liminix/modules/firewall/service.nix

{
  liminix,
  lib,
  firewallgen,
  nftables,
  writeFennel,
  anoia,
  lualinux,
  linotify,
}:
{
  rules,
  extraRules,
  zones,
}:
let
  inherit (liminix.services) longrun;
  inherit (lib.attrsets) mapAttrs' nameValuePair mapAttrsToList;
  inherit (lib.strings) concatStringsSep;
  inherit (lib.lists) flatten;
  mkSet =
    family: name:
    nameValuePair "${name}-set-${family}" {
      kind = "set";
      inherit name family;
      type = "ifname";
    };
  sets = (mapAttrs' (n: _: mkSet "ip" n) zones) // (mapAttrs' (n: _: mkSet "ip6" n) zones);
  allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules);
  script = firewallgen "firewall1.nft" allRules;
  ifwatch = writeFennel "ifwatch" {
    packages = [
      anoia
      lualinux
      linotify
    ];
    mainFunction = "run";
  } ./ifwatch.fnl;
  watchArg = z: intfs: map (i: "${z}:${i}/.outputs") intfs;
in
longrun {
  name = "firewall";
  run = ''
    ${script}
    PATH=${nftables}/bin:$PATH
    ${ifwatch} ${concatStringsSep " " (flatten (mapAttrsToList watchArg zones))}
  '';
  finish = "${nftables}/bin/nft flush ruleset";
}
turn nftables firewall into a service-providing module 2023-07-16 15:55:50 +00:00			`{`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`liminix,`
			`lib,`
			`firewallgen,`
			`nftables,`
			`writeFennel,`
			`anoia,`
			`lualinux,`
			`linotify,`
			`}:`
			`{`
			`rules,`
			`extraRules,`
			`zones,`
turn nftables firewall into a service-providing module 2023-07-16 15:55:50 +00:00			`}:`
			`let`
firewall: update zones with interface names as they appear 2025-02-10 00:42:27 +00:00			`inherit (liminix.services) longrun;`
			`inherit (lib.attrsets) mapAttrs' nameValuePair mapAttrsToList;`
			`inherit (lib.strings) concatStringsSep;`
			`inherit (lib.lists) flatten;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`mkSet =`
			`family: name:`
			`nameValuePair "${name}-set-${family}" {`
			`kind = "set";`
			`inherit name family;`
			`type = "ifname";`
			`};`
			`sets = (mapAttrs' (n: _: mkSet "ip" n) zones) // (mapAttrs' (n: _: mkSet "ip6" n) zones);`
WIP add zones to firewall module - zones are an attrset of name -> [interface-service] - the firewall will create empty "ifname" sets for each zone name in each address family (ip, ip6) - then watch the interface services, and add the "ifname" outputs to the corresponding sets when they appear This commit only adds the empty sets 2025-02-06 11:57:06 +00:00			`allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules);`
			`script = firewallgen "firewall1.nft" allRules;`
firewall: update zones with interface names as they appear 2025-02-10 00:42:27 +00:00			`ifwatch = writeFennel "ifwatch" {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`packages = [`
			`anoia`
			`lualinux`
			`linotify`
			`];`
firewall: update zones with interface names as they appear 2025-02-10 00:42:27 +00:00			`mainFunction = "run";`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`} ./ifwatch.fnl;`
			`watchArg = z: intfs: map (i: "${z}:${i}/.outputs") intfs;`
			`in`
			`longrun {`
turn nftables firewall into a service-providing module 2023-07-16 15:55:50 +00:00			`name = "firewall";`
WIP add zones to firewall module - zones are an attrset of name -> [interface-service] - the firewall will create empty "ifname" sets for each zone name in each address family (ip, ip6) - then watch the interface services, and add the "ifname" outputs to the corresponding sets when they appear This commit only adds the empty sets 2025-02-06 11:57:06 +00:00			`run = ''`
			`${script}`
firewall: update zones with interface names as they appear 2025-02-10 00:42:27 +00:00			`PATH=${nftables}/bin:$PATH`
			`${ifwatch} ${concatStringsSep " " (flatten (mapAttrsToList watchArg zones))}`
WIP add zones to firewall module - zones are an attrset of name -> [interface-service] - the firewall will create empty "ifname" sets for each zone name in each address family (ip, ip6) - then watch the interface services, and add the "ifname" outputs to the corresponding sets when they appear This commit only adds the empty sets 2025-02-06 11:57:06 +00:00			`'';`
			`finish = "${nftables}/bin/nft flush ruleset";`
turn nftables firewall into a service-providing module 2023-07-16 15:55:50 +00:00			`}`