Setup OpenSnitch on NixOS
For a few days now, the Linux application firewall OpenSnitch has been available in the unstable channel of NixOS. It already works great, but there is no easy way to deploy it yet. Here’s a short tutorial on how to set it up manually.
First of all, make sure you import the unstable channel in your configuration:

{ config, pkgs, lib, ... }:
let
  unstable = import <nixos-unstable> {};
in
{
  [...]
You’ll also have to add and update the channel:

nix-channel --add https://nixos.org/channels/nixos-unstable nixos-unstable
nix-channel --update
Add the required packages to the systemPackages config:

[...]
environment = {
  systemPackages = with pkgs; [
    unstable.opensnitch
    unstable.opensnitch-ui
    [...]
We’ll have to run the background daemon opensnitchd at startup as a systemd service:

systemd = {
  services = {
    opensnitch = {
      description = "Opensnitch Application Firewall Daemon";
      wants = ["network.target"];
      after = ["network.target"];
      wantedBy = ["multi-user.target"];
      path = [ pkgs.iptables ];
      serviceConfig = {
        Type = "simple";
        PermissionsStartOnly = true;
        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /etc/opensnitch/rules";
        ExecStart = "${unstable.opensnitch}/bin/opensnitchd -rules-path /etc/opensnitch/rules";
        Restart = "always";
        RestartSec = 30;
      };
      enable = true;
    };
  };
};
You can change the path to the rules directory according to your needs.
In the next step we’ll want to autostart opensnitch-ui, which is the graphical userland application asking for permissions. In my case I’m using the sway window manager, and it’s possible to configure the applications which will run at start:

wayland.windowManager.sway = {
  enable = true;
  config = {
    [...]
    startup = [
      { command = "opensnitch-ui"; }
    ];
    floating.criteria = [
      { "title" = "^OpenSnitch v.*"; }
    ];
    [...]
The floating criteria configuration is necessary to display the popup windows of opensnitch-ui correctly.
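To see how the snippets above fit together, here is one complete NixOS module assembling every step of this post. It is an added example, not configuration from the original post or from the OpenSnitch project. It assumes the nixos-unstable channel has been added under the name nixos-unstable as shown earlier, and that the sway part is managed by the home-manager NixOS module (wayland.windowManager.sway is a home-manager option, so it is placed under home-manager.users.<name>; the username alice is a placeholder).

```nix
# Added example: a single NixOS module assembling the steps from the post.
# Assumptions: <nixos-unstable> is an added channel (nix-channel --add ...),
# and the home-manager NixOS module is imported; "alice" is a placeholder user.
{ config, pkgs, lib, ... }:

let
  # Import the unstable channel once and reuse it below.
  unstable = import <nixos-unstable> { };
  # Rules live outside the Nix store so decisions made in the UI survive rebuilds.
  rulesDir = "/etc/opensnitch/rules";
in
{
  environment.systemPackages = [
    unstable.opensnitch     # opensnitchd, the privileged daemon
    unstable.opensnitch-ui  # the user-session GUI that prompts for a decision
  ];

  systemd.services.opensnitch = {
    description = "Opensnitch Application Firewall Daemon";
    wants = [ "network.target" ];
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    # opensnitchd needs iptables on its PATH to hook the netfilter queue.
    path = [ pkgs.iptables ];
    serviceConfig = {
      Type = "simple";
      PermissionsStartOnly = true;
      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${rulesDir}";
      ExecStart = "${unstable.opensnitch}/bin/opensnitchd -rules-path ${rulesDir}";
      # Restart the daemon if it dies, so applications do not run unfiltered.
      Restart = "always";
      RestartSec = 30;
    };
  };

  # Per-user part: start the UI with sway and float its permission popups.
  home-manager.users.alice = {
    wayland.windowManager.sway = {
      enable = true;
      config = {
        startup = [
          { command = "opensnitch-ui"; }
        ];
        floating.criteria = [
          { title = "^OpenSnitch v.*"; }
        ];
      };
    };
  };
}
```

After nixos-rebuild switch, systemctl status opensnitch shows whether the daemon came up, and the rules directory fills with one JSON file per decision you make in the UI; keeping it on /etc rather than in the store is what lets those decisions persist.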
That’s it :) After a reboot, you should see OpenSnitch start asking for permissions!
You mean `rebuild`, right?
It depends if the systemd service is starting correctly after rebuild. Otherwise a reboot ensures that daemon and client are run after boot