Help with OpenSnitch

I’m trying to set up OpenSnitch, but there are some packages that I declare as pkgs.name, but I find them as /nix/store/.../name-1.2.3-extracted or /nix/store/.../name-1.2.3-unwrapped; there is no such version for these packages in the Nix Repo, and the store location id is different. How can I declare these differences?

I also need help with the syntax of the JSON config file, I added
services.opensnitch.settings = "/home/username/config.json";
but the syntax from upstream is not accepted and there’s no documentation for JSON syntax in NixOS.

Good luck. Pop open a REPL and go diving among the attributes of the derivation, and maybe you’ll find the path you’re looking for.

My OpenSnitch rules contain a lot of the following sort of things, of which type 3 is probably closest to what you’re talking about:

# Type 1 wrapped stuff:
  "${pkgs.mpv-unwrapped}/bin/mpv"
# Type 2 wrapped stuff:
  "${pkgs.evolution}/bin/.evolution-wrapped"
# Type 3 wrapped stuff:
  "${pkgs.ungoogled-chromium.browser}/libexec/chromium/chromium"

What I found is declaring this, for certain packages I get
/nix/store/.../mpv-1.2.3-extracted/bin/mpv

Is there a way to see what package a /nix/store/... path belongs to?

Can you share the full paths of what you are trying to find rather than ...?

/nix/store/rcvns6kf38zddhxq7q05msnjbyz8gmzd-electron-unwrapped-33.3.0/libexec/electron/electron

/nix/store/7xmnw0b726233nlpm1wcinzvw2l2f3x2-ungoogled-chromium-unwrapped-131.0.6778.204/libexec/chromium/chromium

/nix/store/zkyclgj54igrrns6dsicck3kbx727yvi-tutanota-desktop-250.241025.0-extracted/tutanota-desktop

This is just electron.unwrapped. As I said, pop open a REPL, poke around.

I literally gave you this one in my previous post.

Oh, this is an AppImage. Those suck. To get at this, and this often, but not always, works, try appimageTools.extract { inherit (tutanota-desktop) pname version src; }.

I’m sorry, I’m new to NixOS

I checked the sources and saw ungoogled-chromium is just chromium with additional flags, this doesn’t appear anywhere, how could I find that out by myself?

I don’t know what a REPL is or what you want me to do. electron.unwrapped is not in the repo, I only see electron, electron-bin and electron-chromedriver, none of which works.

where do I put this? I also found session-desktop

/nix/store/s8bx7i3zi5vkklyhgmdrf4r372hfgwsb-session-desktop-1.13.2-extracted/session-desktop-bin

does that apply if I simply swap tutanota-desktop with session-desktop?

Didja try ‘nix repl’ in your favorite search engine?

Never mind, here, choose your favorite learning style:

In this case:

$ nix repl --file '<nixpkgs>'
Nix 2.24.11
Type :? for help.
Loading installable ''...
Added 22925 variables.
nix-repl> electron. [[hit the Tab key]]
electron.__ignoreNulls                electron.mesonFlags
electron.__structuredAttrs            electron.meta
electron.all                          electron.name
electron.args                         electron.nativeBuildInputs
electron.buildCommand                 electron.out
electron.buildInputs                  electron.outPath
electron.builder                      electron.outputName
electron.cmakeFlags                   electron.outputs
electron.configureFlags               electron.override
electron.depsBuildBuild               electron.overrideAttrs
electron.depsBuildBuildPropagated     electron.overrideDerivation
electron.depsBuildTarget              electron.passthru
electron.depsBuildTargetPropagated    electron.patches
electron.depsHostHost                 electron.pname
electron.depsHostHostPropagated       electron.propagatedBuildInputs
electron.depsTargetTarget             electron.propagatedNativeBuildInputs
electron.depsTargetTargetPropagated   electron.stdenv
electron.dist                         electron.strictDeps
electron.doCheck                      electron.system
electron.doInstallCheck               electron.type
electron.dontWrapGApps                electron.unwrapped
electron.drvAttrs                     electron.userHook
electron.drvPath                      electron.version
electron.headers
electron.inputDerivation

Okay, unwrapped looks likely.

nix-repl> electron.unwrapped
«derivation /nix/store/gind6qk2lfxr2yl1xf9qn4xch7kvi7ch-electron-unwrapped-33.3.0.drv»

Great, it’s a derivation. Does it have a matching path?

nix-repl> electron.unwrapped.outPath
"/nix/store/rcvns6kf38zddhxq7q05msnjbyz8gmzd-electron-unwrapped-33.3.0"

Success.

Now you try!

Good question. Evaluate it in the REPL and find out!

Because this is a subtle point: a Nix expression that evaluates to a derivation, like electron, electron.unwrapped, or even appimageTools.extract { inherit (tutanota-desktop) pname version src; }, will look like «derivation /nix/store/....drv» in the REPL. But the path displayed there is the path of the derivation in the store; the path that the derivation is responsible for creating is called outPath (some derivations have other outputs, but let’s not get into that right now).

You can see outPath in the REPL by adding .outPath to the expression, as you saw me do above, but you also get the outPath when interpolating a derivation into a string, like with

"${ungoogled-chromium.browser}/libexec/chromium/chromium"


This holds equally for more complicated expressions like appimageTools.extract { inherit (tutanota-desktop) pname version src; }. You can get its output path like this:

(appimageTools.extract { inherit (tutanota-desktop) pname version src; }).outPath

or like this:

"${appimageTools.extract { inherit (tutanota-desktop) pname version src; }}"

though in a config file, most of us would define a local variable like this:

let
  tutanota-desktop-extracted = appimageTools.extract { inherit (tutanota-desktop) pname version src; };
in
"${tutanota-desktop-extracted}/tutanota-desktop"

All the nix repl stuff is wizardry to me. Anyway, adding .unwrapped after electron, thus ${pkgs.electron.unwrapped}, seems to work, I will try adding it to those packages from now on.

But I don’t understand the AppImage thing, it gives back this error
error: undefined variable 'appimageTools'
I guess there’s probably a universal thing to append here too, but .extracted doesn’t work.

You’re among wizards now. Declining to face it will only keep you helpless. If you don’t want to learn the tools, this may not be the distro for you.

undefined variable means that appimageTools isn’t a name in scope. Nothing you put after that will help. In this case, appimageTools should be just another thing you get from pkgs, like your packages.

I’m trying to learn the basics, I do want to learn, but I seem to find an obstacle at every step, this distro is way harder than I expected.

There is no such package. I already enabled Appimage support in the OS with

  programs.appimage.enable = true;
  programs.appimage.binfmt = true;

and also installed appimagekit, but it made no difference.

Even nix-repl> electron.unwrapped returns the same error, do I miss some system package?

Can you paste a copy of what you’ve tried? Either config or REPL transcript? This really shouldn’t be a question of what you have installed or anything like that.

I tried in my terminal

nix repl --file tutanota-desktop

and also running nix repl and then

nix-repl> tutanota-desktop
nix-repl> (appimageTools.extract { inherit (tutanota-desktop) pname version src; }).outPath

all those fail

Ah, yeah, what you want is this exactly:

nix repl --file '<nixpkgs>'

Or, some prefer just nix repl and then, after entering the REPL:

nix-repl> :l <nixpkgs>

Same effect either way. If you see Added 22925 variables. or some similarly large number, it worked. Among those 22k variables will be tutanota-desktop and appimageTools.

The blog post I linked before covers this and lots of other getting-started details.

Ok, that expression gave me the correct /nix/store path derivation as output. But how do I get the declarative option to get that path for the configuration.nix file?

I also tried with ungoogled-chromium and electron as you did, but I can’t see the options .browser and .unwrapped, I only got those because of you.

If I try nix-repl> tutanota-desktop.extracted I get

error: attribute 'extracted' missing

Getting started? Really? That seems more like postgraduate stuff

Same thing. Use the REPL as a fast way to find the right expressions to use in your config. You’ll need to get things from pkgs, so for example, ungoogled-chromium.browser will have to be pkgs.ungoogled-chromium.browser, and more complicated expressions will need another pkgs. before each variable (or you can ‘cheat’ and preface the entire expression with with pkgs;, which is considered poor form in large expressions but for a one-liner can make things clearer IMO).

Okay, do you know about tab completion? (If you don’t, search it!) It works the same way in the Nix REPL as it does in a generic Linux terminal. (Other terminal tricks like using the up-arrow to summon up a previous line work in the REPL too.)

Yes, again, tutanota-desktop is derived from an AppImage, so you’ll need to use appimageTools to rederive the path to the extracted files.

Ok I think I get it now, so with electron and ungoogled-chromium I would have to guess what to put after the period and try one by one until I find the correct path,
but with Appimages this can’t be done and must be evaluated differently,
but adding something like ${pkgs.ungoogled-chromium.browser} won’t do and I need a more complicated expression. Correct?
But (appimageTools.extract { inherit (tutanota-desktop) pname version src; }).outPath is not accepted in the configuration file, so I don’t know how to invoke the whole thing. Does the rederivation happen in nix repl? If so how?

Yup, though if you know you’re looking for /nix/store/…-electron-unwrapped-33.3.0, and you see electron.unwrapped in the list of things after you type electron. and hit Tab, that’s a good guess to try first! Chromium is admittedly harder to figure out.

Well, that should work for ungoogled-chromium. But if you mean that you won’t find an equivalently simple expression for AppImage-based packages, that’s correct.

It should be, once you’ve either put pkgs. in front of all the variables, inherited them from pkgs, or used a with pkgs;. (The final .outPath is unnecessary if you’re interpolating.)
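The expressions discussed in this thread, put together as a configuration.nix fragment. This is an added example, not code posted by anyone in the thread. It assumes the NixOS module's services.opensnitch.rules option; allowPath and the rule names are hypothetical, introduced here for illustration.

```nix
# configuration.nix fragment (added example, not from the thread).
{ pkgs, ... }:

let
  # AppImage-based package: re-derive the extracted tree with appimageTools,
  # taken from pkgs like any other package.
  tutanota-desktop-extracted = pkgs.appimageTools.extract {
    inherit (pkgs.tutanota-desktop) pname version src;
  };

  # Hypothetical helper: one "allow" rule keyed on the executable's full path.
  allowPath = name: path: {
    inherit name;
    enabled = true;
    action = "allow";
    duration = "always";
    operator = {
      type = "simple";
      sensitive = false;
      operand = "process.path";
      data = path;
    };
  };
in
{
  services.opensnitch.enable = true;

  services.opensnitch.rules = {
    # Wrapped package: point at the unwrapped derivation's binary.
    electron = allowPath "electron"
      "${pkgs.electron.unwrapped}/libexec/electron/electron";

    # Wrapper exposing the real browser as a separate attribute.
    chromium = allowPath "chromium"
      "${pkgs.ungoogled-chromium.browser}/libexec/chromium/chromium";

    # AppImage: interpolating the derivation yields its outPath.
    tutanota = allowPath "tutanota"
      "${tutanota-desktop-extracted}/tutanota-desktop";
  };
}
```

Because each path is interpolated from the derivation, the rule is regenerated with the new store path on every rebuild. Compare the generated path with the one OpenSnitch reports for the running process, since the AppImage re-derivation does not always reproduce the same store path.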

I tried many times in many ways, nothing seems to work. What is the correct syntax for configuration.nix?