Merge pull request #132319 from onny/opensnitch

nixos/opensnitch: Add module for opensnitch

nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

@@ -128,6 +128,13 @@
           <link linkend="opt-services.vikunja.enable">services.vikunja</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/evilsocket/opensnitch">opensnitch</link>,
+          an application firewall. Available as
+          <link linkend="opt-services.opensnitch.enable">services.opensnitch</link>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           <link xlink:href="https://www.snapraid.it/">snapraid</link>, a

nixos/doc/manual/release-notes/rl-2111.section.md

@@ -41,6 +41,8 @@ pt-services.clipcat.enable).
 
 - [vikunja](https://vikunja.io), a to-do list app. Available as [services.vikunja](#opt-services.vikunja.enable).
 
+- [opensnitch](https://github.com/evilsocket/opensnitch), an application firewall. Available as [services.opensnitch](#opt-services.opensnitch.enable).
+
 - [snapraid](https://www.snapraid.it/), a backup program for disk arrays.
   Available as [snapraid](#opt-snapraid.enable).
 

nixos/modules/module-list.nix

@@ -915,6 +915,7 @@
   ./services/security/nginx-sso.nix
   ./services/security/oauth2_proxy.nix
   ./services/security/oauth2_proxy_nginx.nix
+  ./services/security/opensnitch.nix
   ./services/security/privacyidea.nix
   ./services/security/physlock.nix
   ./services/security/shibboleth-sp.nix

nixos/modules/services/security/opensnitch.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  name = "opensnitch";
+  cfg = config.services.opensnitch;
+in {
+  options = {
+    services.opensnitch = {
+      enable = mkEnableOption "Opensnitch application firewall";
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd = {
+      packages = [ pkgs.opensnitch ];
+      services.opensnitchd.wantedBy = [ "multi-user.target" ];
+    };
+
+  };
+}
+