author | Ryan Mulligan <ryan@ryantm.com> | 2019-12-30 10:04:31 -0800 |
committer | GitHub <noreply@github.com> | 2019-12-30 10:04:31 -0800 |
commit | 3a644e30b99bde0e6140f2f06c6dbef0de549e53 (patch) | |
tree | c53469654a27bb27ec1f69eb0fcf4a08f39556a5 /nixos/modules/services | |
parent | 97da2d22fed6b55d331c565a5817e97d74063397 (diff) | |
parent | 56a73dfb35f504e1251ca95db79f5e995676e65e (diff) | |
Merge pull request #46131 from ju1m/shorewall
shorewall: init at 5.2.3.3
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/networking/shorewall.nix | 75 | ||||
-rw-r--r-- | nixos/modules/services/networking/shorewall6.nix | 75 |
2 files changed, 150 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/shorewall.nix b/nixos/modules/services/networking/shorewall.nix
new file mode 100644
index 000000000000..0f94d414fcf7
--- /dev/null
+++ b/nixos/modules/services/networking/shorewall.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+let
+ types = lib.types;
+ cfg = config.services.shorewall;
+in {
+ options = {
+ services.shorewall = {
+ enable = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable Shorewall IPv4 Firewall.
+ <warning>
+ <para>
+ Enabling this service WILL disable the existing NixOS
+ firewall! Default firewall rules provided by packages are not
+ considered at the moment.
+ </para>
+ </warning>
+ '';
+ };
+ package = lib.mkOption {
+ type = types.package;
+ default = pkgs.shorewall;
+ defaultText = "pkgs.shorewall";
+ description = "The shorewall package to use.";
+ };
+ configs = lib.mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = ''
+ This option defines the Shorewall configs.
+ The attribute name defines the name of the config,
+ and the attribute value defines the content of the config.
+ '';
+ apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.firewall.enable = false;
+ systemd.services.shorewall = {
+ description = "Shorewall IPv4 Firewall";
+ after = [ "ipset.target" ];
+ before = [ "network-pre.target" ];
+ wants = [ "network-pre.target" ];
+ wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ restartTriggers = lib.attrValues cfg.configs;
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ ExecStart = "${cfg.package}/bin/shorewall start";
+ ExecReload = "${cfg.package}/bin/shorewall reload";
+ ExecStop = "${cfg.package}/bin/shorewall stop";
+ };
+ preStart = ''
+ install -D -d -m 750 /var/lib/shorewall
+ install -D -d -m 755 /var/lock/subsys
+ touch /var/log/shorewall.log
+ chown 750 /var/log/shorewall.log
+ '';
+ };
+ environment = {
+ etc = lib.mapAttrsToList
+ (name: file:
+ { source = file;
+ target = "shorewall/${name}";
+ })
+ cfg.configs;
+ systemPackages = [ cfg.package ];
+ };
+ };
+}
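Review bot: `chown 750 /var/log/shorewall.log` in preStart looks like a typo for `chmod`: chown accepts a numeric argument as a user id, so this hands the firewall log to whatever account happens to have UID 750 (or to no account at all) and leaves the mode exactly as `touch` created it under the service's umask, which is typically world-readable. The same line appears in the shorewall6.nix hunk as `chown 750 /var/log/shorewall6.log`. The minimal fix is `chmod 750 /var/log/shorewall.log`; alternatively create the file the same way the directory line does, `[ -e /var/log/shorewall.log ] || install -m 640 /dev/null /var/log/shorewall.log`, which also avoids re-touching an existing log on every start. Separately, `systemd.services.firewall.enable = false` only disables the firewall unit; if `networking.firewall.enable` stays true, whatever else that module contributes presumably still applies, so an assertion or `networking.firewall.enable = lib.mkDefault false` would make the description's "WILL disable the existing NixOS firewall" claim hold — verify against the firewall module. Note also that `configs` is rendered through `pkgs.writeText`, so every config ends up world-readable in the Nix store, which the option description should say so nobody puts secrets in it.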
diff --git a/nixos/modules/services/networking/shorewall6.nix b/nixos/modules/services/networking/shorewall6.nix
new file mode 100644
index 000000000000..9c22a037c0b4
--- /dev/null
+++ b/nixos/modules/services/networking/shorewall6.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+let
+ types = lib.types;
+ cfg = config.services.shorewall6;
+in {
+ options = {
+ services.shorewall6 = {
+ enable = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable Shorewall IPv6 Firewall.
+ <warning>
+ <para>
+ Enabling this service WILL disable the existing NixOS
+ firewall! Default firewall rules provided by packages are not
+ considered at the moment.
+ </para>
+ </warning>
+ '';
+ };
+ package = lib.mkOption {
+ type = types.package;
+ default = pkgs.shorewall;
+ defaultText = "pkgs.shorewall";
+ description = "The shorewall package to use.";
+ };
+ configs = lib.mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = ''
+ This option defines the Shorewall configs.
+ The attribute name defines the name of the config,
+ and the attribute value defines the content of the config.
+ '';
+ apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.firewall.enable = false;
+ systemd.services.shorewall6 = {
+ description = "Shorewall IPv6 Firewall";
+ after = [ "ipset.target" ];
+ before = [ "network-pre.target" ];
+ wants = [ "network-pre.target" ];
+ wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ restartTriggers = lib.attrValues cfg.configs;
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ ExecStart = "${cfg.package}/bin/shorewall6 start";
+ ExecReload = "${cfg.package}/bin/shorewall6 reload";
+ ExecStop = "${cfg.package}/bin/shorewall6 stop";
+ };
+ preStart = ''
+ install -D -d -m 750 /var/lib/shorewall6
+ install -D -d -m 755 /var/lock/subsys
+ touch /var/log/shorewall6.log
+ chown 750 /var/log/shorewall6.log
+ '';
+ };
+ environment = {
+ etc = lib.mapAttrsToList
+ (name: file:
+ { source = file;
+ target = "shorewall6/${name}";
+ })
+ cfg.configs;
+ systemPackages = [ cfg.package ];
+ };
+ };
+}