Compare commits
3 Commits
9263b21faa
...
83e346d5a0
Author | SHA1 | Date |
---|---|---|
Daniel Barlow | 83e346d5a0 | |
Daniel Barlow | 156b1fe64a | |
Daniel Barlow | 1a314e55b7 |
23
THOUGHTS.txt
23
THOUGHTS.txt
|
@ -4321,3 +4321,26 @@ set_link virtio-net-pci.1 on
|
||||||
set_link virtio-net-pci.0 on
|
set_link virtio-net-pci.0 on
|
||||||
|
|
||||||
See if both devices are bridge members
|
See if both devices are bridge members
|
||||||
|
|
||||||
|
Wed Mar 20 19:34:36 GMT 2024
|
||||||
|
|
||||||
|
Because I forgot hoe to rebuild rotuer, I tihnk it is time to improve
|
||||||
|
support for out-of-tree configurations. So I've made
|
||||||
|
modules/profiles/gateway.nix and now I can copy rotuer.nix to
|
||||||
|
telent-nixos-config.
|
||||||
|
|
||||||
|
Probably I should make nix-build work on the top-level derivation
|
||||||
|
and install liminix-rebuild as a binary?
|
||||||
|
|
||||||
|
would be good if an out-of-tree config could specify the device
|
||||||
|
it was targeting?
|
||||||
|
|
||||||
|
Fri Mar 22 20:49:54 GMT 2024
|
||||||
|
|
||||||
|
Ideally liminix-rebuild could accept a configuration file that
|
||||||
|
specifies a liminix-config file, a target hostname (maybe plus ssh
|
||||||
|
port, credentials etc) and the device name. Not going to work on that
|
||||||
|
just now but it does mean we can punt on specifying the device inside the
|
||||||
|
liminix-config which is unreasonably circular.
|
||||||
|
|
||||||
|
Maybe we'll just chuck a makefile in telent-nixos-config
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
device
|
deviceName ? null
|
||||||
|
, device ? (import ./devices/${deviceName} )
|
||||||
, liminix-config ? <liminix-config>
|
, liminix-config ? <liminix-config>
|
||||||
, nixpkgs ? <nixpkgs>
|
, nixpkgs ? <nixpkgs>
|
||||||
, borderVmConf ? ./bordervm.conf.nix
|
, borderVmConf ? ./bordervm.conf.nix
|
||||||
|
|
|
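Review bot: With `deviceName ? null` as the default and `device ? (import ./devices/${deviceName})` right below it, evaluating this file with neither argument fails inside the path interpolation with a coercion error about null instead of a message naming the missing argument. A guard in the default gives a clearer failure, e.g. `, device ? (if deviceName == null then throw "pass deviceName or device" else import ./devices/${deviceName})`. The file header for this hunk is not rendered on this page, so the file is inferred from `@ -1,5 +1,6 @@` and the argument set alone.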
@ -158,7 +158,6 @@ in rec {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.firewall = svc.firewall.build {
|
services.firewall = svc.firewall.build {
|
||||||
ruleset = import ./demo-firewall.nix;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.packet_forwarding = svc.network.forward.build { };
|
services.packet_forwarding = svc.network.forward.build { };
|
||||||
|
|
|
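Review bot: `svc.firewall.build { }` now passes neither `rules` nor `extraRules`, but the service's new argument set `{ rules, extraRules }:` (hunk `@ -4,12 +4,12 @@`) has no defaults and the `extraRules` option declared in hunk `@ -56,8 +56,13 @@` has no `default` either, so this call looks like it would fail with a missing-argument error unless `liminix.callService` fills undeclared options, which is not visible here. Adding `default = { };` to the `extraRules` option in that hunk makes the empty call well-defined. The enclosing attribute set of this example begins and ends outside the hunk.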
@ -67,9 +67,7 @@ in rec {
|
||||||
};
|
};
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
rules =
|
rules = secrets.firewallRules;
|
||||||
let defaults = import ./demo-firewall.nix;
|
|
||||||
in lib.recursiveUpdate defaults secrets.firewallRules;
|
|
||||||
};
|
};
|
||||||
wireless.networks = {
|
wireless.networks = {
|
||||||
"${secrets.ssid}" = {
|
"${secrets.ssid}" = {
|
||||||
|
|
|
@ -56,8 +56,13 @@ in
|
||||||
config = {
|
config = {
|
||||||
system.service.firewall =
|
system.service.firewall =
|
||||||
let svc = liminix.callService ./service.nix {
|
let svc = liminix.callService ./service.nix {
|
||||||
ruleset = mkOption {
|
extraRules = mkOption {
|
||||||
|
type = types.attrsOf types.attrs;
|
||||||
|
description = "firewall ruleset";
|
||||||
|
};
|
||||||
|
rules = mkOption {
|
||||||
type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
|
type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
|
||||||
|
default = import ./default-rules.nix;
|
||||||
description = "firewall ruleset";
|
description = "firewall ruleset";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
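Review bot: Both `extraRules` and `rules` carry the identical description `"firewall ruleset"`, so a reader of the generated option documentation cannot tell that one is the base set and the other is merged on top of it (the service applies `lib.recursiveUpdate rules extraRules`). Suggested wording: for `extraRules`, `description = "rules merged over the default ruleset with lib.recursiveUpdate; an entry with the same attribute path replaces the default";` and for `rules`, `description = "base firewall ruleset (defaults to ./default-rules.nix)";`. The `let svc = liminix.callService ...` expression continues past the end of the hunk.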
@ -4,12 +4,12 @@
|
||||||
, firewallgen
|
, firewallgen
|
||||||
, nftables
|
, nftables
|
||||||
}:
|
}:
|
||||||
{ ruleset }:
|
{ rules, extraRules }:
|
||||||
let
|
let
|
||||||
inherit (liminix.services) oneshot;
|
inherit (liminix.services) oneshot;
|
||||||
inherit (liminix.lib) typeChecked;
|
inherit (liminix.lib) typeChecked;
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
script = firewallgen "firewall.nft" ruleset;
|
script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
|
||||||
in oneshot {
|
in oneshot {
|
||||||
name = "firewall";
|
name = "firewall";
|
||||||
up = script;
|
up = script;
|
||||||
|
|
|
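Review bot: `lib.recursiveUpdate rules extraRules` in the new `script = ...` line means any entry in extraRules whose attribute path coincides with one in the default ruleset replaces that default's non-attrset value outright (if rule bodies are lists, the list is replaced, not extended), and the merge is silent, so an operator gets no signal that a default rule has been dropped. That is fine as the intended override mechanism, but it should be stated next to the merge, e.g. `# extraRules wins on collision: recursiveUpdate replaces leaf values (such as rule lists) rather than concatenating them`. If extending a default chain is the intent, a concatenating merge would be needed instead of recursiveUpdate. The argument list of this file starts before the hunk.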
@ -151,7 +151,7 @@ in {
|
||||||
|
|
||||||
services.firewall = mkIf cfg.firewall.enable
|
services.firewall = mkIf cfg.firewall.enable
|
||||||
(svc.firewall.build {
|
(svc.firewall.build {
|
||||||
ruleset = cfg.firewall.rules;
|
extraRules = cfg.firewall.rules;
|
||||||
});
|
});
|
||||||
|
|
||||||
services.resolvconf = oneshot rec {
|
services.resolvconf = oneshot rec {
|
||||||
|
|
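Review bot: `extraRules = cfg.firewall.rules;` changes what the profile's `firewall.rules` option means — the service now merges it over `./default-rules.nix` instead of using it as the whole ruleset — while the option keeps the name `rules` and, presumably, its existing description (its declaration is outside this hunk). Either rename the option to match the service (`extraRules`) or update its description to say that it extends rather than replaces the defaults, so an operator reviewing the effective firewall knows the default rules are also active. `services.firewall` sits in an attribute set that begins before the hunk.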