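#!/bin/bash
#
# Installs OpenSnitch, seeds two always-on "allow" rules, and enables the
# service. Uses sudo for every privileged step, so it can be run as a regular
# user with sudo rights.
set -euo pipefail

# apt-get is used instead of apt because apt's command-line interface is not
# guaranteed to be stable for scripted use.
sudo apt-get update
sudo apt-get install opensnitch

readonly RULE_PATH="/etc/opensnitchd/rules"
sudo mkdir -p "$RULE_PATH"

# Rule 1: allow a fixed set of system binaries, matched on process.path.
# The pattern is anchored at both ends. Without the trailing '$', the
# alternative /usr/bin/host would also match /usr/bin/hostname,
# /usr/bin/hostnamectl and any other binary whose path merely starts with one
# of the listed paths, silently widening a precedence allow rule.
# The rule matches on path only and does not restrict destination or port, so
# keep the list as short as possible.
sudo tee "$RULE_PATH/000-allow-system-cmds.json" > /dev/null <<'EOF'
{
  "created": "2021-04-26T09:58:03.704090244+02:00",
  "updated": "2021-04-26T09:58:03.704216578+02:00",
  "name": "000-allow-system-cmds",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "regexp",
    "operand": "process.path",
    "sensitive": false,
    "data": "^(/usr/bin/host|/usr/bin/xbrlapi|/usr/bin/dirmngr|/usr/bin/slim)$",
    "list": []
  }
}
EOF

# Rule 2: allow every connection whose destination is in 127.0.0.0/8.
# This covers IPv4 loopback only; traffic to the IPv6 loopback address (::1)
# is not matched here and is evaluated by whatever other rules exist.
# The rule applies to every process, so any local listener is reachable by
# any local program without a prompt.
sudo tee "$RULE_PATH/000-allow-localhost.json" > /dev/null <<'EOF'
{
  "created": "2021-04-26T09:58:03.704090244+02:00",
  "updated": "2021-04-26T09:58:03.704216578+02:00",
  "name": "000-allow-localhost",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "network",
    "operand": "dest.network",
    "sensitive": false,
    "data": "127.0.0.0/8",
    "list": []
  }
}
EOF

# Start the service now and on every boot.
sudo systemctl enable --now opensnitch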