Help with OpenSnitch

What did you try? You need to put pkgs. in front of the attributes that come from the nixpkgs set of packages.

I tried
(appimageTools.extract { inherit (pkgs.tutanota-desktop) pname version src; }).outPath
and
(appimageTools.extract { inherit (${pkgs.tutanota-desktop}) pname version src; }).outPath
and I don’t remember what else.
I don’t know the syntax, could you tell me exactly what to write? These hints are too difficult for me.

appimageTools also comes from pkgs. That wasn’t a hint, I believe rhendric explicitly said that before.

It doesn’t work, I think because there is no such package.
So usually I would enter
"${pkgs.tutanota-desktop}/tutanota-desktop"
What do I write instead?

What doesn’t work, and what is the error? If you actually want help debugging, you need to provide that every time you try something new. And ideally the code should be shown in context.

The output is

"data": "(appimageTools.extract { inherit (pkgs.tutanota-desktop) pname version src; }).outPath/tutanota-desktop"

so I’m asked to add a rule on the fly, which outputs

"data": "/nix/store/zkyclgj54igrrns6dsicck3kbx727yvi-tutanota-desktop-250.241025.0-extracted/tutanota-desktop"

but entering

(appimageTools.extract { inherit (pkgs.tutanota-desktop) pname version src; }).outPath

in nix repl actually outputs

"/nix/store/zkyclgj54igrrns6dsicck3kbx727yvi-tutanota-desktop-250.241025.0-extracted"

So I don’t understand why it doesn’t work. With session-desktop instead I get a wrong path, with both session-desktop and session-desktop-appimage, which are the only two possibilities.

What doesn’t work? Those paths are the same, except the first path has /tutanota-desktop at the end. So you can put that at the end of the second path?

No, that’s the rule generated by opensnitch from my configuration, this

"data": "(appimageTools.extract { inherit (pkgs.tutanota-desktop) pname version src; }).outPath/tutanota-desktop"

so it doesn’t work and the software asks me for a rule on the fly, that actually is

"data": "/nix/store/zkyclgj54igrrns6dsicck3kbx727yvi-tutanota-desktop-250.241025.0-extracted/tutanota-desktop"

So that expression is not converted into an actual path by opensnitch.

Does that mean you are configuring using the GUI? That won’t work because it does not know how to interpret the Nix code.

If you use configuration.nix maybe it would help posting it here.


I’m using configuration.nix; here are the entries:

tutanota = {
  name = "Tutanota";
  enabled = true;
  action = "allow";
  duration = "always";
  operator = {
    type = "list";
    sensitive = false;
    operand = "list";
    list = [
      {
        type = "simple";
        operand = "process.path";
        sensitive = false;
        data = "(appimageTools.extract { inherit (pkgs.tutanota-desktop) pname version src; }).outPath/tutanota-desktop";
      }
      {
        type = "regexp";
        operand = "dest.host";
        sensitive = false;
        data = "^(|.*\\.)tuta\\.com";
      }
    ];
  };
};

and

session-desktop = {
  name = "session-desktop";
  enabled = true;
  action = "allow";
  duration = "always";
  operator = {
    type = "simple";
    sensitive = false;
    operand = "process.path";
    data = "(appimageTools.extract { inherit (pkgs.session-desktop-appimage) pname version src; }).outPath/session-desktop-bin";
  };
};

If you want to write nix code in a string, you need to interpolate the nix code with ${}.

"${(appimageTools.extract { inherit (pkgs.tutanota-desktop) pname version src; }).outPath}/tutanota-desktop"

I get this error
error: undefined variable 'appimageTools'

Now you need to prepend pkgs. in front of it because it is in that scope.
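
The corrected Tutanota rule assembled from the replies above, as an added example that is not part of the original posts. It assumes the entries live under the NixOS `services.opensnitch.rules` option; the `tutanotaExtracted` binding and the trailing `$` on the host regexp are additions of this example.

```nix
{ pkgs, ... }:
let
  # Same expression as in the thread, bound once so the rule stays readable.
  # Name is hypothetical; appimageTools must be reached through pkgs.
  tutanotaExtracted = pkgs.appimageTools.extract {
    inherit (pkgs.tutanota-desktop) pname version src;
  };
in
{
  services.opensnitch = {
    enable = true;
    rules.tutanota = {
      name = "Tutanota";
      enabled = true;
      action = "allow";
      duration = "always";
      operator = {
        type = "list";
        sensitive = false;
        operand = "list";
        list = [
          {
            type = "simple";
            operand = "process.path";
            sensitive = false;
            # Wrong: a plain string is copied into the rule verbatim, so
            # opensnitch compares process paths against Nix source text:
            #   data = "(appimageTools.extract { ... }).outPath/tutanota-desktop";
            # Right: ${...} makes Nix evaluate the expression. Interpolating
            # a derivation yields its outPath, i.e. the /nix/store/... path.
            data = "${tutanotaExtracted}/tutanota-desktop";
          }
          {
            type = "regexp";
            operand = "dest.host";
            sensitive = false;
            # End anchor added in this example: without "$" the pattern also
            # matches hosts that only start with tuta.com, such as
            # tuta.com.example.net, which widens the allow rule.
            data = "^(|.*\\.)tuta\\.com$";
          }
        ];
      };
    };
  };
}
```

Because the store path is computed at evaluation time, the rule follows the package across updates instead of pinning one hash.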

I see. It works for tutanota-desktop but it doesn’t for session desktop with both

"${(pkgs.appimageTools.extract { inherit (pkgs.session-desktop) pname version src; }).outPath}"

and

"${(pkgs.appimageTools.extract { inherit (pkgs.session-desktop-appimage) pname version src; }).outPath}"

I get this

error: builder for '/nix/store/a77ilkjx0jc2h9m7v3v5i2aj5wa4mfyn-session-desktop-1.13.2-extracted.drv' failed to produce output path for output 'out' at '/nix/store/a77ilkjx0jc2h9m7v3v5i2aj5wa4mfyn-session-desktop-1.13.2-extracted.drv.chroot/root/nix/store/fm0lypy87r17q3wir4qr9vrashninpka-session-desktop-1.13.2-extracted'
error: 1 dependencies of derivation '/nix/store/5kgqvb7dnmyg5m61jb5psf0jfzbrnf6r-rule.drv' failed to build
error: 1 dependencies of derivation '/nix/store/z0g40lmnrpm70b30lszvcsq2gjwxp9yk-unit-script-opensnitchd-pre-start.drv' failed to build
error: 1 dependencies of derivation '/nix/store/p29s3jalc0j245b12gx767lq5966yfa1-unit-opensnitchd.service.drv' failed to build
error: 1 dependencies of derivation '/nix/store/ki4gzy41nyhz386jg6a0frx759a1n147-system-units.drv' failed to build
error: 1 dependencies of derivation '/nix/store/rws878zjw66qbf37frhizj4m1ycipd0n-etc.drv' failed to build
error: 1 dependencies of derivation '/nix/store/zr7mbck6ls34ynfwq2jwa95b12qzilby-nixos-system-nixos-24.11.712512.3f0a8ac25fb6.drv' failed to build

I’m not using OpenSnitch and also learned something new today (thanks @rhendric for the repl introduction) but when I run this in the repl I don’t get any errors so I think that should work fine in your config as well.

"${(pkgs.appimageTools.extract { inherit (pkgs.session-desktop-appimage) pname version src; }).outPath}"

One thing I noticed is that you use .outPath/session-desktop-bin which from my understanding will not work because the binary is located in the subfolder /bin.

Something I like to do (and I would still consider myself a beginner in Nix/NixOS so please anyone correct me if this is not advised) is to use lib.getExe to get the actual binary. To that function you would need to pass the unwrapped derivation itself.

So if you run this in the repl you should get the correct path:

pkgs.lib.getExe (pkgs.appimageTools.extract { inherit (pkgs.session-desktop-appimage) pname version src; })
nix-repl> pkgs.lib.getExe (pkgs.appimageTools.extract { inherit (pkgs.session-desktop-appimage) pname version src; })
evaluation warning: getExe: Package "session-desktop-1.13.2-extracted" does not have the meta.mainProgram attribute. We'll assume that the main program has the same name for now, but this behavior is deprecated, because it leads to surprising errors when the assumption does not hold. If the package has a main program, please set `meta.mainProgram` in its definition to make this warning go away. Otherwise, if the package does not have a main program, or if you don't control its definition, use getExe' to specify the name to the program, such as lib.getExe' foo "bar".
"/nix/store/fm0lypy87r17q3wir4qr9vrashninpka-session-desktop-1.13.2-extracted/bin/session-desktop"

No, the output path is not correct. Same result with session-desktop-appimage and session-desktop; it’s the same path as the other command:

nix-repl> "${(pkgs.appimageTools.extract { inherit (pkgs.session-desktop-appimage) pname version src; }).outPath}"
"/nix/store/fm0lypy87r17q3wir4qr9vrashninpka-session-desktop-1.13.2-extracted"

The correct path generated by opensnitch is

"data": "/nix/store/s8bx7i3zi5vkklyhgmdrf4r372hfgwsb-session-desktop-1.13.2-extracted/session-desktop-bin"

Ok, now I get your point: you don’t find the correct derivation to use in your configuration. Sadly this is not something I can help you with.

Yeah, sorry, I’m a noob and don’t know how to describe things properly. Derivation it is.

I tried this with another package built from an extracted Appimage and it works just by changing the package name, but I can’t find the correct derivation for session-desktop as described here, could you help with that?

As said, I’m still new to many things related to nix as well.

I stumbled upon this thread searching for something else but I have no idea if that would help.