merge

configs/manager.nix

@@ -26,7 +26,6 @@ in
     };
 
     imports = [./tailnet.nix];
-
     config = mkIf config.nixManager.enable {
       sops.defaultSopsFile = config.xin-secrets.manager;
       sops.secrets = {
@@ -38,13 +37,11 @@ in
         ca_cert = {owner = config.nixManager.user;};
         po_env = {owner = config.nixManager.user;};
       };
-
       environment.systemPackages = [
         microca
         inputs.xintray.packages.${pkgs.system}.xintray
         inputs.po.packages.${pkgs.system}.po
       ];
-
       networking = {
         hosts = {
           "66.135.2.235" = ["ns1"];

flake.nix

@@ -98,7 +98,10 @@
     xintray,
     ...
   } @ inputs: let
-    xinlib = import ./lib {inherit (unstable) lib;};
+    xinlib = import ./lib {
+      inherit (unstable) lib;
+      inherit (unstable.legacyPackages.x86_64-linux) writeTextFile linkFarm;
+    };
     supportedSystems = ["x86_64-linux"];
     #[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
     forAllSystems = unstable.lib.genAttrs supportedSystems;
@@ -231,22 +234,6 @@
         ];
       };
 
-      #weatherzero = buildSys "armv6l" stable [
-      #  "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
-      #  {
-      #    nixpkgs = {
-      #      buildPlatform = {
-      #        system = "x86_64-linux";
-      #        config = "x86_64-unknown-linux-gnu";
-      #      };
-      #      hostPlatform = {
-      #        system = "armv6l-linux";
-      #        config = "armv6l-unknown-linux-gnueabihf";
-      #      };
-      #    };
-      #  }
-      #] "weatherzero";
-
       isoInstall = stable.lib.nixosSystem {
         system = "x86_64-linux";
 

hosts/europa/default.nix

@@ -5,8 +5,10 @@
   lib,
   xinlib,
   ...
-}: let
+}:
-  inherit (inputs.stable.legacyPackages.${pkgs.system}) chirp;
+with lib; let
+  inherit (builtins) map hasAttr;
+  inherit (xinlib) jobToUserService osRuleMaker;
   restic = pkgs.writeScriptBin "restic" (import ../../bins/restic.nix {
     inherit pkgs;
     inherit lib;
@@ -165,6 +167,33 @@ in {
   services.xinCA = {enable = false;};
 
   services = {
+    opensnitch = {
+      enable = true;
+      rules = {
+        tailscale =
+          osRuleMaker.allowBinAll "tailscale"
+          "${getBin pkgs.tailscale}/bin/.tailscaled-wrapped";
+        openssh =
+          osRuleMaker.allowBinAll "openssh" "${getBin pkgs.openssh}/bin/ssh";
+        mosh =
+          osRuleMaker.allowBinAll "mosh" "${getBin pkgs.mosh}/bin/mosh-client";
+        systemd-resolved =
+          osRuleMaker.allowBinAll "systemd-resolved"
+          "${getBin pkgs.systemd}/lib/systemd/systemd-resolved";
+        blocked-hosts = osRuleMaker.makeREList "blocked-hosts" "deny" [
+          "facebook.com"
+          "facebook.net"
+          "pusher.com"
+          "www.facebook.com"
+        ];
+        allowed-hosts = osRuleMaker.makeREList "allowed-hosts" "allow" [
+          "tapenet.org"
+          "bolddaemon.com"
+          "suah.dev"
+          "humpback-trout.ts.net"
+        ];
+      };
+    };
     avahi = {
       enable = true;
       openFirewall = true;
@@ -231,8 +260,7 @@ in {
     ''
   ];
 
-  systemd.user.services =
+  systemd.user.services = lib.listToAttrs (map jobToUserService jobs);
-    lib.listToAttrs (builtins.map xinlib.jobToUserService jobs);
   systemd.services."whytailscalewhy" = {
     description = "Tailscale restart on resume";
     wantedBy = ["post-resume.target"];
@@ -264,6 +292,7 @@ in {
   };
 
   environment.systemPackages = with pkgs; [
+    opensnitch-ui
     doom-emacs
     barrier
     calibre

lib/default.nix

@@ -1,5 +1,23 @@
-{lib, ...}: let
+{
-  inherit (builtins) toString readFile fromJSON filter;
+  lib,
+  writeTextFile,
+  linkFarm,
+  ...
+}: let
+  inherit
+    (builtins)
+    toString
+    readFile
+    fromJSON
+    filter
+    concatStringsSep
+    map
+    ;
+  makeListReFile = name: list:
+    writeTextFile {
+      inherit name;
+      text = concatStringsSep "\n" (map (h: ".*(^|\\.)${h}$") list);
+    };
   getPrStatus = pr: let
     prstr = toString pr;
     prStatus = fromJSON (readFile ../pull_requests/${prstr}.json);
@@ -33,6 +51,52 @@
         } (${prStatus.title}) is complete, ignoring overlay..." (_: _: {});
   };
 
+  osRuleMaker = {
+    allowBinAll = name: bin: {
+      name = "${name}";
+      enabled = true;
+      precidence = false;
+      action = "allow";
+      duration = "always";
+      operator = {
+        type = "simple";
+        sensitive = false;
+        operand = "process.path";
+        data = "${bin}";
+      };
+    };
+    makeBinList = name: action: bin: list: {
+      inherit action name;
+      enabled = true;
+      precidence = true;
+      duration = "always";
+      operator = {
+        type = "lists";
+        operand = "lists";
+        sensitive = false;
+        list = [{} {}];
+      };
+    };
+    makeREList = name: action: list: {
+      inherit action name;
+      enabled = true;
+      precidence = true;
+      duration = "always";
+      operator = {
+        type = "lists";
+        operand = "lists.domains_regexp";
+        sensitive = false;
+        data = linkFarm "${name}-${action}-dir" [
+          {
+            name = "${name}-${action}-file";
+            path = makeListReFile "${name}-${action}-list" list;
+          }
+        ];
+        list = [];
+      };
+    };
+  };
+
   todo = msg: lib.warn "TODO: ${msg}";
 
   filterList = pkgList: filter (x: x != null) pkgList;
@@ -108,6 +172,7 @@
       prIsOpen
       filterList
       todo
+      osRuleMaker
       ;
   };
 in