# NixOS module for the ferm firewall.
#
# Enabling `services.ferm` replaces the stock NixOS `firewall` unit with a
# systemd oneshot that applies the verbatim ruleset from `services.ferm.config`.
# The ruleset is placed in the Nix store and syntax-checked at build time, so a
# broken config fails the build rather than being discovered at activation.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.ferm;

  # The ruleset as a store path. `ferm --noexec` parses the file without
  # applying it, so an unparsable `cfg.config` aborts the derivation.
  # NOTE(review): `text` reaches the builder via the environment; a very large
  # ruleset may hit the environment size limit — `passAsFile = [ "text" ]` or
  # `pkgs.writeTextFile` would avoid that. Confirm before changing, since it
  # alters the derivation hash.
  configFile = pkgs.stdenv.mkDerivation {
    name = "ferm.conf";
    text = cfg.config;
    # Trivial derivation; build it where it is evaluated instead of on a remote builder.
    preferLocalBuild = true;
    buildCommand = ''
      echo -n "$text" > $out
      ${cfg.package}/bin/ferm --noexec $out
    '';
  };
in
{
  options = {
    services.ferm = {
      enable = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to enable Ferm Firewall.
          *Warning*: Enabling this service WILL disable the existing NixOS
          firewall! Default firewall rules provided by packages are not
          considered at the moment.
        '';
      };
      # Inserted into ferm.conf unescaped: whoever controls this option
      # controls the host's packet filtering. With the default empty value no
      # rules are loaded at all — combined with the disabled NixOS firewall
      # below, that means the host is unfiltered.
      config = lib.mkOption {
        description = "Verbatim ferm.conf configuration.";
        default = "";
        defaultText = lib.literalMD "empty firewall, allows any traffic";
        type = lib.types.lines;
      };
      package = lib.mkPackageOption pkgs "ferm" { };
    };
  };

  config = lib.mkIf cfg.enable {
    # Only one ruleset owner: the NixOS firewall unit is switched off, so from
    # here on `cfg.config` is the only thing filtering traffic.
    systemd.services.firewall.enable = false;
    systemd.services.ferm = {
      description = "Ferm Firewall";
      # Ordered after ipset.target (presumably so sets the rules refer to exist
      # first — TODO confirm) and before network-pre.target, so the rules are in
      # place before interfaces are brought up.
      after = [ "ipset.target" ];
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      # On a config change `nixos-rebuild switch` runs ExecReload instead of
      # stop/start, so a rebuild never passes through the ExecStop flush below.
      reloadIfChanged = true;
      serviceConfig = {
        # ferm exits after loading the rules; RemainAfterExit keeps the unit
        # "active" so that reload and stop are still meaningful afterwards.
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/ferm ${configFile}";
        ExecReload = "${cfg.package}/bin/ferm ${configFile}";
        # `-F` flushes the ruleset. After an explicit stop the host has neither
        # ferm rules nor the NixOS firewall; operators should expect an
        # unfiltered host in that state.
        ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
      };
    };
  };
}