diff --git a/nixos/modules/notnft.nix b/nixos/modules/notnft.nix
index b3295bb..e52cf15 100644
--- a/nixos/modules/notnft.nix
+++ b/nixos/modules/notnft.nix
@@ -1,6 +1,12 @@
-{ pkgs, config, lib, notnft, ... }:
-let
- inherit (lib)
+{
+ pkgs,
+ config,
+ lib,
+ notnft,
+ ...
+}: let
+ inherit
+ (lib)
 types
 mkOption
 mkDefault
@@ -76,38 +82,41 @@ in {
 rule = mkOption {
 type = notnft.type.rule;
 readOnly = true;
- default = with notnft.dsl; with payload;
- [ jump "dns-drop" ];
+ default = with notnft.dsl; with payload; [jump "dns-drop"];
 };
 };
 };
 };
 config = {
- networking.notnft.rules = with notnft.dsl; with payload; ruleset {
- filter = add table { family = f: f.inet; }
- (listToAttrs (filter (x: x != {}) [
- (optionalAttrs cfg.chains.dnsDrop.enable {
- name = "dns-drop";
- value = add chain
- [ (is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [ tcp udp ])) (is.eq th.dport 53) drop ];
- })
- ]));
- };
+ networking.notnft.rules = with notnft.dsl;
+ with payload;
+ ruleset {
+ filter =
+ add table {family = f: f.inet;}
+ (listToAttrs (filter (x: x != {}) [
+ (optionalAttrs cfg.chains.dnsDrop.enable {
+ name = "dns-drop";
+ value =
+ add chain
+ [(is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [tcp udp])) (is.eq th.dport 53) drop];
+ })
+ ]));
+ };
 networking.notnft.json = builtins.toJSON {
- nftables = (optional cfg.flush { flush.ruleset = null; }) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
+ nftables = (optional cfg.flush {flush.ruleset = null;}) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
 };
 networking.notnft.jsonFile = pkgs.writeText "rules.json" cfg.json;
- boot.blacklistedKernelModules = [ "ip_tables" ];
- environment.systemPackages = [ pkgs.nftables ];
+ boot.blacklistedKernelModules = ["ip_tables"];
+ environment.systemPackages = [pkgs.nftables];
 # networking.networkmanager.firewallBackend = mkDefault "nftables";
 systemd.services.notnftables = {
 description = "notnftables firewall";
- before = [ "network-pre.target" ];
- wants = [ "network-pre.target" ];
- wantedBy = [ "multi-user.target" ];
+ before = ["network-pre.target"];
+ wants = ["network-pre.target"];
+ wantedBy = ["multi-user.target"];
 reloadIfChanged = true;
 serviceConfig = let
 startScript = pkgs.writeShellScript "start-nft.sh" ''