firewall module: provide default rules and merge extraRules
a firewall with no configuration will get a relatively sane ruleset. a firewall with `extraRules` will get them deep merged into the default rules. Specifying `rules` will override the defaultsmain
parent
9263b21faa
commit
1a314e55b7
13
THOUGHTS.txt
13
THOUGHTS.txt
|
|
@ -4321,3 +4321,16 @@ set_link virtio-net-pci.1 on
|
||||||
set_link virtio-net-pci.0 on
|
set_link virtio-net-pci.0 on
|
||||||
|
|
||||||
See if both devices are bridge members
|
See if both devices are bridge members
|
||||||
|
|
||||||
|
Wed Mar 20 19:34:36 GMT 2024
|
||||||
|
|
||||||
|
Because I forgot hoe to rebuild rotuer, I tihnk it is time to improve
|
||||||
|
support for out-of-tree configurations. So I've made
|
||||||
|
modules/profiles/gateway.nix and now I can copy rotuer.nix to
|
||||||
|
telent-nixos-config.
|
||||||
|
|
||||||
|
Probably I should make nix-build work on the top-level derivation
|
||||||
|
and install liminix-rebuild as a binary?
|
||||||
|
|
||||||
|
would be good if an out-of-tree config could specify the device
|
||||||
|
it was targeting?
|
||||||
|
|
|
||||||
|
|
@ -158,7 +158,6 @@ in rec {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.firewall = svc.firewall.build {
|
services.firewall = svc.firewall.build {
|
||||||
ruleset = import ./demo-firewall.nix;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.packet_forwarding = svc.network.forward.build { };
|
services.packet_forwarding = svc.network.forward.build { };
|
||||||
|
|
|
||||||
|
|
@ -67,9 +67,7 @@ in rec {
|
||||||
};
|
};
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
rules =
|
rules = secrets.firewallRules;
|
||||||
let defaults = import ./demo-firewall.nix;
|
|
||||||
in lib.recursiveUpdate defaults secrets.firewallRules;
|
|
||||||
};
|
};
|
||||||
wireless.networks = {
|
wireless.networks = {
|
||||||
"${secrets.ssid}" = {
|
"${secrets.ssid}" = {
|
||||||
|
|
|
||||||
|
|
@ -56,8 +56,13 @@ in
|
||||||
config = {
|
config = {
|
||||||
system.service.firewall =
|
system.service.firewall =
|
||||||
let svc = liminix.callService ./service.nix {
|
let svc = liminix.callService ./service.nix {
|
||||||
ruleset = mkOption {
|
extraRules = mkOption {
|
||||||
|
type = types.attrsOf types.attrs;
|
||||||
|
description = "firewall ruleset";
|
||||||
|
};
|
||||||
|
rules = mkOption {
|
||||||
type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
|
type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
|
||||||
|
default = import ./default-rules.nix;
|
||||||
description = "firewall ruleset";
|
description = "firewall ruleset";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -4,12 +4,12 @@
|
||||||
, firewallgen
|
, firewallgen
|
||||||
, nftables
|
, nftables
|
||||||
}:
|
}:
|
||||||
{ ruleset }:
|
{ rules, extraRules }:
|
||||||
let
|
let
|
||||||
inherit (liminix.services) oneshot;
|
inherit (liminix.services) oneshot;
|
||||||
inherit (liminix.lib) typeChecked;
|
inherit (liminix.lib) typeChecked;
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
script = firewallgen "firewall.nft" ruleset;
|
script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
|
||||||
in oneshot {
|
in oneshot {
|
||||||
name = "firewall";
|
name = "firewall";
|
||||||
up = script;
|
up = script;
|
||||||
|
|
|
||||||
|
|
@ -151,7 +151,7 @@ in {
|
||||||
|
|
||||||
services.firewall = mkIf cfg.firewall.enable
|
services.firewall = mkIf cfg.firewall.enable
|
||||||
(svc.firewall.build {
|
(svc.firewall.build {
|
||||||
ruleset = cfg.firewall.rules;
|
extraRules = cfg.firewall.rules;
|
||||||
});
|
});
|
||||||
|
|
||||||
services.resolvconf = oneshot rec {
|
services.resolvconf = oneshot rec {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue