OpenSnitch rules defined in opensnitch.nix do not work correctly

I am trying to set up OpenSnitch (an application firewall) on my NixOS machine. I am running NixOS unstable using a flake-based setup.

I have OpenSnitch installed and set up in my opensnitch.nix config file, and it works: I can manually save rules using the GUI when applications try to access the network. However, all the rules get reset when I upgrade my system, because the rules use the application path in the Nix store, which changes on upgrade.

So I have just spent several hours defining rules in my opensnitch.nix file using services.opensnitch.rules, as there you can use ${lib.getBin pkgs.PKG_NAME} to dynamically get the Nix store path for a given executable, and it will auto-update on system upgrade.

The rules created manually with the GUI live in the /var/lib/opensnitch/rules directory as one .json file per rule. Each rule defined in opensnitch.nix is added as a symlink in this directory pointing to the relevant Nix store path. The Nix-defined rules show up in the GUI, but they do not work, as I still get asked for manual approval for connections that the rule allows.

I have compared the .json file of a rule created with the GUI against the version of the same rule I have defined in opensnitch.nix, and they have the same content, but the Nix-defined one is not nicely formatted JSON. I have tried everything I can think of, so I am coming here to look for some help to figure this out!

Does anyone have experience with writing OpenSnitch rules, or tips for next steps to figure this out?

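For readers who want to see what the post's approach looks like in full, here is an added example of a NixOS module that declares OpenSnitch rules through services.opensnitch.rules with lib.getBin. It is not the poster's opensnitch.nix and not code from the OpenSnitch or NixOS projects; the rule names (curl-allow, wget-deny) and the choice of packages are assumptions made for the example. The field set used (name, enabled, action, duration, operator with type, sensitive, operand, data) is the one shown in the NixOS opensnitch module's option example.

```nix
{ config, lib, pkgs, ... }:

{
  services.opensnitch = {
    enable = true;

    # Each attribute below becomes one JSON rule file that the NixOS
    # module links into /var/lib/opensnitch/rules. The attribute names
    # and the packages chosen here are made up for this example.
    rules = {
      curl-allow = {
        name = "curl-allow";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          # lib.getBin evaluates to the store path of the package
          # currently in the closure, so the rule follows the binary
          # across upgrades instead of pinning an old /nix/store hash.
          data = "${lib.getBin pkgs.curl}/bin/curl";
        };
      };

      wget-deny = {
        name = "wget-deny";
        enabled = true;
        action = "deny";
        duration = "always";
        operator = {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          data = "${lib.getBin pkgs.wget}/bin/wget";
        };
      };
    };
  };
}
```

Two checks are worth doing after nixos-rebuild switch. First, ls -l /var/lib/opensnitch/rules should show the declared rules as symlinks into /nix/store, next to any plain .json files the GUI wrote. Second, because a process.path rule is compared against the path of the executable that is actually running, confirm that the string in data is exactly what the daemon will see: run the program, then readlink /proc/<pid>/exe and compare it with the data value in the rule file. If the package's bin entry is a wrapper script rather than the real binary, the running executable will be something else (for example the interpreter), and a rule written against "$out/bin/<name>" will not match even though the JSON content is otherwise identical to a GUI-created rule. Whitespace or key ordering in the JSON does not matter for the comparison; the operand value does.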