
Opensnitch: init at 1.0.0b and provide NixOS module #76897

Closed
wants to merge 2 commits into from

Conversation

timor
Member

@timor timor commented Jan 3, 2020

Motivation for this change

Opensnitch seems to be a useful personal firewall application to control (at the moment only outgoing) connections per process/user/destination.
See also: #76610

Things done

The package provides two attributes, the daemon opensnitchd and the UI program opensnitch-ui, which are built from the same source.

Additionally, a NixOS module is provided which starts the daemon as a system service, and (default behavior) runs the UI process in each user's graphical session as a user service.

Some support is added for generating predefined rules, since e.g. per-process rules that have been created via the UI prompt become obsolete if the store path to a program changes.

Issues:

  • Had some problems trying to put the socket file under /run/..., so it currently resides under the default /tmp.

  • Permissions of log files, socket file and rules files could be wrong

  • Upstream uses version 1.0.0b, but there seems to be no definitive release. Since upstream also advertises this as unstable, I added the commit date to the version number.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)

  • Built on platform(s)

    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)

  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"

  • Tested execution of all binary files (usually in ./result/bin/)

  • Determined the impact on package closure size (by running nix path-info -S before and after)

  • Ensured that relevant documentation is up to date

  • Fits CONTRIBUTING.md.

NOTE:

  • Developed and tested the package and the module on 19.09
  • Only tested evaluation on master

@adisbladis
Member

Opensnitch is not maintained; it also does not yet have a tagged release (not even a beta release).
I don't think it belongs in Nixpkgs.

@timor
Member Author

timor commented Jan 7, 2020

There is a fork which aimed to stabilize a version recently (end of 2019). I'll see how that works. If it makes sense, I will open a new PR.

@timor timor closed this Jan 7, 2020
@onny
Contributor

onny commented Jul 17, 2020

> There is a fork which aimed to stabilize a version recently (end of 2019). I'll see how that works. If it makes sense, I will open a new PR.

That would be great! There's already a stable version 1.0: https://github.com/gustavo-iniguez-goya/opensnitch/releases/tag/v1.0.0 Looks really well maintained!
