author | Jonas Heinrich <onny@project-insanity.org> | 2023-05-03 10:43:17 +0200 |
committer | Yt <happysalada@tuta.io> | 2023-08-13 22:19:48 +0800 |
commit | c5f4a460368cd1d43c41a72a2523f689ee29e398 (patch) | |
tree | db6a95dc3fb90e7d52cce2762222749f2c962d72 /nixos/modules/services/security | |
parent | 821e188af56925b10be0fd835d651f327dd9a8ee (diff) | |
nixos/opensnitch: Add support for eBPF process monitor
Co-authored-by: Slime90
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r-- | nixos/modules/services/security/opensnitch.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix
index 98695b1ef060..013aeb16756c 100644
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix
@@ -147,7 +147,7 @@ in {
 config = mkIf cfg.enable {
 # pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected
- services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/default-config.json")));
+ services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/opensnitchd/default-config.json")));
 systemd = {
 packages = [ pkgs.opensnitch ];
@@ -171,9 +171,19 @@ in {
 ${concatMapStrings ({ file, local }: ''
 ln -sf '${file}' "${local}"
 '') rules}
+
+ if [ ! -f /etc/opensnitch-system-fw.json ]; then
+ cp "${pkgs.opensnitch}/etc/opensnitchd/system-fw.json" "/etc/opensnitchd/system-fw.json"
+ fi
 '');
- environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
+ environment.etc = mkMerge [ ({
+ "opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
+ }) (mkIf (cfg.settings.ProcMonitorMethod == "ebpf") {
+ "opensnitchd/opensnitch.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch.o";
+ "opensnitchd/opensnitch-dns.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch-dns.o";
+ "opensnitchd/opensnitch-procs.o".source = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd/opensnitch-procs.o";
+ })];
 };
 } |
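Review bot: The guard added in the second hunk tests `/etc/opensnitch-system-fw.json` while the `cp` on the next line writes to `/etc/opensnitchd/system-fw.json`, so the condition never sees the file it is meant to protect and the packaged system-fw.json is copied over the destination on every activation, silently discarding any local edits to that file. The test should name the destination path: `if [ ! -f /etc/opensnitchd/system-fw.json ]; then`. If this file is presumably the daemon's system firewall rule set (not confirmed from the hunk), an unconditional overwrite also means a locally hardened ruleset does not survive a rebuild, which is worth a short comment on the copy explaining that it is a one-time seed only. The enclosing activation-script string and the `config` attribute set both start before this hunk.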