firewall -> profile

2024-03-20 18:18:34 +00:00 · 2024-03-20 18:18:34 +00:00 · 269c9cd916
parent 95ebddb661
commit 269c9cd916
2 changed files with 17 additions and 7 deletions
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -65,7 +65,12 @@ in rec {
      password = secrets.l2tp.password;
      dhcp6.enable = true;
    };
-
+    firewall = {
+      enable = true;
+      rules =
+        let defaults = import ./demo-firewall.nix;
+        in lib.recursiveUpdate defaults secrets.firewallRules;
+    };
    wireless.networks = {
      telent = {
        interface = config.hardware.networkInterfaces.wlan;
@ -97,12 +102,6 @@ in rec {

  users.root = secrets.root;

-  services.firewall = svc.firewall.build {
-    ruleset =
-      let defaults = import ./demo-firewall.nix;
-      in lib.recursiveUpdate defaults secrets.firewallRules;
-  };
-
  defaultProfile.packages = with pkgs; [
    min-collect-garbage
    nftables
--- a/modules/profiles/gateway.nix
+++ b/modules/profiles/gateway.nix
@ -44,6 +44,12 @@ in {
        localDomain = mkOption { type = types.str; };
      };
    };
+
+    firewall = {
+      enable = mkEnableOption "firewall";
+      rules = mkOption { type = types.attrsOf types.attrs; };
+    };
+
    wan = {
      interface = mkOption { type = liminix.lib.types.interface; };
      username = mkOption { type = types.str; };
@ -143,6 +149,11 @@ in {
      interface = config.services.wan;
    };

+    services.firewall = mkIf cfg.firewall.enable
+      (svc.firewall.build {
+        ruleset = cfg.firewall.rules;
+      });
+

    services.resolvconf = oneshot rec {
      dependencies = [ config.services.wan ];