From 90c1d59aca5724ac74cfb2f62ce171cde26fc93d Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Sat, 5 Aug 2023 12:07:35 +0100
Subject: [PATCH] convert firewall service to new serviceDefn

this is a bit kludgey with dependencies, need to come back and look at that
---
 examples/rotuer.nix | 2 +-
 modules/firewall/default.nix | 18 ++++++++++++++----
 modules/firewall/service.nix | 11 +---------
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/examples/rotuer.nix b/examples/rotuer.nix
index 10b549b..716663b 100644
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@@ -168,7 +168,7 @@ in rec {
 dependencies = [ services.wan ];
 };
 
- services.firewall = svc.firewall {
+ services.firewall = svc.firewall.build {
 ruleset = import ./rotuer-firewall.nix;
 };
 
diff --git a/modules/firewall/default.nix b/modules/firewall/default.nix
index af84a5d..288a69c 100644
--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@@ -1,6 +1,7 @@
 { lib, pkgs, config, ...}:
 let
 inherit (lib) mkOption types;
+ inherit (pkgs) liminix;
 inherit (pkgs.liminix.services) oneshot;
 
 kconf = isModule :
@@ -36,13 +37,22 @@ in {
 
 options = {
 system.service.firewall = mkOption {
- type = types.anything; # types.functionTo pkgs.liminix.lib.types.service;
+ type = liminix.lib.types.serviceDefn;
 };
 };
 config = {
- system.service.firewall = params :
- let svc = (pkgs.callPackage ./service.nix {}) params;
- in svc // { dependencies = svc.dependencies ++ [loadModules]; };
+ system.service.firewall =
+ let svc = liminix.callService ./service.nix {
+ ruleset = mkOption {
+ type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
+ description = "firewall ruleset";
+ };
+ };
+ in svc // {
+ build = args : (svc.build args) // {
+ dependencies = [ loadModules ] ++ (svc.dependencies or []);
+ };
+ };
 
 # For historical reasons the kernel config is split between
 # monolithic options and modules. TODO: go through this list
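Review bot: In the new `build` wrapper in modules/firewall/default.nix, `svc.dependencies or []` reads from the service *definition* returned by `liminix.callService`, not from the built service, so unless callService puts a `dependencies` attribute on the definition this always evaluates to `[]` and the `//` then overwrites whatever dependencies `svc.build args` produced (for example any `dependencies` the caller passes in `args`). The previous code read `svc.dependencies` from the applied service, which is what the override should still extend; silently dropping those edges changes the firewall's start ordering, which the commit message already flags as kludgey. A minimal fix keeps the built service in a binding: `build = args: let built = svc.build args; in built // { dependencies = [ loadModules ] ++ (built.dependencies or []); };`. `loadModules` and the enclosing `let`/`config` attribute set start and end outside this hunk, so I cannot see whether the definition carries a `dependencies` attribute of its own.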
diff --git a/modules/firewall/service.nix b/modules/firewall/service.nix
index 9720816..225e223 100644
--- a/modules/firewall/service.nix
+++ b/modules/firewall/service.nix
@@ -4,20 +4,11 @@
 , firewallgen
 , nftables
 }:
+{ ruleset }:
 let
 inherit (liminix.services) oneshot;
 inherit (liminix.lib) typeChecked;
 inherit (lib) mkOption types;
- t = {
- ruleset = mkOption {
- type = types.anything; # we could usefully define this more tightly
- description = "firewall ruleset";
- };
- };
-in
-params:
-let
- inherit (typeChecked "firewall" t params) ruleset;
 script = firewallgen "firewall.nft" ruleset;
 in oneshot {
 name = "firewall";
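Review bot: After this hunk `typeChecked`, `mkOption` and `types` are no longer referenced anywhere visible in modules/firewall/service.nix — their only uses were in the removed `t`/`params` block — so `inherit (liminix.lib) typeChecked;` and `inherit (lib) mkOption types;` are now dead bindings and should be dropped unless the rest of the file still uses them. Validation of `ruleset` also moves out of this file: the removed `typeChecked "firewall" t params` was the check here, and the new `{ ruleset }:` signature only fails on a missing or unexpected attribute, so the file now relies on the caller (presumably `liminix.callService` in default.nix) to enforce the option type. A one-line comment above the signature, `# ruleset is type-checked by the module option in default.nix; this file only consumes it`, would make that handoff explicit. The `oneshot { ... }` body continues outside the hunk.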