diff --git a/nixos/modules/notnft.nix b/nixos/modules/notnft.nix
index 06dd260..b3295bb 100644
--- a/nixos/modules/notnft.nix
+++ b/nixos/modules/notnft.nix
@@ -11,14 +11,34 @@ let
 listToAttrs optional filter
- optionalString;
+ optionalString
+ ;
 cfg = config.networking.notnft;
- jsonFormat = (pkgs.formats.json {});
-in
-{
+ jsonFormat = pkgs.formats.json {};
+in {
 options.networking.notnft = { enable = mkEnableOption "notnft";
+ preStart = mkOption {
+ type = types.lines;
+ default = "";
+ };
+
+ postStart = mkOption {
+ type = types.lines;
+ default = "";
+ };
+
+ preStop = mkOption {
+ type = types.lines;
+ default = "";
+ };
+
+ postStop = mkOption {
+ type = types.lines;
+ default = "";
+ };
+
 preRules = mkOption { type = types.listOf jsonFormat.type;
 default = [];
@@ -91,7 +111,15 @@ in
 reloadIfChanged = true;
 serviceConfig = let startScript = pkgs.writeShellScript "start-nft.sh" ''
+ ${cfg.preStart}
 ${pkgs.buildPackages.nftables}/bin/nft -j -f ${cfg.jsonFile}
+ ${cfg.postStart}
+ '';
+
+ stopScript = pkgs.writeShellScript "stop-nft.sh" ''
+ ${cfg.preStop}
+ ${optionalString cfg.flush "${pkgs.nftables}/bin/nft flush ruleset"}
+ ${cfg.postStop}
 '';
 # rulesScript = pkgs.writeTextFile {
 # name = "nftables-rules";
@@ -116,7 +144,7 @@ in
 RemainAfterExit = true;
 ExecStart = startScript;
 ExecReload = startScript;
- ExecStop = optionalString cfg.flush "${pkgs.nftables}/bin/nft flush ruleset";
+ ExecStop = stopScript;
 };
 };
 };
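Review bot: The four new options (`preStart`, `postStart`, `preStop`, `postStop`) have no `description`, and their contents are spliced verbatim into the unit's start/stop shell scripts, so the option docs are the only place a user learns that these lines run as arbitrary shell in the service's context, and that the start hooks run again on every `ExecReload` (the second hunk reuses `startScript` for reload). Add a description to each, e.g. for `preStart`: `description = "Shell commands run in the nftables unit before the ruleset is loaded, on both start and reload.";` and for `postStop`: `description = "Shell commands run in the nftables unit after the ruleset has been flushed (if flush is enabled) on stop.";`. Mirror those for `postStart` and `preStop`.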
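Review bot: A failing `nft -j -f` in `startScript` is masked whenever `cfg.postStart` is non-empty, because the script's exit status is that of its last command and `pkgs.writeShellScript` does not, as far as I know, enable `set -e`; with `RemainAfterExit = true` and `ExecReload = startScript` (set in the third hunk), systemd would then report the unit active after a bad start or reload even though the ruleset was never loaded, i.e. the host may be running without its firewall. The same masking applies in `stopScript`, where a failing `flush ruleset` is hidden by `postStop`. Make both scripts fail fast by starting them with `set -euo pipefail` as the first line inside each `''` block, so a failing hook or nft invocation fails the unit and is visible in `systemctl status`. Note this also means a failing `preStart` aborts the start before any rules are loaded, which is the safer default but should be documented on the option.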