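{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.ferm;

  # Rendered ferm.conf.  The ruleset is parsed at build time with
  # `ferm --noexec`, so a syntax error fails the build instead of failing
  # at activation time and leaving the host without a ruleset.
  #
  # The config is handed to the builder through a file (`passAsFile`)
  # rather than an environment variable: a large ruleset would otherwise
  # hit the environment size limit, and `cp` preserves the text
  # byte-for-byte instead of exposing it to `echo` option/escape handling.
  configFile = pkgs.stdenv.mkDerivation {
    name = "ferm.conf";
    text = cfg.config;
    passAsFile = [ "text" ];
    preferLocalBuild = true;
    buildCommand = ''
      cp "$textPath" "$out"
      ${cfg.package}/bin/ferm --noexec "$out"
    '';
  };
in {
  options = {
    services.ferm = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Whether to enable Ferm Firewall.
          *Warning*: Enabling this service WILL disable the existing NixOS
          firewall! Default firewall rules provided by packages are not
          considered at the moment.
        '';
      };

      # Passed verbatim to ferm; nothing is merged in from other modules
      # (e.g. networking.firewall.allowedTCPPorts is not honoured here).
      config = mkOption {
        description = "Verbatim ferm.conf configuration.";
        default = "";
        defaultText = "empty firewall, allows any traffic";
        type = types.lines;
      };

      package = mkOption {
        description = "The ferm package.";
        type = types.package;
        default = pkgs.ferm;
        defaultText = "pkgs.ferm";
      };
    };
  };

  config = mkIf cfg.enable {
    # ferm takes over netfilter management; the stock NixOS firewall unit is
    # switched off so the two do not manage the same tables.  Note that this
    # also means no other rules are applied when the ferm unit is stopped.
    systemd.services.firewall.enable = false;

    systemd.services.ferm = {
      description = "Ferm Firewall";
      after = [ "ipset.target" ];
      # Ordered before network-pre.target so the ruleset is in place before
      # network configuration starts.
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # ferm applies the ruleset and exits; RemainAfterExit keeps the unit
        # reported as active so `stop` and `reload` still act on it.
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/ferm ${configFile}";
        ExecReload = "${cfg.package}/bin/ferm ${configFile}";
        # `-F` runs ferm in flush mode: stopping the unit removes the rules
        # it manages, and with the NixOS firewall disabled above the host is
        # then left without this ruleset.
        ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
      };
    };
  };
}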