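{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module for the Shorewall IPv4 firewall.
#
# Enabling `services.shorewall` disables the NixOS `firewall` unit and runs
# Shorewall from `cfg.package` instead. Every Shorewall configuration file is
# supplied through `services.shorewall.configs`; each entry is written to the
# Nix store at evaluation time and linked into /etc/shorewall/<name>.
let
  types = lib.types;
  cfg = config.services.shorewall;
in
{
  options = {
    services.shorewall = {
      enable = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable Shorewall IPv4 Firewall.

          ::: {.warning}
          Enabling this service WILL disable the existing NixOS
          firewall! Default firewall rules provided by packages are not
          considered at the moment.
          :::
        '';
      };
      package = lib.mkOption {
        type = types.package;
        default = pkgs.shorewall;
        defaultText = lib.literalExpression "pkgs.shorewall";
        description = "The shorewall package to use.";
      };
      configs = lib.mkOption {
        type = types.attrsOf types.lines;
        default = { };
        description = ''
          This option defines the Shorewall configs.
          The attribute name defines the name of the config,
          and the attribute value defines the content of the config.

          Each config is written to the Nix store, which is world-readable,
          and linked to {file}`/etc/shorewall/<name>`. Do not inline secrets
          in these configs; keep such values in files managed outside the
          store and reference them from the config instead.
        '';
        # Turn each config's text into a store file at evaluation time, so that
        # `cfg.configs` holds store paths. Those paths are what the service
        # below uses as restart triggers and as /etc sources.
        apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Shorewall takes over packet filtering, so the NixOS firewall unit must
    # not run alongside it (this is the behaviour the `enable` warning refers to).
    systemd.services.firewall.enable = false;
    systemd.services.shorewall = {
      description = "Shorewall IPv4 Firewall";
      # Ordered after ipset.target and before network-pre.target, so the ruleset
      # is in place before network configuration proceeds.
      after = [ "ipset.target" ];
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      # With reloadIfChanged, a change to any of the config store paths listed
      # in restartTriggers reloads the ruleset in place rather than stopping
      # and starting the unit (which would briefly leave the host unfiltered).
      reloadIfChanged = true;
      restartTriggers = lib.attrValues cfg.configs;
      serviceConfig = {
        # oneshot + RemainAfterExit: the unit stays "active" after `shorewall
        # start` returns, so `shorewall stop` runs when the unit is stopped.
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/shorewall start";
        ExecReload = "${cfg.package}/bin/shorewall reload";
        ExecStop = "${cfg.package}/bin/shorewall stop";
      };
      # Create the state directory, lock directory and log file before each
      # start. The state directory and the log are not world-readable (0750);
      # only the lock directory is 0755.
      preStart = ''
        install -D -d -m 750 /var/lib/shorewall
        install -D -d -m 755 /var/lock/subsys
        touch /var/log/shorewall.log
        chmod 750 /var/log/shorewall.log
      '';
    };
    environment = {
      # Expose every config as /etc/shorewall/<name>, each a link to its
      # (world-readable) store file produced by the `apply` above.
      etc = lib.mapAttrs' (
        name: conf: lib.nameValuePair "shorewall/${name}" { source = conf; }
      ) cfg.configs;
      # Put the shorewall CLI on the system path for administrators.
      systemPackages = [ cfg.package ];
    };
  };
}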