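# Firewall service for liminix: merges the caller's rules with one
# interface-name set per zone and address family, hands the result to
# firewallgen, loads it once at start and flushes the ruleset on stop.
{
  liminix
, lib
, firewallgen
, nftables
}:
# rules      - base ruleset attrset (highest priority in the merge below)
# extraRules - additional ruleset attrset (lowest priority in the merge below)
# zones      - attrset whose keys are zone names; the values are not used here
{ rules, extraRules, zones }:
let
  inherit (liminix.services) longrun;
  inherit (lib.attrsets) mapAttrs' nameValuePair;

  # One named set of type "ifname" for a zone in the given family
  # ("ip" or "ip6"); the attribute name is "<zone>-set-<family>".
  mkSet = family: name:
    nameValuePair "${name}-set-${family}" {
      kind = "set";
      inherit name family;
      type = "ifname";
    };

  # One ip and one ip6 set per zone key.
  sets =
    (mapAttrs' (n: _: mkSet "ip" n) zones)
    // (mapAttrs' (n: _: mkSet "ip6" n) zones);

  # recursiveUpdate lets the right-hand side win, so the precedence is
  # rules > sets > extraRules.  The debug trace that previously dumped
  # every set to stderr on each evaluation is not part of the result.
  allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate sets rules);

  # firewallgen is defined outside this file; whatever it returns is
  # interpolated verbatim into the run script below, presumably a command
  # that loads the generated "firewall1.nft" -- confirm against firewallgen.
  script = firewallgen "firewall1.nft" allRules;
in
longrun {
  name = "firewall";
  # Load the ruleset once, then idle forever so the supervisor keeps
  # treating the service as up (longrun expects a long-lived process).
  run = ''
    ${script}
    while : ; do sleep 86400 ; done
  '';
  # `nft flush ruleset` removes every table, so stopping this service
  # leaves the host with no packet filtering at all (fail-open) until it
  # is started again; keep that in mind when restarting or reconfiguring.
  finish = "${nftables}/bin/nft flush ruleset";
}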