Best way to automatically restart Opensnitch in NixOS?

Reading through this stack, I was wondering what’s the best nix-way to keep Opensnitch running across hibernates. Currently, Opensnitch dies about half the time after hibernating my laptop.

I currently have the following in configuration.nix:

services.opensnitch.enable = true;

And the following in home.nix:

services.opensnitch-ui.enable = true;

I didn’t find any additional info in the Opensnitch Wiki or the Nixos Wiki: Opensnitch. So I added the following script to my system scripts:

  post-hibernate-cpr = pkgs.writeShellScriptBin "post-hibernate-cpr" ''
    if ! pgrep -x "opensnitchd" > /dev/null; then
      systemctl enable --user --now opensnitch
    fi
  '';

Then I added the following to my hyprland config:

      bindl = [ ",switch:off:Lid Switch, exec, post-hibernate-cpr" ]

So far, so good. If there’s a better solution that gets to the root cause, please let me know so I can ditch this band-aid.

If you find that it reliably works, I suggest adding it to the official NixOS wiki, OpenSnitch - NixOS Wiki (not the old nixos.wiki), unless there is a better solution.

Also see hibernate - Script that is executed after resuming from hibernation? - Unix & Linux Stack Exchange for a general systemd service instead of something specific to hyprland. Code search results · GitHub


Thank you for the reply. If this works, I will definitely try adding it to the wiki.

I’m curious about adding a post-hibernate systemd service. A quick search for “00myscript nixos” didn’t return anything. Do you have any recommendations on how to go about trying this?

Also, my system already has a service for opensnitch with Restart=always. I wonder if this could be a bug with systemd, and if the solution to a systemd problem could really be adding an additional service. Worth a shot, I suppose. It would be a more general solution that would work for other users than my hyprland-specific solution.

[Unit]
Description=Application firewall OpenSnitch
Documentation=https://github.com/evilsocket/opensnitch/wiki

[Service]
Type=simple
PermissionsStartOnly=true
ExecStart=/nix/store/66578x0nsgxqkcxrpkhqzcgimf2f0xp5-opensnitch-1.6.6/bin/opensnitchd -rules-path /etc/opensnitchd/rules
Restart=always
RestartSec=30
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
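
A sketch of the post-hibernate systemd service discussed in this thread, written as a NixOS module fragment for configuration.nix. It is an added example, not code from any poster or from the OpenSnitch project. The unit name `opensnitch-resume-check` is hypothetical, and the daemon's unit name `opensnitchd.service` is an assumption to confirm on your system with `systemctl list-units 'opensnitch*'`.

```nix
# Added example: run a check after every resume from hibernation and
# bring the application firewall back if it is not active.
{ config, ... }:
let
  # Assumption: name of the system unit that runs opensnitchd.
  firewallUnit = "opensnitchd.service";

  # systemd activates these targets for the hibernate variants; they only
  # finish activating once the machine has resumed.
  sleepTargets = [
    "hibernate.target"
    "hybrid-sleep.target"
    "suspend-then-hibernate.target"
  ];

  systemctl = "${config.systemd.package}/bin/systemctl";
in
{
  services.opensnitch.enable = true;

  # Hypothetical unit name.
  systemd.services.opensnitch-resume-check = {
    description = "Restart OpenSnitch if it is not running after resume";

    # Pulled in by the sleep targets, ordered after them, so the script
    # runs on the resume side rather than before going to sleep.
    wantedBy = sleepTargets;
    after = sleepTargets;

    serviceConfig.Type = "oneshot";

    # Runs as root in the system manager, so no --user flag and no
    # dependency on a particular compositor or lid-switch binding.
    script = ''
      if ! ${systemctl} is-active --quiet ${firewallUnit}; then
        echo "${firewallUnit} not active after resume, restarting"
        ${systemctl} restart ${firewallUnit}
      fi
    '';
  };
}
```

After a resume, `journalctl -b -u opensnitch-resume-check` shows whether the check had to restart the daemon, which also records how often the firewall was down when the session came back.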