
From git To Nix

Thanks to TheCyberARcher: your recent release post on Mastodon made this content possible 😆

How do you take a git repo, turn it into Nix code, and have those changes affect a local package? Let's grab a repo I recently discovered called Respect My Internet, port its install.sh to Nix, and test that the software is working as expected.

OpenSnitch

First released for macOS as Little Snitch, this host-based firewall uses a simple UI to report on any network connection coming from the system; you accept or deny it, and apply rules from files or in the UI.

Respect My Internet

This is a collection of rules, regex rules, and DNS blocklists. Its install.sh script copies the rules from the repo into the appropriate directories on the system.

Perfect! This is a great candidate for a simple Nix conversion.

# install.sh from the Respect My Internet repo: moves the rule sets into OpenSnitch's config tree
mkdir /etc/opensnitchd/blocklist/
mv ./blocklist/respect-my-internet.txt /etc/opensnitchd/blocklist/
mv ./blocklist/ip/ /etc/opensnitchd/
mv ./regex /etc/opensnitchd/
mv ./rules/* /etc/opensnitchd/rules/

# rmi-opensnitch.nix: the same steps as a postInstall hook on the OpenSnitch package
{ pkgs ? import <nixpkgs> { } }:
let
  # pinned checkout of the Respect My Internet repo; url and rev are placeholders to fill in
  repo = pkgs.fetchgit {
    url = "URL-OF-RESPECT-MY-INTERNET-REPO";
    rev = "COMMIT-PLACEHOLDER";
    hash = pkgs.lib.fakeHash;  # replace with the hash the first build reports
  };
in
pkgs.opensnitch.overrideAttrs (oldAttrs: {
  postInstall = (oldAttrs.postInstall or "") + ''
    mkdir -p $out/etc/opensnitchd/rules/
    mkdir -p $out/etc/opensnitchd/blocklist
    cp -r ${repo}/blocklist/respect-my-internet.txt $out/etc/opensnitchd/blocklist/
    cp -r ${repo}/blocklist/ip/ $out/etc/opensnitchd/
    cp -r ${repo}/regex $out/etc/opensnitchd/
    cp -r ${repo}/rules/*.json $out/etc/opensnitchd/rules/
  '';
})

Modifying OpenSnitch

Since the NixOS filesystem is mostly read-only, to prevent system alteration outside of what's defined in your Nix code, manually adding these files won't work. Instead we want to accomplish this by modifying the OpenSnitch package as it's being installed and updated.

{ pkgs ? import <nixpkgs> { } }: Whaaaaatdufug is this sorcery?

{ pkgs ? import <nixpkgs> {} }: & pkgs.opensnitch.overrideAttrs {...}

It's actually a function that takes pkgs as an argument. So when you import this file you will need to either pass pkgs yourself or use the callPackage function, which supplies it for you.

(import ./rmi-opensnitch.nix { pkgs = pkgs; })

pkgs.callPackage ./rmi-opensnitch.nix {}
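Once the package builds (nix-build rmi-opensnitch.nix leaves a ./result symlink), it is worth checking that the output actually carries what install.sh would have put in place: those rules come from a third-party repo, and a silent copy failure would leave OpenSnitch running without them. The Python check below is an added example, not code from this post or from either project; it walks a build output, reports missing paths and unparseable rule files, and assumes the OpenSnitch rule keys name/enabled/action/duration/operator, while make_sample_output builds a constructed stand-in for $out so it runs without a Nix build.

```python
import json
import os
import tempfile

# OpenSnitch rule keys and actions (assumed from the upstream rule format; not stated in the post).
RULE_KEYS = {"name", "enabled", "action", "duration", "operator"}
RULE_ACTIONS = {"allow", "deny", "reject"}
# What the postInstall hook above should leave under $out.
EXPECTED = ["etc/opensnitchd/blocklist/respect-my-internet.txt", "etc/opensnitchd/ip",
            "etc/opensnitchd/regex", "etc/opensnitchd/rules"]

def check_rmi_layout(out: str) -> list[str]:
    """Walk a build output (e.g. ./result) and list what is wrong; empty means OK."""
    problems = [f"missing: {rel}" for rel in EXPECTED
                if not os.path.exists(os.path.join(out, rel))]
    rules_dir = os.path.join(out, "etc/opensnitchd/rules")
    names = sorted(os.listdir(rules_dir)) if os.path.isdir(rules_dir) else []
    for name in names:
        rel = f"etc/opensnitchd/rules/{name}"
        if not name.endswith(".json"):  # install.sh moves rules/*; the port copies only *.json
            problems.append(f"non-json file: {rel}")
            continue
        try:
            with open(os.path.join(rules_dir, name), encoding="utf-8") as fh:
                rule = json.load(fh)
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            problems.append(f"unparseable rule {rel}: {exc}")
            continue
        missing = (RULE_KEYS - set(rule)) if isinstance(rule, dict) else RULE_KEYS
        if missing:
            problems.append(f"rule {rel} missing keys: {sorted(missing)}")
        elif rule["action"] not in RULE_ACTIONS:
            problems.append(f"rule {rel} unknown action: {rule['action']!r}")
    return problems

def make_sample_output(broken: bool = True) -> str:
    """Constructed stand-in for $out; broken=True leaves out regex/ and adds a garbage rule."""
    out = tempfile.mkdtemp()
    for sub in ["blocklist", "ip", "rules"] + ([] if broken else ["regex"]):
        os.makedirs(os.path.join(out, "etc/opensnitchd", sub))
    open(os.path.join(out, "etc/opensnitchd/blocklist/respect-my-internet.txt"), "w").close()
    rule = {"name": "deny-telemetry", "enabled": True, "action": "deny", "duration": "always",
            "operator": {"type": "regexp", "operand": "dest.host", "data": ".*telemetry.*"}}
    with open(os.path.join(out, "etc/opensnitchd/rules/000-deny-telemetry.json"), "w") as fh:
        json.dump(rule, fh)
    if broken:
        with open(os.path.join(out, "etc/opensnitchd/rules/001-broken.json"), "w") as fh:
            fh.write("{ this is not json")
    return out
```

Run check_rmi_layout("result") after the build; a non-empty list is the reason to stop before the package reaches a system configuration.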

This is all fine and good, but the package needs to be compiled with these changes on every system change. A better way would be to modify the already-built package with a system overlay.

Modify As Overlay