forked from DGNum/liminix
convert firewall service to new serviceDefn
This is a bit kludgy with the dependencies; I need to come back and look at that.
This commit is contained in:
parent
fbb2c04132
commit
90c1d59aca
3 changed files with 16 additions and 15 deletions
|
@ -168,7 +168,7 @@ in rec {
|
||||||
dependencies = [ services.wan ];
|
dependencies = [ services.wan ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.firewall = svc.firewall {
|
services.firewall = svc.firewall.build {
|
||||||
ruleset = import ./rotuer-firewall.nix;
|
ruleset = import ./rotuer-firewall.nix;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ lib, pkgs, config, ...}:
|
{ lib, pkgs, config, ...}:
|
||||||
let
|
let
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
|
inherit (pkgs) liminix;
|
||||||
inherit (pkgs.liminix.services) oneshot;
|
inherit (pkgs.liminix.services) oneshot;
|
||||||
|
|
||||||
kconf = isModule :
|
kconf = isModule :
|
||||||
|
@ -36,13 +37,22 @@ in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
system.service.firewall = mkOption {
|
system.service.firewall = mkOption {
|
||||||
type = types.anything; # types.functionTo pkgs.liminix.lib.types.service;
|
type = liminix.lib.types.serviceDefn;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = {
|
config = {
|
||||||
system.service.firewall = params :
|
system.service.firewall =
|
||||||
let svc = (pkgs.callPackage ./service.nix {}) params;
|
let svc = liminix.callService ./service.nix {
|
||||||
in svc // { dependencies = svc.dependencies ++ [loadModules]; };
|
ruleset = mkOption {
|
||||||
|
type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
|
||||||
|
description = "firewall ruleset";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in svc // {
|
||||||
|
build = args : (svc.build args) // {
|
||||||
|
dependencies = [ loadModules ] ++ (svc.dependencies or []);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# For historical reasons the kernel config is split between
|
# For historical reasons the kernel config is split between
|
||||||
# monolithic options and modules. TODO: go through this list
|
# monolithic options and modules. TODO: go through this list
|
||||||
|
|
|
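Review bot: In the `build` override at the end of the second hunk, `dependencies` is derived from `svc.dependencies`, where `svc` is now the result of `liminix.callService`, whereas the removed code read `dependencies` from the built service. If `callService` returns a definition whose dependencies only materialise on `build` (which the `service.nix` hunk in this commit suggests), `svc.dependencies` is always absent, the `or []` hides that, and any dependencies carried by `(svc.build args)` are replaced by `//` instead of extended. Binding the built result first keeps them: `build = args : let built = svc.build args; in built // {` / `  dependencies = [ loadModules ] ++ (built.dependencies or []);` / `};`. With `inherit (pkgs) liminix;` added in the first hunk, the existing `inherit (pkgs.liminix.services) oneshot;` could also become `inherit (liminix.services) oneshot;` for consistency.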
@ -4,20 +4,11 @@
|
||||||
, firewallgen
|
, firewallgen
|
||||||
, nftables
|
, nftables
|
||||||
}:
|
}:
|
||||||
|
{ ruleset }:
|
||||||
let
|
let
|
||||||
inherit (liminix.services) oneshot;
|
inherit (liminix.services) oneshot;
|
||||||
inherit (liminix.lib) typeChecked;
|
inherit (liminix.lib) typeChecked;
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
t = {
|
|
||||||
ruleset = mkOption {
|
|
||||||
type = types.anything; # we could usefully define this more tightly
|
|
||||||
description = "firewall ruleset";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
params:
|
|
||||||
let
|
|
||||||
inherit (typeChecked "firewall" t params) ruleset;
|
|
||||||
script = firewallgen "firewall.nft" ruleset;
|
script = firewallgen "firewall.nft" ruleset;
|
||||||
in oneshot {
|
in oneshot {
|
||||||
name = "firewall";
|
name = "firewall";
|
||||||
|
|
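Review bot: `inherit (liminix.lib) typeChecked;` and `inherit (lib) mkOption types;` appear to be dead after this hunk, since the `t` option set and the `typeChecked "firewall" t params` call they served were removed; if nothing further down in `service.nix` uses them, both lines should go. The `{ ruleset }:` pattern no longer validates the ruleset in this file, so the only remaining check is the `types.attrsOf types.attrs` option declared in the module, assuming `callService` applies it; a comment at the pattern such as `# ruleset is validated by the system.service.firewall option in the module` would make that shift explicit. The `oneshot { ... }` body continues past the end of the hunk.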