author | Nuno Alves <nuno.alves02@gmail.com> | 2023-11-27 19:00:14 +0000 |
committer | Nuno Alves <nuno.alves02@gmail.com> | 2023-12-02 22:42:12 +0000 |
commit | 24d9151d15168867b87669ee663e4d15a23ded91 (patch) | |
tree | 48f73120c4210766c99780ef320098f121700610 /nixos | |
parent | 679cb8ff4db11edf3ac27b188f75a3cc55909cd5 (diff) | |
nixos/keepalived: add openFirewall option
Allow VRRP and AH (authentication packets) through the firewall automatically if the option is set.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/keepalived/default.nix | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index 29fbea5545c3..429a47c3962c 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -150,6 +150,14 @@ in
         '';
       };
 
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Whether to automatically allow VRRP and AH packets in the firewall.
+        '';
+      };
+
       enableScriptSecurity = mkOption {
         type = types.bool;
         default = false;
@@ -282,6 +290,19 @@ in
 
     assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
 
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      extraCommands = ''
+        # Allow VRRP and AH packets
+        ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+
+      extraStopCommands = ''
+        ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+    };
+
     systemd.timers.keepalived-boot-delay = {
       description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
       after = [ "network.target" "network-online.target" "syslog.target" ]; |
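Review bot: The description of the new openFirewall option (first hunk) does not say what the rules actually admit: the ACCEPT rules added in the second hunk match every VRRP and AH packet regardless of source address or interface, which is wider than a single-interface VRRP deployment needs. Suggest `Whether to automatically allow VRRP (IP protocol 112) and AH (IP protocol 51) packets in the firewall. The rules are not restricted to a source address or to the interfaces of the configured VRRP instances.` so users can judge the exposure before enabling it. The enclosing options attrset starts and ends outside the hunk.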
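Review bot: The ACCEPT rules in extraCommands match `-p vrrp` and `-p ah` from any source on any interface, so enabling the option also admits those protocols on interfaces that carry no VRRP instance; each keepalived instance declares an interface, so the rules could be scoped with `-i`, e.g. `ip46tables -A nixos-fw -i ${iface} -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT` generated once per configured instance (the instance list appears as vrrpInstances on the assertions line, though its shape is not visible in this hunk). The mirrored `-D` lines in extraStopCommands would need the same `-i` to delete the rule they target. Separately, a `-D` on a rule that is no longer present exits non-zero; if the firewall stop script runs with errexit that would abort it, so `|| true` on those two lines may be warranted, which is worth confirming against the firewall module. The enclosing config attrset starts and ends outside the hunk.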