nixos/opensnitch: link network_aliases.json to /etc/opensnitchd (#525887)

2026-06-05 21:03:40 +00:00 · 2026-06-03 16:04:55 +00:00
parent 7c2c92f104 1859b4a89b
commit 556c4bdf22
2 changed files with 18 additions and 4 deletions
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix
@@ -207,6 +207,7 @@ in
      };
      tmpfiles.rules = [
        "d ${cfg.settings.Rules.Path} 0750 root root - -"
+        "L+ /etc/opensnitchd/network_aliases.json - - - - ${cfg.package}/etc/opensnitchd/network_aliases.json"
        "L+ /etc/opensnitchd/system-fw.json - - - - ${cfg.package}/etc/opensnitchd/system-fw.json"
      ];
    };
--- a/nixos/tests/opensnitch.nix
+++ b/nixos/tests/opensnitch.nix
@@ -54,10 +54,23 @@ in
              action = "allow";
              duration = "always";
              operator = {
-                type = "simple";
-                sensitive = false;
-                operand = "process.path";
-                data = "${pkgs.curl}/bin/curl";
+                type = "list";
+                operand = "list";
+                list = [
+                  {
+                    type = "simple";
+                    sensitive = false;
+                    operand = "process.path";
+                    data = "${pkgs.curl}/bin/curl";
+                  }
+                  # Check that network aliases like "LAN" are properly resolved.
+                  {
+                    type = "network";
+                    sensitive = false;
+                    operand = "dest.network";
+                    data = "LAN";
+                  }
+                ];
              };
            };
          };