For a few days now, the Linux application firewall OpenSnitch has been available in the unstable channel of NixOS. It already works great, but there is no easy way to deploy it yet. Here’s a short tutorial on how to set it up manually.

An application requesting network access through OpenSnitch

First of all, make sure you use and import the unstable channel in your configuration (the argument set must end with the literal `...` so the module accepts additional arguments):

{ config, pkgs, lib, ... }:
let
  unstable = import <nixos-unstable> {};
in
{
[...]

You’ll also have to add and update the channel:

nix-channel --add https://nixos.org/channels/nixos-unstable nixos-unstable
nix-channel --update

Add the required packages to the systemPackages config:

[...]
  environment = {
    systemPackages = with pkgs; [
      unstable.opensnitch
      unstable.opensnitch-ui
[...]

We’ll also have to run the background daemon, opensnitchd, as a systemd service:

systemd = {
  services = {
    opensnitch = {
      description = "Opensnitch Application Firewall Daemon";
      # The daemon needs the network up before it starts filtering
      wants = ["network.target"];
      after = ["network.target"];
      wantedBy = ["multi-user.target"];
      # opensnitchd shells out to iptables, so it must be on the service PATH
      path = [ pkgs.iptables ];
      serviceConfig = {
        Type = "simple";
        PermissionsStartOnly = true;
        # Create the rules directory before the daemon starts
        ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /etc/opensnitch/rules";
        ExecStart = "${unstable.opensnitch}/bin/opensnitchd -rules-path /etc/opensnitch/rules";
        Restart = "always";
        RestartSec = 30;
      };
      enable = true;
    };
  };
};

You can change the path to the rules directory according to your needs; keep the ExecStartPre and ExecStart paths in sync.

In the next step we’ll want to autostart opensnitch-ui, the graphical userland application that asks for permissions. In my case I’m using the sway window manager, and it’s possible to configure the applications that run at start:

wayland.windowManager.sway = {
  enable = true;
  config = {
    [...]
    startup = [
      { command = "opensnitch-ui"; }
    ];
    floating.criteria = [
      { "title" = "^OpenSnitch v.*"; }
    ];
[...]

The floating criteria configuration is necessary to display the popup windows of opensnitch-ui correctly.
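Putting the NixOS side of the steps above together, here is a complete standalone module, written for this post as an added example rather than code taken from the OpenSnitch or NixOS projects. The file name opensnitch.nix, the rulesDir binding and the `imports` line are assumptions; it expects the nixos-unstable channel to have been added and updated as described above. The sway startup and floating entries are not repeated here because the wayland.windowManager.sway option is a Home Manager option and belongs in that configuration, not in a NixOS module.

```nix
# opensnitch.nix (assumed file name), imported from configuration.nix via
#   imports = [ ./opensnitch.nix ];
# Assumes `nix-channel --add https://nixos.org/channels/nixos-unstable nixos-unstable`
# and `nix-channel --update` have already been run.
{ config, pkgs, lib, ... }:
let
  # Packages from the unstable channel, where opensnitch currently lives
  unstable = import <nixos-unstable> {};
  # Directory where opensnitchd stores persistent rules (assumed name; change to taste)
  rulesDir = "/etc/opensnitch/rules";
in
{
  # Daemon plus the GUI that prompts the user for each new connection
  environment.systemPackages = [
    unstable.opensnitch
    unstable.opensnitch-ui
  ];

  systemd.services.opensnitch = {
    description = "Opensnitch Application Firewall Daemon";
    wants = [ "network.target" ];
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    # opensnitchd calls iptables, so it must be on the service PATH
    path = [ pkgs.iptables ];
    serviceConfig = {
      Type = "simple";
      PermissionsStartOnly = true;
      # Make sure the rules directory exists before the daemon starts;
      # using rulesDir in both lines keeps them from drifting apart
      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${rulesDir}";
      ExecStart = "${unstable.opensnitch}/bin/opensnitchd -rules-path ${rulesDir}";
      # Keep the firewall daemon running even if it crashes
      Restart = "always";
      RestartSec = 30;
    };
  };
}
```

After `nixos-rebuild switch`, `systemctl status opensnitch` should report the daemon as active and the rules directory should exist; if the service is failing, `journalctl -u opensnitch` shows why before you reboot.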

That’s it :) After a reboot, you should see OpenSnitch start asking for permissions!