From 1a314e55b742289010655d4f55d019f6b80299f9 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Thu, 21 Mar 2024 12:00:34 +0000
Subject: [PATCH] firewall module: provide default rules and merge extraRules

a firewall with no configuration will get a relatively sane ruleset. a firewall with `extraRules` will get them deep merged into the default rules. Specifying `rules` will override the defaults
---
 THOUGHTS.txt                   | 13 +++++++++++++
 examples/demo.nix              |  1 -
 examples/rotuer.nix            |  4 +---
 .../firewall/default-rules.nix |  0
 modules/firewall/default.nix   |  7 ++++++-
 modules/firewall/service.nix   |  4 ++--
 modules/profiles/gateway.nix   |  2 +-
 7 files changed, 23 insertions(+), 8 deletions(-)
 rename examples/demo-firewall.nix => modules/firewall/default-rules.nix (100%)

diff --git a/THOUGHTS.txt b/THOUGHTS.txt
index dcb127c..2947d9a 100644
--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@@ -4321,3 +4321,16 @@ set_link virtio-net-pci.1 on
 set_link virtio-net-pci.0 on
 See if both devices are bridge members
+
+Wed Mar 20 19:34:36 GMT 2024
+
+Because I forgot hoe to rebuild rotuer, I tihnk it is time to improve
+support for out-of-tree configurations. So I've made
+modules/profiles/gateway.nix and now I can copy rotuer.nix to
+telent-nixos-config.
+
+Probably I should make nix-build work on the top-level derivation
+and install liminix-rebuild as a binary?
+
+would be good if an out-of-tree config could specify the device
+it was targeting?
diff --git a/examples/demo.nix b/examples/demo.nix
index e807c2b..f341eb8 100644
--- a/examples/demo.nix
+++ b/examples/demo.nix
@@ -158,7 +158,6 @@ in rec {
   };
   services.firewall = svc.firewall.build {
-    ruleset = import ./demo-firewall.nix;
   };
   services.packet_forwarding = svc.network.forward.build { };
diff --git a/examples/rotuer.nix b/examples/rotuer.nix
index 705b888..4d89a53 100644
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@@ -67,9 +67,7 @@ in rec {
   };
   firewall = {
     enable = true;
-    rules =
-      let defaults = import ./demo-firewall.nix;
-      in lib.recursiveUpdate defaults secrets.firewallRules;
+    rules = secrets.firewallRules;
   };
   wireless.networks = {
     "${secrets.ssid}" = {
diff --git a/examples/demo-firewall.nix b/modules/firewall/default-rules.nix
similarity index 100%
rename from examples/demo-firewall.nix
rename to modules/firewall/default-rules.nix
diff --git a/modules/firewall/default.nix b/modules/firewall/default.nix
index 1aa4769..b1196d6 100644
--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@@ -56,8 +56,13 @@ in
   config = {
     system.service.firewall = let
       svc = liminix.callService ./service.nix {
-        ruleset = mkOption {
+        extraRules = mkOption {
+          type = types.attrsOf types.attrs;
+          description = "firewall ruleset";
+        };
+        rules = mkOption {
           type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
+          default = import ./default-rules.nix;
           description = "firewall ruleset";
         };
       };
diff --git a/modules/firewall/service.nix b/modules/firewall/service.nix
index 225e223..e9178dc 100644
--- a/modules/firewall/service.nix
+++ b/modules/firewall/service.nix
@@ -4,12 +4,12 @@
 , firewallgen
 , nftables
 }:
-{ ruleset }:
+{ rules, extraRules }:
 let
   inherit (liminix.services) oneshot;
   inherit (liminix.lib) typeChecked;
   inherit (lib) mkOption types;
-  script = firewallgen "firewall.nft" ruleset;
+  script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
 in oneshot {
   name = "firewall";
   up = script;
diff --git a/modules/profiles/gateway.nix b/modules/profiles/gateway.nix
index d97d881..0f1f51e 100644
--- a/modules/profiles/gateway.nix
+++ b/modules/profiles/gateway.nix
@@ -151,7 +151,7 @@ in {
   services.firewall = mkIf cfg.firewall.enable (svc.firewall.build {
-    ruleset = cfg.firewall.rules;
+    extraRules = cfg.firewall.rules;
   });
   services.resolvconf = oneshot rec {
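Review bot: The new `extraRules` option in modules/firewall/default.nix is declared without a `default`, yet service.nix now destructures `{ rules, extraRules }:` unconditionally and examples/demo.nix is left calling `svc.firewall.build { }` with no arguments at all; unless `liminix.callService` substitutes a value for an option that is neither defaulted nor set, the "firewall with no configuration" case the commit message promises will fail to evaluate rather than get the default ruleset. Adding `default = { };` to `extraRules` closes that gap. The option also copies the `"firewall ruleset"` description verbatim from `rules` although the two mean different things; `description = "additional rules deep-merged into rules; values given here take precedence over the defaults";` would tell a reader which one to set. The contents of ./default-rules.nix are not part of this diff, so how restrictive the shipped defaults actually are cannot be judged here, and the enclosing `config = {` attribute set begins and ends outside the hunk.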
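Review bot: `lib.recursiveUpdate rules extraRules` in service.nix recurses only through attribute sets, so any list-valued leaf — the natural shape for a chain's ordered rule sequence under `attrsOf attrs` — is replaced wholesale by the `extraRules` side rather than appended to; an `extraRules` entry that names a chain already present in the defaults would then silently discard every default rule in that chain. The commit message's "deep merged" therefore holds for nested attribute sets and scalar leaves but not for lists. Whether the firewallgen input format carries rules as lists is not visible in this diff; if it does, either state the replace-not-append behaviour in the `extraRules` description or merge chain contents explicitly instead of relying on `recursiveUpdate`. Since the merge result is only observable in the generated firewall.nft, a missing default rule would not be noticed at evaluation time.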
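Review bot: In modules/profiles/gateway.nix the profile option `cfg.firewall.rules` is now bound to `extraRules`, so through the gateway profile "rules" means "rules merged on top of the defaults", while the commit message says specifying `rules` overrides them; a user who sets `firewall.rules` expecting to replace the shipped policy will instead get the defaults plus their additions, and nothing in the profile offers a way to pass `rules` through. The declaration of `cfg.firewall.rules` is outside this hunk; either rename the profile option to match (`firewall.extraRules`) or document the merge semantics in its description, and consider adding a pass-through for configurations that need to replace the defaults. examples/rotuer.nix in this same commit relies on this mapping, having dropped its own `lib.recursiveUpdate` of the defaults.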