firewall module: provide default rules and merge extraRules

a firewall with no configuration will get a relatively sane ruleset. a firewall with `extraRules` will get them deep merged into the default rules. Specifying `rules` will override the defaults
2024-03-21 12:00:34 +00:00 · 2024-03-21 12:00:34 +00:00 · 1a314e55b7
commit 1a314e55b7
parent 9263b21faa
7 changed files with 23 additions and 8 deletions
--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@ -4321,3 +4321,16 @@ set_link virtio-net-pci.1 on
 set_link virtio-net-pci.0 on

 See if both devices are bridge members
+
+Wed Mar 20 19:34:36 GMT 2024
+
+Because I forgot hoe to rebuild rotuer, I tihnk it is time to improve
+support for out-of-tree configurations. So I've made
+modules/profiles/gateway.nix and now I can copy rotuer.nix to
+telent-nixos-config.
+
+Probably I should make nix-build work on the top-level derivation
+and install liminix-rebuild as a binary?
+
+would be good if an out-of-tree config could specify the device
+it was targeting?
--- a/examples/demo.nix
+++ b/examples/demo.nix
@ -158,7 +158,6 @@ in rec {
  };

  services.firewall = svc.firewall.build {
-    ruleset = import ./demo-firewall.nix;
  };

  services.packet_forwarding = svc.network.forward.build { };
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -67,9 +67,7 @@ in rec {
    };
    firewall = {
      enable = true;
-      rules =
-        let defaults = import ./demo-firewall.nix;
-        in lib.recursiveUpdate defaults secrets.firewallRules;
+      rules = secrets.firewallRules;
    };
    wireless.networks = {
      "${secrets.ssid}" = {
--- a/modules/firewall/default-rules.nix
+++ b/modules/firewall/default-rules.nix
--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@ -56,8 +56,13 @@ in
  config = {
    system.service.firewall =
      let svc = liminix.callService ./service.nix  {
-            ruleset = mkOption {
+            extraRules = mkOption {
+              type = types.attrsOf types.attrs;
+              description = "firewall ruleset";
+            };
+            rules = mkOption {
              type = types.attrsOf types.attrs;   # we could usefully tighten this a bit :-)
+              default = import ./default-rules.nix;
              description = "firewall ruleset";
            };
          };
--- a/modules/firewall/service.nix
+++ b/modules/firewall/service.nix
@ -4,12 +4,12 @@
 , firewallgen
 , nftables
 }:
-{ ruleset }:
+{ rules, extraRules }:
 let
  inherit (liminix.services) oneshot;
  inherit (liminix.lib) typeChecked;
  inherit (lib) mkOption types;
-  script = firewallgen "firewall.nft" ruleset;
+  script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
 in oneshot {
  name = "firewall";
  up = script;
--- a/modules/profiles/gateway.nix
+++ b/modules/profiles/gateway.nix
@ -151,7 +151,7 @@ in {

    services.firewall = mkIf cfg.firewall.enable
      (svc.firewall.build {
-        ruleset = cfg.firewall.rules;
+        extraRules = cfg.firewall.rules;
      });

    services.resolvconf = oneshot rec {