Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 18 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd-unit-options.nix | 9 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 6 |
3 files changed, 29 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 42914bfe5d62..b97ec8b4d43a 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -264,7 +264,7 @@ in
 message = "This kernel does not support disabling conntrack helpers";
 }
 ];
- systemd.services.firewall =
+ systemd.services.firewall = rec
 { description = "Firewall";
 wantedBy = [ "network.target" ];
@@ -277,8 +277,12 @@ in
 # better have all necessary modules already loaded.
 unitConfig.ConditionCapability = "CAP_NET_ADMIN";
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
+ reloadIfChanged = true;
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
 script = ''
@@ -417,11 +421,17 @@ in
 ip46tables -A INPUT -j nixos-fw
 '';
+ reload = ''
+ ${helpers}
+ ip46tables -A INPUT -j DROP
+ ${script}
+ ip46tables -D INPUT -j DROP || true # extraCommands might delete the above rule and cause this to fail
+ '';
+
 postStop = ''
 ${helpers}
 ip46tables -D INPUT -j nixos-fw || true
- #ip46tables -P INPUT ACCEPT
 '';
 };
diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix
index a6183c47eb1b..48c3564ba078 100644
--- a/nixos/modules/system/boot/systemd-unit-options.nix
+++ b/nixos/modules/system/boot/systemd-unit-options.nix
@@ -230,6 +230,15 @@ in rec {
 '';
 };
+ reload = mkOption {
+ type = types.lines;
+ default = "";
+ description = ''
+ Shell commands executed when the service's main process
+ is reloaded.
+ '';
+ };
+
 preStop = mkOption {
 type = types.lines;
 default = "";
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index e353e9246b0e..f2f7989ab4de 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
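Review bot: The new `reload = ''` block is fail-closed but nothing says so: the reload script is generated with a `#! ${pkgs.stdenv.shell} -e` shebang (see the systemd.nix hunk in this commit), so if any command inside the interpolated `${script}` fails, the trailing `ip46tables -D INPUT -j DROP` is never reached and INPUT keeps a DROP at its tail until the next successful start or reload. That is the right direction for a firewall, but an operator chasing lost connectivity after a failed reload needs to find it in the source; I would add `# If the script above fails (-e), the temporary DROP is left in place on purpose: fail closed rather than open.` above the final delete. Note also that `${script}` is interpolated verbatim after `${helpers}`; if `script` itself already begins with `${helpers}` (its head is outside this hunk), the helper definitions are emitted twice, which is harmless but could be trimmed. The enclosing `systemd.services.firewall` set starts in the first hunk of this file and ends here.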
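Review bot: The description of the new `reload` option in systemd-unit-options.nix says the commands run when "the service's main process is reloaded", which does not fit the first user of the option in this same commit: the firewall service is `Type = "oneshot"` with `RemainAfterExit = true` and has no main process. Per the systemd.nix hunk the option is turned into `serviceConfig.ExecReload`, so the description should say that instead: `Shell commands executed when the service is reloaded (systemctl reload); they become the unit's ExecReload.` The surrounding `in rec {` option set starts and ends outside this hunk.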
@@ -245,6 +245,12 @@ let
 ${config.postStart}
 '';
 })
+ (mkIf (config.reload != "")
+ { serviceConfig.ExecReload = makeJobScript "${name}-reload" ''
+ #! ${pkgs.stdenv.shell} -e
+ ${config.reload}
+ '';
+ })
 (mkIf (config.preStop != "")
 { serviceConfig.ExecStop = makeJobScript "${name}-pre-stop" ''
 #! ${pkgs.stdenv.shell} -e