main
...
opensnitch
Author | SHA1 | Date | |
---|---|---|---|
91544b0b5b | |||
bacc799c7a | |||
c1ad38e816 | |||
cd8ba78e70 |
@ -26,7 +26,6 @@ in
|
||||
};
|
||||
|
||||
imports = [./tailnet.nix];
|
||||
|
||||
config = mkIf config.nixManager.enable {
|
||||
sops.defaultSopsFile = config.xin-secrets.manager;
|
||||
sops.secrets = {
|
||||
@ -38,13 +37,11 @@ in
|
||||
ca_cert = {owner = config.nixManager.user;};
|
||||
po_env = {owner = config.nixManager.user;};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
microca
|
||||
inputs.xintray.packages.${pkgs.system}.xintray
|
||||
inputs.po.packages.${pkgs.system}.po
|
||||
];
|
||||
|
||||
networking = {
|
||||
hosts = {
|
||||
"66.135.2.235" = ["ns1"];
|
||||
|
21
flake.nix
21
flake.nix
@ -98,7 +98,10 @@
|
||||
xintray,
|
||||
...
|
||||
} @ inputs: let
|
||||
xinlib = import ./lib {inherit (unstable) lib;};
|
||||
xinlib = import ./lib {
|
||||
inherit (unstable) lib;
|
||||
inherit (unstable.legacyPackages.x86_64-linux) writeTextFile linkFarm;
|
||||
};
|
||||
supportedSystems = ["x86_64-linux"];
|
||||
#[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
|
||||
forAllSystems = unstable.lib.genAttrs supportedSystems;
|
||||
@ -231,22 +234,6 @@
|
||||
];
|
||||
};
|
||||
|
||||
#weatherzero = buildSys "armv6l" stable [
|
||||
# "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
|
||||
# {
|
||||
# nixpkgs = {
|
||||
# buildPlatform = {
|
||||
# system = "x86_64-linux";
|
||||
# config = "x86_64-unknown-linux-gnu";
|
||||
# };
|
||||
# hostPlatform = {
|
||||
# system = "armv6l-linux";
|
||||
# config = "armv6l-unknown-linux-gnueabihf";
|
||||
# };
|
||||
# };
|
||||
# }
|
||||
#] "weatherzero";
|
||||
|
||||
isoInstall = stable.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
|
||||
|
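Review bot: The new `inherit (unstable.legacyPackages.x86_64-linux) writeTextFile linkFarm;` pins the builders handed to `xinlib` to a single platform even though the same `let` block defines `supportedSystems` and `forAllSystems` a few lines below. Anything the library builds with them (rule files, link farms) will be x86_64-linux derivations regardless of the host being evaluated, which is harmless while `supportedSystems` is only `["x86_64-linux"]` but will cross-build or fail silently as soon as the commented-out systems are re-enabled. Consider taking the package set per system, e.g. `xinlib = system: import ./lib { inherit (unstable) lib; inherit (unstable.legacyPackages.${system}) writeTextFile linkFarm; };`, or at least add a comment tying the hard-coded system to `supportedSystems`. The `let` binding continues outside the hunk.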
@ -5,8 +5,10 @@
|
||||
lib,
|
||||
xinlib,
|
||||
...
|
||||
}: let
|
||||
inherit (inputs.stable.legacyPackages.${pkgs.system}) chirp;
|
||||
}:
|
||||
with lib; let
|
||||
inherit (builtins) map hasAttr;
|
||||
inherit (xinlib) jobToUserService osRuleMaker;
|
||||
restic = pkgs.writeScriptBin "restic" (import ../../bins/restic.nix {
|
||||
inherit pkgs;
|
||||
inherit lib;
|
||||
@ -165,6 +167,33 @@ in {
|
||||
services.xinCA = {enable = false;};
|
||||
|
||||
services = {
|
||||
opensnitch = {
|
||||
enable = true;
|
||||
rules = {
|
||||
tailscale =
|
||||
osRuleMaker.allowBinAll "tailscale"
|
||||
"${getBin pkgs.tailscale}/bin/.tailscaled-wrapped";
|
||||
openssh =
|
||||
osRuleMaker.allowBinAll "openssh" "${getBin pkgs.openssh}/bin/ssh";
|
||||
mosh =
|
||||
osRuleMaker.allowBinAll "mosh" "${getBin pkgs.mosh}/bin/mosh-client";
|
||||
systemd-resolved =
|
||||
osRuleMaker.allowBinAll "systemd-resolved"
|
||||
"${getBin pkgs.systemd}/lib/systemd/systemd-resolved";
|
||||
blocked-hosts = osRuleMaker.makeREList "blocked-hosts" "deny" [
|
||||
"facebook.com"
|
||||
"facebook.net"
|
||||
"pusher.com"
|
||||
"www.facebook.com"
|
||||
];
|
||||
allowed-hosts = osRuleMaker.makeREList "allowed-hosts" "allow" [
|
||||
"tapenet.org"
|
||||
"bolddaemon.com"
|
||||
"suah.dev"
|
||||
"humpback-trout.ts.net"
|
||||
];
|
||||
};
|
||||
};
|
||||
avahi = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
@ -231,8 +260,7 @@ in {
|
||||
''
|
||||
];
|
||||
|
||||
systemd.user.services =
|
||||
lib.listToAttrs (builtins.map xinlib.jobToUserService jobs);
|
||||
systemd.user.services = lib.listToAttrs (map jobToUserService jobs);
|
||||
systemd.services."whytailscalewhy" = {
|
||||
description = "Tailscale restart on resume";
|
||||
wantedBy = ["post-resume.target"];
|
||||
@ -264,6 +292,7 @@ in {
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
opensnitch-ui
|
||||
doom-emacs
|
||||
barrier
|
||||
calibre
|
||||
|
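Review bot: In the `services.opensnitch.rules` hunk, `blocked-hosts` and `allowed-hosts` are produced by the same `osRuleMaker.makeREList` generator and so carry the same precedence flag, which means that if a host ever appears in both lists the outcome is decided by the daemon's rule ordering rather than deny-first, as far as I can tell from the generator; today the two lists are disjoint, but nothing records that this is required. A one-line comment above `blocked-hosts` such as `# keep disjoint from allowed-hosts: both are precedence rules, so ordering rather than action decides ties` would protect the intent. Separately, the `tailscale` rule keys on the literal path `.tailscaled-wrapped`, which appears to be a wrapper artefact of the current package and may change on upgrade, leaving tailscaled with no allow rule and no warning; a comment noting the dependency on the package's wrapper layout, or a rule on the unwrapped binary, would make the failure mode visible. The enclosing `config` attrset starts and ends outside the hunk.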
@ -1,5 +1,23 @@
|
||||
{lib, ...}: let
|
||||
inherit (builtins) toString readFile fromJSON filter;
|
||||
{
|
||||
lib,
|
||||
writeTextFile,
|
||||
linkFarm,
|
||||
...
|
||||
}: let
|
||||
inherit
|
||||
(builtins)
|
||||
toString
|
||||
readFile
|
||||
fromJSON
|
||||
filter
|
||||
concatStringsSep
|
||||
map
|
||||
;
|
||||
makeListReFile = name: list:
|
||||
writeTextFile {
|
||||
inherit name;
|
||||
text = concatStringsSep "\n" (map (h: ".*(^|\\.)${h}$") list);
|
||||
};
|
||||
getPrStatus = pr: let
|
||||
prstr = toString pr;
|
||||
prStatus = fromJSON (readFile ../pull_requests/${prstr}.json);
|
||||
@ -33,6 +51,52 @@
|
||||
} (${prStatus.title}) is complete, ignoring overlay..." (_: _: {});
|
||||
};
|
||||
|
||||
osRuleMaker = {
|
||||
allowBinAll = name: bin: {
|
||||
name = "${name}";
|
||||
enabled = true;
|
||||
precidence = false;
|
||||
action = "allow";
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "simple";
|
||||
sensitive = false;
|
||||
operand = "process.path";
|
||||
data = "${bin}";
|
||||
};
|
||||
};
|
||||
makeBinList = name: action: bin: list: {
|
||||
inherit action name;
|
||||
enabled = true;
|
||||
precidence = true;
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "lists";
|
||||
operand = "lists";
|
||||
sensitive = false;
|
||||
list = [{} {}];
|
||||
};
|
||||
};
|
||||
makeREList = name: action: list: {
|
||||
inherit action name;
|
||||
enabled = true;
|
||||
precidence = true;
|
||||
duration = "always";
|
||||
operator = {
|
||||
type = "lists";
|
||||
operand = "lists.domains_regexp";
|
||||
sensitive = false;
|
||||
data = linkFarm "${name}-${action}-dir" [
|
||||
{
|
||||
name = "${name}-${action}-file";
|
||||
path = makeListReFile "${name}-${action}-list" list;
|
||||
}
|
||||
];
|
||||
list = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
todo = msg: lib.warn "TODO: ${msg}";
|
||||
|
||||
filterList = pkgList: filter (x: x != null) pkgList;
|
||||
@ -108,6 +172,7 @@
|
||||
prIsOpen
|
||||
filterList
|
||||
todo
|
||||
osRuleMaker
|
||||
;
|
||||
};
|
||||
in
|
||||
|
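Review bot: Every rule record in `osRuleMaker` sets a key spelled `precidence`, but OpenSnitch's rule schema spells it `precedence`, so the daemon will most likely discard the unknown key and treat every rule, including the `makeREList` deny lists that set it to `true`, as non-precedence; the deny intent currently depends on a typo being tolerated. The fix is `precedence = false;` in `allowBinAll` and `precedence = true;` in `makeBinList` and `makeREList`. Separately, `makeListReFile` interpolates each host unescaped into `.*(^|\\.)${h}$`, so the dots in `facebook.com` match any character and an allow entry like `suah.dev` also admits `suahXdev`; use `(^|\\.)${lib.escapeRegex h}$`, since `lib` is already an argument of this file. `makeBinList` ignores its `bin` argument and emits a placeholder `list = [{} {}];`, which should carry a `# TODO` or be dropped until implemented so callers do not rely on it. The attrset continues outside the hunk.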