nixos/opensnitch: Add module for opensnitch

[onny]

Motivation for this change

Opensnitch is one of the few Linux application firewalls. It is well maintained and we already have a package for it in Nixpkgs. As requested in this issue, this PR provides a module for OpenSnitch.

This PR is a continuation of an earlier one. It just enables the systemd service without any further configuration, which is not needed for using the daemon.

It depends on an other PR for including systemd unit files in the opensnitch package.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• 21.11 Release Notes (or backporting 21.05 Relase notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[aanderse]

Great module. Would merge as is. I have left some comments... they are all nitpicks, though. Hopefully nothing too annoying. If you want a hand with anything, or strongly disagree, please do mention.

Would it be possible in a future PR to read in the NixOS firewall rules and apply them here as well?

[aanderse]

I believe the same comment about default above applies here as well...

[onny]

I reworked this PR and module which now simply enables the opensnitch systemd service. Depends on including systemd unit files in opensnitch package.

[aanderse]

@onny sorry for the delay. All tested, ready to merge? LGTM 👍

[onny]

It works fine but it depends on this PR #137679 :)

[onny]

#137679 got merged and this PR is ready to go ;)

[aanderse]

@onny awesome stuff. What are the plans from here? Once the ui is in place what happens if a sysadmin has set rules with the NixOS firewall declaratively? If a user modifies these NixOS rules with opensnitch the rules will come back as soon as the firewall is reloaded.

Thoughts?

[asdf8dfafjk]

Stuff like this is when you kinda wish github added all the stars/bouquets one has received :)

[asdf8dfafjk]

For anyone only following the "latest" post- rules are in /var/lib/opensnitch/rules

Also, for those who didn't know, like me, opensnitch bundles adblocking too (https://github.com/evilsocket/opensnitch/blob/be32ddc574f70157e214f9018ea42e4b24148202/utils/legacy/make_ads_rules.py), although looks like this has some hardcoded paths too.

A bit of suggestion for future work "to whomsoever it might concern :)"

Ideally there would be "nixy" way of specifying rules so that every update doesn't need me to recreate all the rules (would get boring soon). A starting point for that work could be https://github.com/evilsocket/opensnitch/blob/8d3540f7f95b40afdd44255ab0ab22ce23cbd333/daemon/rule/rule.go. So I envisage an array of options with the fields same as the go file that would be serialized to a json inside /var/lib/opensnitch/rules.

[onny]

@onny awesome stuff. What are the plans from here? Once the ui is in place what happens if a sysadmin has set rules with the NixOS firewall declaratively? If a user modifies these NixOS rules with opensnitch the rules will come back as soon as the firewall is reloaded.

Thoughts?

I'm planning to add the UI part as a service/module to home-manager. I'm only using it to ask for all apps as default without any predefined rules. So this is not my use case and maybe someone else could add further config options?