From 269c9cd91623fa982be5d77e56ef7f348600bee1 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Wed, 20 Mar 2024 18:18:34 +0000
Subject: [PATCH] firewall -> profile

---
 examples/rotuer.nix | 13 ++++++-------
 modules/profiles/gateway.nix | 11 +++++++++++
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/examples/rotuer.nix b/examples/rotuer.nix
index 9593495..a4e9ce2 100644
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@@ -65,7 +65,12 @@ in rec {
 password = secrets.l2tp.password;
 dhcp6.enable = true;
 };
-
+ firewall = {
+ enable = true;
+ rules =
+ let defaults = import ./demo-firewall.nix;
+ in lib.recursiveUpdate defaults secrets.firewallRules;
+ };
 wireless.networks = {
 telent = {
 interface = config.hardware.networkInterfaces.wlan;
@@ -97,12 +102,6 @@ in rec {
 
 users.root = secrets.root;
 
- services.firewall = svc.firewall.build {
- ruleset =
- let defaults = import ./demo-firewall.nix;
- in lib.recursiveUpdate defaults secrets.firewallRules;
- };
-
 defaultProfile.packages = with pkgs; [
 min-collect-garbage
 nftables
diff --git a/modules/profiles/gateway.nix b/modules/profiles/gateway.nix
index e34d5f9..d4e25be 100644
--- a/modules/profiles/gateway.nix
+++ b/modules/profiles/gateway.nix
@@ -44,6 +44,12 @@ in {
 localDomain = mkOption { type = types.str; };
 };
 };
+
+ firewall = {
+ enable = mkEnableOption "firewall";
+ rules = mkOption { type = types.attrsOf types.attrs; };
+ };
+
 wan = {
 interface = mkOption { type = liminix.lib.types.interface; };
 username = mkOption { type = types.str; };
@@ -143,6 +149,11 @@ in {
 interface = config.services.wan;
 };
 
+ services.firewall = mkIf cfg.firewall.enable
+ (svc.firewall.build {
+ ruleset = cfg.firewall.rules;
+ });
+
 services.resolvconf = oneshot rec {
 dependencies = [ config.services.wan ];
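Review bot: The `rules` expression added here gives `secrets.firewallRules` precedence over `./demo-firewall.nix` at every depth, because `lib.recursiveUpdate` lets the right-hand operand win on any shared key, so a key in the secrets file that collides with a default rule silently replaces it rather than being flagged. If the intent is that the secrets file only adds or narrows rules, that is worth stating next to the expression, e.g. `# secrets.firewallRules overrides demo-firewall.nix on any shared key (recursiveUpdate: rhs wins)`. Keeping the example's `enable = true;` explicit is good, since the option it now sets presumably defaults to off in the profile. The attribute set that this `firewall` block belongs to begins and ends outside the hunk.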
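Review bot: `firewall.enable = mkEnableOption "firewall"` defaults to false, so a gateway built from this profile that does not set it explicitly ends up with no firewall service at all (the example in rotuer.nix sets it, but the profile itself does not), which is a surprising default for the WAN-facing role. Consider `enable = mkEnableOption "firewall" // { default = true; };`, or at least a `description` on the option stating that leaving it off leaves the WAN interface unfiltered. `rules` is typed `types.attrsOf types.attrs` with no default and no description, so a mistyped rule key passes evaluation silently; a one-line `description` of the shape that `svc.firewall.build` expects for `ruleset` (presumably the same attrset the removed `services.firewall` block passed) would help callers. The enclosing options attrset starts before the hunk and continues after it.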