Improvements for desktop

stusmall · Nov 30, 2024 · 0a3a194 · 0a3a194
1 parent ca04aff
commit 0a3a194
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 34 deletions.
diff --git a/modules/slack.nix b/modules/slack.nix
@@ -5,8 +5,8 @@
   ];
 
   services.opensnitch.rules = {
-    rule-900-slack-1 = {
-      name = "Allow Slack Rule 1";
+    rule-900-slack = {
+      name = "Allow Slack Rule";
       enabled = true;
       action = "allow";
       duration = "always";
@@ -18,12 +18,7 @@
             type = "simple";
             operand = "process.path";
             sensitive = false;
-            data = "${lib.getBin pkgs.zoom-us}/bin/avahi-daemon";
-          }
-          {
-            type = "network";
-            operand = "dest.network";
-            data = "3.7.35.0/25";
+            data = "${lib.getBin pkgs.slack}/lib/slack/slack";
           }
         ];
       };

diff --git a/modules/work.nix b/modules/work.nix
@@ -9,41 +9,44 @@
   services.tailscale.enable = lib.mkForce true;
 
 
-
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-
   services.opensnitch.rules = {
-    rule-012-cargo = {
-      name = "Allow cargo";
-      enable = true;
+    # Since we have encrypted DNS disabled we should whitelist nsncd.  This is unfortunately a very broad whitelist
+    rule-100-dns = {
+      name = "Allow DNS from nsncd";
+      enabled = true;
       action = "allow";
       duration = "always";
       operator = {
         type = "list";
         operand = "list";
         list = [
           {
-            type = "regexp";
+            type = "simple";
+            sensitive = false;
             operand = "process.path";
-            # Since we might have multiple rust versions installed we can't work off the exact path
-            data = ".*cargo$";
+            data = "${lib.getBin pkgs.nsncd}/bin/nsncd";
           }
           {
-            type = "regexp";
-            operand = "dest.host";
+            type = "simple";
+            operand = "protocol";
             sensitive = false;
-            data = "^(([a-z0-9|-]+\.)*crates\.io|github\.com|)$";
+            data = "udp";
+          }
+          {
+            type = "simple";
+            operand = "dest.port";
+            sensitive = false;
+            data = "53";
           }
-
         ];
       };
     };
-    rule-013-curl = {
-      # name = "Allow some expected curl desinations from work flake";
-      enable = true;
+    # Once again unfortunately pretty broad.  We don't have great view into what tailscale will connect to or do.
+    rule-100-tailscale = {
+      name = "Allow tailscale";
+      enabled = true;
       action = "allow";
+      duration = "always";
       operator = {
         type = "list";
         operand = "list";
@@ -52,16 +55,16 @@
             type = "simple";
             sensitive = false;
             operand = "process.path";
-            data = "${lib.getBin pkgs.curl}/bin/curl";
-          }
-          {
-            type = "simple";
-            operand = "dest.host";
-            sensitive = false;
-            data = "tarballs.nixos.org";
+            data = "${lib.getBin pkgs.tailscale}/bin/.tailscaled-wrapper";
           }
         ];
       };
     };
   };
+
+
+
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
 }
diff --git a/modules/zoom.nix b/modules/zoom.nix
@@ -16,7 +16,7 @@
         type = "simple";
         sensitive = false;
         operand = "process.path";
-        data = "${lib.getBin pkgs.zoom-us}opt/zoom/.zoom";
+        data = "${lib.getBin pkgs.zoom-us}/opt/zoom/.zoom";
       };
     };
   };