I have opensnitch installed globally for all users using `services.opensnitch.enable = true;`. Then, I enable opensnitch-ui for all users using Home Manager.
```nix
# File: /etc/nixos/configuration.nix
{ config, pkgs, lib, ... }:
let
  # Home Manager services shared by every user
  my_services = {
    opensnitch-ui.enable = true;
  };
in
```
And
```nix
home-manager.users.userA = { pkgs, ... }: {
  # Shared services merged with per-user overrides
  services = lib.recursiveUpdate my_services {
    # ... some customizations for the user ...
  };
};
```
I have the exact same syntax for users A, B, C. OpenSnitch gets started when opensnitch-ui starts, and it consistently only starts for user A. For users B and C it doesn’t, and all network traffic goes unchecked.
I have tried setting the services directly as well, same result:
```nix
home-manager.users.userC = { pkgs, ... }: {
  services = {
    opensnitch-ui.enable = true;
  };
};
```
What can I do to troubleshoot this?
Going through the Home Manager, OpenSnitch UI was not available for those other users; not sure why. I added a custom service since I wanted it available to all users anyway.
```nix
environment.systemPackages = with pkgs; [
  opensnitch-ui
];
systemd.user.services.opensnitch-ui = {
  description = "OpenSnitch UI";
  enable = true;
  path = [ pkgs.opensnitch-ui ];
  script = "opensnitch-ui";
  after = [ "graphical-session.target" ];
  partOf = [ "graphical-session.target" ];
  wantedBy = [ "graphical-session.target" ];
  stopIfChanged = true;
  restartIfChanged = true;
};
```
With that, OpenSnitch UI was made available and I was able to troubleshoot this further.
```
$ opensnitch-ui
WARNING:root:qt_material must be imported after PySide or PyQt!
Loaded network aliases from /nix/store/r9xi01z2nndpgdb5a8lqslwlsp8if6l9-opensnitch-ui-1.7.2/lib/python3.13/site-packages/opensnitch/utils/network_aliases/network_aliases.json
~ OpenSnitch GUI - 1.7.2 ~
protobuf: 6.33.1 - grpc: 1.76.0
--------------------------------------------------
QT_AUTO_SCREEN_SCALE_FACTOR: True
gRPC Max Message Length: None
Bytes: 4194304
is new file, or IN MEMORY, setting initial schema version
setting schema version to: 3
setting schema version to: 3
Setting journal_mode: OFF
Setting DB memory optimizations
schema version: 3
db schema is up to date
actions.__init__ exception: [Errno 17] File exists: '/home/userC/.config//opensnitch/actions/'
actions.__init__ exception: [Errno 17] File exists: '/home/userC/.config//opensnitch/actions/'
Loading translations: /nix/store/r9xi01z2nndpgdb5a8lqslwlsp8if6l9-opensnitch-ui-1.7.2/lib/python3.13/site-packages/opensnitch/utils/../i18n locale: en_US
using IPASN DB: /nix/store/nr1xrj0b1aqkjvrpf0g3ivj99zvh121l-python3.13-pyasn-1.6.2/lib/python3.13/site-packages/pyasn/data/ipasn_20140513_v12.dat.gz
actions.__init__ exception: [Errno 17] File exists: '/home/userC/.config//opensnitch/actions/'
Using server address: unix:///tmp/osui.sock auth type: simple
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
E0000 00:00:1770513972.175915 6135 add_port.cc:83] Failed to add port to server: No address added out of total 1 resolved for 'unix:///tmp/osui.sock'
Failed to bind to address unix:///tmp/osui.sock; set GRPC_VERBOSITY=debug environment variable to see detailed error message.
QSqlDatabasePrivate::removeDatabase: connection 'db' is still in use, all queries will cease to work.
```
There currently seems to be a limitation in OpenSnitch: it does not support running for multiple users: [Bug Report] OpenSnitch GUI can be used only by one user at a time · Issue #1341 · evilsocket/opensnitch · GitHub
However, what seems to have happened in my case is that the first time the socket was created, it was created by userA, and now other users do not have permission to use it, hence the failure even when no other user is using it.
I think next steps will be:
- For now, add the OpenSnitch rules to `configuration.nix`.
- Change the socket’s permissions, maybe at least all users will be able to use it - as long as nobody else is or until the issue is fixed.
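To check the socket-ownership theory above, this added example (not part of the original post and not OpenSnitch code) reports who owns a Unix socket such as `/tmp/osui.sock`, whether anything is listening on it, and whether a given uid may remove it under the sticky-bit rule that applies to `/tmp`. The function name `diagnose_socket` and its result keys are made up for this example.

```python
import os
import socket
import stat
import sys


def diagnose_socket(path, uid=None):
    """Report ownership, liveness and removability of a Unix socket file.

    `uid` is the user who wants to bind a fresh socket at `path`
    (defaults to the effective uid of the caller).
    """
    uid = os.geteuid() if uid is None else uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"exists": False}
    info = {
        "exists": True,
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "owner_uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "listening": None,  # None means "could not tell"
    }
    if info["is_socket"]:
        probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            probe.connect(path)
            info["listening"] = True       # another UI instance is serving
        except ConnectionRefusedError:
            info["listening"] = False      # stale file, no process behind it
        except PermissionError:
            pass                           # file mode forbids connecting
        finally:
            probe.close()
    # In a sticky directory such as /tmp, only root, the file's owner or the
    # directory's owner may unlink the entry, whatever the file mode says.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    sticky = bool(parent.st_mode & stat.S_ISVTX)
    info["removable_by_uid"] = (
        uid in (0, st.st_uid, parent.st_uid) if sticky else None
    )  # None: parent is not sticky, so this rule does not apply
    return info


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/osui.sock"
    for key, value in diagnose_socket(target).items():
        print(f"{key}: {value}")
```

A result of `listening: False` with `removable_by_uid: False` means a stale socket left by another user that the current user cannot unlink. In that case, relaxing the socket's file mode only changes who may connect to it, not who may replace it.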