add deviceName param

a firewall with no configuration will get a relatively sane ruleset. a
firewall with `extraRules` will get them deep merged into the default
rules.  Specifying `rules` will override the defaults

THOUGHTS.txt

@@ -4321,3 +4321,26 @@ set_link virtio-net-pci.1 on
 set_link virtio-net-pci.0 on
 
 See if both devices are bridge members
+
+Wed Mar 20 19:34:36 GMT 2024
+
+Because I forgot hoe to rebuild rotuer, I tihnk it is time to improve
+support for out-of-tree configurations. So I've made
+modules/profiles/gateway.nix and now I can copy rotuer.nix to
+telent-nixos-config.
+
+Probably I should make nix-build work on the top-level derivation
+and install liminix-rebuild as a binary?
+
+would be good if an out-of-tree config could specify the device
+it was targeting?
+
+Fri Mar 22 20:49:54 GMT 2024
+
+Ideally liminix-rebuild could accept a configuration file that
+specifies a liminix-config file, a target hostname (maybe plus ssh
+port, credentials etc) and the device name. Not going to work on that
+just now but it does mean we can punt on specifying the device inside the
+liminix-config which is unreasonably circular.
+
+Maybe we'll just chuck a makefile in telent-nixos-config

default.nix

@@ -1,5 +1,6 @@
 {
-  device
+  deviceName ? null
+, device ? (import ./devices/${deviceName} )
 , liminix-config ? <liminix-config>
 , nixpkgs ? <nixpkgs>
 , borderVmConf ? ./bordervm.conf.nix

examples/demo.nix

@@ -158,7 +158,6 @@ in rec {
   };
 
   services.firewall = svc.firewall.build {
-    ruleset = import ./demo-firewall.nix;
   };
 
   services.packet_forwarding = svc.network.forward.build { };

examples/rotuer.nix

@@ -67,9 +67,7 @@ in rec {
     };
     firewall = {
       enable = true;
-      rules =
-        let defaults = import ./demo-firewall.nix;
-        in lib.recursiveUpdate defaults secrets.firewallRules;
+      rules = secrets.firewallRules;
     };
     wireless.networks = {
       "${secrets.ssid}" = {

modules/firewall/default.nix

@@ -56,8 +56,13 @@ in
   config = {
     system.service.firewall =
       let svc = liminix.callService ./service.nix  {
-            ruleset = mkOption {
+            extraRules = mkOption {
+              type = types.attrsOf types.attrs;
+              description = "firewall ruleset";
+            };
+            rules = mkOption {
               type = types.attrsOf types.attrs;   # we could usefully tighten this a bit :-)
+              default = import ./default-rules.nix;
               description = "firewall ruleset";
             };
           };

modules/firewall/service.nix

@@ -4,12 +4,12 @@
 , firewallgen
 , nftables
 }:
-{ ruleset }:
+{ rules, extraRules }:
 let
   inherit (liminix.services) oneshot;
   inherit (liminix.lib) typeChecked;
   inherit (lib) mkOption types;
-  script = firewallgen "firewall.nft" ruleset;
+  script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
 in oneshot {
   name = "firewall";
   up = script;

modules/profiles/gateway.nix

@@ -151,7 +151,7 @@ in {
 
     services.firewall = mkIf cfg.firewall.enable
       (svc.firewall.build {
-        ruleset = cfg.firewall.rules;
+        extraRules = cfg.firewall.rules;
       });
 
     services.resolvconf = oneshot rec {