graphical = {
      audio.enable = true;
      code = {
--- a/users/kopatz/home.nix
+++ b/users/kopatz/home.nix
@@ -24,6 +24,7 @@
    ../../home-manager/nixvim
    ../../home-manager/rofi.nix
    ../../home-manager/dunst.nix
+    ../../home-manager/opensnitch-ui.nix
    #../../home-manager/theme.nix
    ../../home-manager/zsh
    ../../home-manager/i3.nix