Remormat notnft module

Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
magic_rb 2024-01-18 13:16:00 +01:00
parent 82774bc978
commit 97d1ff5896
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E


@ -1,6 +1,12 @@
{ pkgs, config, lib, notnft, ... }:
let
inherit (lib)
{
pkgs,
config,
lib,
notnft,
...
}: let
inherit
(lib)
types
mkOption
mkDefault
@ -76,38 +82,41 @@ in {
rule = mkOption {
type = notnft.type.rule;
readOnly = true;
default = with notnft.dsl; with payload;
[ jump "dns-drop" ];
default = with notnft.dsl; with payload; [jump "dns-drop"];
};
};
};
};
config = {
networking.notnft.rules = with notnft.dsl; with payload; ruleset {
filter = add table { family = f: f.inet; }
(listToAttrs (filter (x: x != {}) [
(optionalAttrs cfg.chains.dnsDrop.enable {
name = "dns-drop";
value = add chain
[ (is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [ tcp udp ])) (is.eq th.dport 53) drop ];
})
]));
};
networking.notnft.rules = with notnft.dsl;
with payload;
ruleset {
filter =
add table {family = f: f.inet;}
(listToAttrs (filter (x: x != {}) [
(optionalAttrs cfg.chains.dnsDrop.enable {
name = "dns-drop";
value =
add chain
[(is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [tcp udp])) (is.eq th.dport 53) drop];
})
]));
};
networking.notnft.json = builtins.toJSON {
nftables = (optional cfg.flush { flush.ruleset = null; }) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
nftables = (optional cfg.flush {flush.ruleset = null;}) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
};
networking.notnft.jsonFile = pkgs.writeText "rules.json" cfg.json;
boot.blacklistedKernelModules = [ "ip_tables" ];
environment.systemPackages = [ pkgs.nftables ];
boot.blacklistedKernelModules = ["ip_tables"];
environment.systemPackages = [pkgs.nftables];
# networking.networkmanager.firewallBackend = mkDefault "nftables";
systemd.services.notnftables = {
description = "notnftables firewall";
before = [ "network-pre.target" ];
wants = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
before = ["network-pre.target"];
wants = ["network-pre.target"];
wantedBy = ["multi-user.target"];
reloadIfChanged = true;
serviceConfig = let
startScript = pkgs.writeShellScript "start-nft.sh" ''