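{ config, lib, pkgs, ... }:

let
  inherit (lib) literalMD mkIf mkOption mkPackageOption types;

  cfg = config.services.ferm;

  # ferm.conf is materialised in the Nix store and syntax-checked at build
  # time: `ferm --noexec` parses the file without touching the kernel and
  # fails the build on a parse error, so a broken rule set is caught by
  # `nixos-rebuild` rather than discovered at activation, when it would leave
  # the host without a working packet filter.
  #
  # The text is handed over with passAsFile instead of an environment
  # variable: a large configuration then cannot hit the exec argument-size
  # limit, and a first line that happens to look like an option (`-n`, `-e`)
  # cannot be swallowed by `echo`. The file content is unchanged compared to
  # `echo -n "$text"`: the string is written verbatim, no trailing newline.
  #
  # NOTE(review): ferm resolves hostnames in the configuration at parse time;
  # the build sandbox has no network, so such a config is expected to fail
  # this check. Prefer literal addresses, or verify before relying on names.
  configFile = pkgs.runCommand "ferm.conf" {
    text = cfg.config;
    passAsFile = [ "text" ];
    preferLocalBuild = true;
  } ''
    cp "$textPath" "$out"
    ${cfg.package}/bin/ferm --noexec "$out"
  '';
in
{
  options = {
    services.ferm = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable the Ferm firewall.

          *Warning*: enabling this service disables the `firewall` systemd
          unit of the default NixOS firewall. Rules that other modules or
          packages contribute through the default firewall (for example
          ports they open) are not taken into account at the moment; every
          rule the host needs has to be written out in
          {option}`services.ferm.config`.
        '';
      };
      config = mkOption {
        description = ''
          Verbatim ferm.conf configuration. The file is syntax-checked with
          `ferm --noexec` at build time; with the default (empty) value no
          rules are loaded at all and any traffic is accepted.
        '';
        default = "";
        defaultText = literalMD "empty firewall, allows any traffic";
        type = types.lines;
      };
      package = mkPackageOption pkgs "ferm" { };
    };
  };

  config = mkIf cfg.enable {
    # Only the unit is removed; the networking.firewall.* options still
    # evaluate but no longer affect the packet filter.
    systemd.services.firewall.enable = false;

    systemd.services.ferm = {
      description = "Ferm Firewall";
      # After ipset so sets referenced by the rules exist, and before
      # network-pre so the filter is loaded before interfaces come up.
      after = [ "ipset.target" ];
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      # A changed ferm.conf triggers ExecReload on switch-to-configuration,
      # re-applying the rules without a stop/start gap.
      reloadIfChanged = true;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/ferm ${configFile}";
        ExecReload = "${cfg.package}/bin/ferm ${configFile}";
        # `ferm -F` flushes the rule set again: stopping the unit is expected
        # to leave the host unfiltered, not to fall back to the NixOS firewall.
        ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
      };
    };
  };
}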