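{ config, lib, pkgs, ... }:
# NixOS module for the Shorewall IPv6 firewall (shorewall6).
#
# When enabled it replaces the stock NixOS `firewall` unit with a oneshot
# `shorewall6` service, writes each entry of `services.shorewall6.configs`
# to /etc/shorewall6/<name>, and restarts/reloads the unit whenever one of
# those files changes.
let
  types = lib.types;
  cfg = config.services.shorewall6;
in {
  options = {
    services.shorewall6 = {
      enable = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable Shorewall IPv6 Firewall.

          ::: {.warning}
          Enabling this service WILL disable the existing NixOS
          firewall! Default firewall rules provided by packages are not
          considered at the moment.
          :::
        '';
      };
      package = lib.mkOption {
        type = types.package;
        default = pkgs.shorewall;
        defaultText = lib.literalExpression "pkgs.shorewall";
        description = "The shorewall package to use.";
      };
      configs = lib.mkOption {
        type = types.attrsOf types.lines;
        default = {};
        description = ''
          This option defines the Shorewall configs.
          The attribute name defines the name of the config,
          and the attribute value defines the content of the config.
        '';
        # Materialise each config body as a store file so the same derivation
        # can be linked into /etc and used as a restart trigger below.
        apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Shorewall manages the whole ruleset; the stock firewall unit must not
    # run alongside it (see the warning in the `enable` option).
    systemd.services.firewall.enable = false;
    systemd.services.shorewall6 = {
      description = "Shorewall IPv6 Firewall";
      after = [ "ipset.target" ];
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      reloadIfChanged = true;
      # Any change to a generated config file restarts (or, with
      # reloadIfChanged, reloads) the unit.
      restartTriggers = lib.attrValues cfg.configs;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/shorewall6 start";
        ExecReload = "${cfg.package}/bin/shorewall6 reload";
        ExecStop = "${cfg.package}/bin/shorewall6 stop";
      };
      # Create the state/lock directories and the log file before the first
      # start.  Fix: the log file permissions are set with `chmod`; the
      # previous `chown 750` changed the file's owner to UID 750 and left its
      # mode untouched.
      preStart = ''
        install -D -d -m 750 /var/lib/shorewall6
        install -D -d -m 755 /var/lock/subsys
        touch /var/log/shorewall6.log
        chmod 750 /var/log/shorewall6.log
      '';
    };
    environment = {
      # Link every generated config into /etc/shorewall6/<name>.
      etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall6/${name}" { source = conf; }) cfg.configs;
      systemPackages = [ cfg.package ];
    };
  };
}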