add service to enable packet forwarding

might be worth looking into adding RA config to this

examples/arhcive.nix

@@ -28,6 +28,7 @@ in rec {
     ../modules/wlan.nix
     ../modules/network
     ../modules/vlan
+    ../modules/ssh
   ];
 
   hostname = "arhcive";

examples/extneder.nix

@@ -29,6 +29,7 @@ in rec {
     ../modules/network
     ../modules/hostapd
     ../modules/bridge
+    ../modules/ssh
     ../modules/standard.nix
   ];
 
@@ -42,7 +43,9 @@ in rec {
       IP6_NF_IPTABLES = "y"; # do we still need these
       IP_NF_IPTABLES = "y"; # if using nftables directly
 
-      # these are copied from rotuer and need review
+      # these are copied from rotuer and need review.
+      # we're not running a firewall, so why do we need
+      # nftables config?
       IP_NF_NAT = "y";
       IP_NF_TARGET_MASQUERADE = "y";
       NETFILTER = "y";
@@ -100,13 +103,7 @@ in rec {
     ];
   };
 
-  services.sshd = longrun {
-    name = "sshd";
-    run = ''
-      mkdir -p /run/dropbear
-      ${dropbear}/bin/dropbear -E -P /run/dropbear.pid -R -F
-    '';
-  };
+  services.sshd = svc.ssh.build {};
 
   services.resolvconf = oneshot rec {
     dependencies = [ services.dhcpc ];

examples/rotuer.nix

@@ -156,22 +156,7 @@ in rec {
     ruleset = import ./rotuer-firewall.nix;
   };
 
-  services.packet_forwarding =
-    let
-      ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
-      ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
-    in oneshot {
-      name = "let-the-ip-flow";
-      up = ''
-        echo 1 > ${ip4}
-        echo 1 > ${ip6}
-      '';
-      down = ''
-        echo 0 > ${ip4};
-        echo 0 > ${ip6};
-      '';
-      dependencies = [ services.firewall ];
-    };
+  services.packet_forwarding = svc.network.forward.build { };
 
   services.dhcp6 =
     let

modules/network/default.nix

@@ -24,6 +24,9 @@ in {
       route = mkOption {
         type = liminix.lib.types.serviceDefn;
       };
+      forward = mkOption {
+        type = liminix.lib.types.serviceDefn;
+      };
       dhcp = {
         client = mkOption {
           # this needs to move to its own service as it has
@@ -108,6 +111,17 @@ in {
         };
       };
 
+      forward = liminix.callService ./forward.nix {
+        enableIPv4 = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        enableIPv6 = mkOption {
+          type = types.bool;
+          default = true;
+        };
+      };
+
       dhcp.client = liminix.callService ./dhcpc.nix {
         interface = mkOption {
           type = liminix.lib.types.service;

modules/network/forward.nix

@@ -0,0 +1,21 @@
+{
+  liminix
+, ifwait
+, serviceFns
+, lib
+}:
+{ enableIPv4, enableIPv6 }:
+let
+  inherit (liminix.services) oneshot;
+  ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
+  ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
+  opt = lib.optionalString;
+  sysctls = b :
+    ""
+    + opt enableIPv4 "echo ${b} > ${ip4}\n"
+    + opt enableIPv6 "echo ${b} > ${ip6}\n";
+in oneshot {
+  name = "forwarding${opt enableIPv4 "4"}${opt enableIPv6 "6"}";
+  up = sysctls "1";
+  down = sysctls "0";
+}

vanilla-configuration.nix

@@ -22,16 +22,7 @@ in rec {
     dependencies = [ services.dhcpv4 ];
   };
 
-  services.packet_forwarding =
-    let
-      iface = services.dhcpv4;
-      filename = "/proc/sys/net/ipv4/conf/$(output ${iface} ifname)/forwarding";
-    in oneshot {
-      name = "let-the-ip-flow";
-      up = "echo 1 > ${filename}";
-      down = "echo 0 > ${filename}";
-      dependencies = [iface];
-    };
+  services.packet_forwarding = svc.network.forward.build { };
 
   services.ntp = config.system.service.ntp.build {
     pools = { "pool.ntp.org" = ["iburst"] ; };