| blob | 1612b0edf01680f2ec13b75365b42c0a10356d44 |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.services.opensnitch;
7 format = pkgs.formats.json {};
8 in {
9 options = {
10 services.opensnitch = {
11 enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall");
12 settings = mkOption {
13 type = types.submodule {
14 freeformType = format.type;
16 options = {
17 Server = {
19 Address = mkOption {
20 type = types.str;
21 description = lib.mdDoc ''
22 Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is
23 mandatory) or TCP socket (192.168.1.100:50051).
24 '';
25 };
27 LogFile = mkOption {
28 type = types.path;
29 description = lib.mdDoc ''
30 File to write logs to (use /dev/stdout to write logs to standard
31 output).
32 '';
33 };
35 };
37 DefaultAction = mkOption {
38 type = types.enum [ "allow" "deny" ];
39 description = lib.mdDoc ''
40 Default action whether to block or allow application internet
41 access.
42 '';
43 };
45 DefaultDuration = mkOption {
46 type = types.enum [
47 "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h"
48 ];
49 description = lib.mdDoc ''
50 Default duration of firewall rule.
51 '';
52 };
54 InterceptUnknown = mkOption {
55 type = types.bool;
56 description = lib.mdDoc ''
57 Wheter to intercept spare connections.
58 '';
59 };
61 ProcMonitorMethod = mkOption {
62 type = types.enum [ "ebpf" "proc" "ftrace" "audit" ];
63 description = lib.mdDoc ''
64 Which process monitoring method to use.
65 '';
66 };
68 LogLevel = mkOption {
69 type = types.enum [ 0 1 2 3 4 ];
70 description = lib.mdDoc ''
71 Default log level from 0 to 4 (debug, info, important, warning,
72 error).
73 '';
74 };
76 Firewall = mkOption {
77 type = types.enum [ "iptables" "nftables" ];
78 description = lib.mdDoc ''
79 Which firewall backend to use.
80 '';
81 };
83 Stats = {
85 MaxEvents = mkOption {
86 type = types.int;
87 description = lib.mdDoc ''
88 Max events to send to the GUI.
89 '';
90 };
92 MaxStats = mkOption {
93 type = types.int;
94 description = lib.mdDoc ''
95 Max stats per item to keep in backlog.
96 '';
97 };
99 };
100 };
101 };
102 description = lib.mdDoc ''
103 opensnitchd configuration. Refer to
104 <https://github.com/evilsocket/opensnitch/wiki/Configurations>
105 for details on supported values.
106 '';
107 };
108 };
109 };
111 config = mkIf cfg.enable {
113 # pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected
114 services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/default-config.json")));
116 systemd = {
117 packages = [ pkgs.opensnitch ];
118 services.opensnitchd.wantedBy = [ "multi-user.target" ];
119 };
121 environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
123 };
124 }