liminix/modules/firewall/service.nix

{
  liminix
, lib
, firewallgen
, nftables
}:
{ rules, extraRules }:
let
  inherit (liminix.services) oneshot;
  inherit (liminix.lib) typeChecked;
  inherit (lib) mkOption types;
  script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
in oneshot {
  name = "firewall";
  up = script;
  down = "${nftables}/bin/nft flush ruleset";
}
turn nftables firewall into a service-providing module 2023-07-16 17:55:50 +02:00			`{`
			`liminix`
			`, lib`
			`, firewallgen`
			`, nftables`
			`}:`
firewall module: provide default rules and merge extraRules a firewall with no configuration will get a relatively sane ruleset. a firewall with `extraRules` will get them deep merged into the default rules. Specifying `rules` will override the defaults 2024-03-21 13:00:34 +01:00			`{ rules, extraRules }:`
turn nftables firewall into a service-providing module 2023-07-16 17:55:50 +02:00			`let`
			`inherit (liminix.services) oneshot;`
			`inherit (liminix.lib) typeChecked;`
			`inherit (lib) mkOption types;`
firewall module: provide default rules and merge extraRules a firewall with no configuration will get a relatively sane ruleset. a firewall with `extraRules` will get them deep merged into the default rules. Specifying `rules` will override the defaults 2024-03-21 13:00:34 +01:00			`script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);`
turn nftables firewall into a service-providing module 2023-07-16 17:55:50 +02:00			`in oneshot {`
			`name = "firewall";`
			`up = script;`
			`down = "${nftables}/bin/nft flush ruleset";`
			`}`