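# NixOS module for the Shorewall IPv6 firewall (shorewall6).
#
# When enabled it switches off the stock NixOS `firewall` unit, links the
# files from `services.shorewall6.configs` under /etc/shorewall6 and starts
# shorewall6 as a oneshot unit ordered before network-pre.target.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  types = lib.types;
  cfg = config.services.shorewall6;
in
{
  options = {
    services.shorewall6 = {
      enable = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable Shorewall IPv6 Firewall.

          ::: {.warning}
          Enabling this service WILL disable the existing NixOS
          firewall! Default firewall rules provided by packages are not
          considered at the moment.
          :::
        '';
      };
      package = lib.mkPackageOption pkgs "shorewall" { };
      configs = lib.mkOption {
        type = types.attrsOf types.lines;
        default = { };
        description = ''
          This option defines the Shorewall configs.
          The attribute name defines the name of the config,
          and the attribute value defines the content of the config.
        '';
        # Each config body is rendered to its own store file named after the
        # attribute. NOTE(review): store paths are readable by every local
        # user, so config text should not carry secrets.
        apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # The stock NixOS firewall unit is turned off unconditionally.
    # NOTE(review): this module only starts an IPv6 ruleset. If the disabled
    # unit was also the host's IPv4 filter, IPv4 is left without rules unless
    # an IPv4 firewall is configured separately. Confirm before enabling.
    # NOTE(review): port openings that other modules declare for the NixOS
    # firewall are not translated into Shorewall rules (see the warning on
    # `enable`), so the whole policy has to be written in `configs`.
    systemd.services.firewall.enable = false;
    systemd.services.shorewall6 = {
      description = "Shorewall IPv6 Firewall";
      after = [ "ipset.target" ];
      # Ordered before network-pre.target so the ruleset is loaded before
      # network interfaces are brought up.
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      # A changed config triggers `shorewall6 reload` instead of a
      # stop/start cycle of the unit.
      reloadIfChanged = true;
      restartTriggers = lib.attrValues cfg.configs;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/shorewall6 start";
        ExecReload = "${cfg.package}/bin/shorewall6 reload";
        ExecStop = "${cfg.package}/bin/shorewall6 stop";
      };
      # State and lock directories plus the log file are created before the
      # first start. The log is a regular file, so it gets 640 rather than
      # the previous 750: same owner/group read access, no execute bits.
      preStart = ''
        install -D -d -m 750 /var/lib/shorewall6
        install -D -d -m 755 /var/lock/subsys
        touch /var/log/shorewall6.log
        chmod 640 /var/log/shorewall6.log
      '';
    };
    environment = {
      # Every entry of `configs` becomes /etc/shorewall6/<name>.
      etc = lib.mapAttrs' (
        name: conf: lib.nameValuePair "shorewall6/${name}" { source = conf; }
      ) cfg.configs;
      systemPackages = [ cfg.package ];
    };
  };
}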