opensnitch: 1.6.4 -> 1.6.5, opensnitch-ui: 1.6.4 -> 1.6.5.1

2025-07-14 14:10:33 +03:00 · 2023-12-24 14:04:26 +01:00 · 2023-12-24 14:04:26 +01:00 · 31b9a9d18c
commit 31b9a9d18c
parent 89b57cd182
7 changed files with 131 additions and 83 deletions
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix
@ -36,7 +36,8 @@ in {

        description = mdDoc ''
          Declarative configuration of firewall rules.
-          All rules will be stored in `/var/lib/opensnitch/rules`.
+          All rules will be stored in `/var/lib/opensnitch/rules` by default.
+          Rules path can be configured with `settings.Rules.Path`.
          See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules)
          for available options.
        '';
@ -79,15 +80,6 @@ in {
              '';
            };

-            DefaultDuration = mkOption {
-              type = types.enum [
-                "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h"
-              ];
-              description = mdDoc ''
-                Default duration of firewall rule.
-              '';
-            };
-
            InterceptUnknown = mkOption {
              type = types.bool;
              description = mdDoc ''
@ -134,6 +126,30 @@ in {
              };

            };
+
+            Ebpf.ModulesPath = mkOption {
+              type = types.path;
+              default = if cfg.settings.ProcMonitorMethod == "ebpf" then "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd" else null;
+              defaultText = literalExpression ''
+                if cfg.settings.ProcMonitorMethod == "ebpf" then
+                  "\\$\\{config.boot.kernelPackages.opensnitch-ebpf\\}/etc/opensnitchd"
+                else null;
+              '';
+              description = mdDoc ''
+                Configure eBPF modules path. Used when
+                `settings.ProcMonitorMethod` is set to `ebpf`.
+              '';
+            };
+
+            Rules.Path = mkOption {
+              type = types.path;
+              default = "/var/lib/opensnitch/rules";
+              description = mdDoc ''
+                Path to the directory where firewall rules can be found and will
+                get stored by the NixOS module.
+              '';
+            };
+
          };
        };
        description = mdDoc ''
@ -151,40 +167,42 @@ in {

    systemd = {
      packages = [ pkgs.opensnitch ];
-      services.opensnitchd.wantedBy = [ "multi-user.target" ];
+      services.opensnitchd = {
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ExecStart = [
+            ""
+            "${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}"
+          ];
+        };
+        preStart = mkIf (cfg.rules != {}) (let
+          rules = flip mapAttrsToList predefinedRules (file: content: {
+          inherit (content) file;
+          local = "${cfg.settings.Rules.Path}/${file}.json";
+        });
+        in ''
+          # Remove all firewall rules from rules path (configured with
+          # cfg.settings.Rules.Path) that are symlinks to a store-path, but aren't
+          # declared in `cfg.rules` (i.e. all networks that were "removed" from
+          # `cfg.rules`).
+          find ${cfg.settings.Rules.Path} -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) ''
+            -not \( ${concatMapStringsSep " -o " ({ local, ... }:
+              "-name '${baseNameOf local}*'")
+            rules} \) \
+          ''} -delete
+          ${concatMapStrings ({ file, local }: ''
+            ln -sf '${file}' "${local}"
+          '') rules}
+        '');
+      };
+      tmpfiles.rules = [
+        "d ${cfg.settings.Rules.Path} 0750 root root - -"
+        "L+ /etc/opensnitchd/system-fw.json - - - - ${pkgs.opensnitch}/etc/opensnitchd/system-fw.json"
+      ];
    };

-    systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let
-      rules = flip mapAttrsToList predefinedRules (file: content: {
-        inherit (content) file;
-        local = "/var/lib/opensnitch/rules/${file}.json";
-      });
-    in ''
-      # Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path,
-      # but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from
-      # `cfg.rules`).
-      find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) ''
-        -not \( ${concatMapStringsSep " -o " ({ local, ... }:
-          "-name '${baseNameOf local}*'")
-        rules} \) \
-      ''} -delete
-      ${concatMapStrings ({ file, local }: ''
-        ln -sf '${file}' "${local}"
-      '') rules}
-
-      if [ ! -f /etc/opensnitchd/system-fw.json ]; then
-        cp "${pkgs.opensnitch}/etc/opensnitchd/system-fw.json" "/etc/opensnitchd/system-fw.json"
-      fi
-    '');
-
-    environment.etc = mkMerge [ ({
-      "opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
-    }) (mkIf (cfg.settings.ProcMonitorMethod == "ebpf") {
-      "opensnitchd/opensnitch.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch.o";
-      "opensnitchd/opensnitch-dns.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch-dns.o";
-      "opensnitchd/opensnitch-procs.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch-procs.o";
-    })];
-
  };
+
+  meta.maintainers = with lib.maintainers; [ onny ];
 }