Reformat notnft module

Signed-off-by: magic_rb <magic_rb@redalder.org>
magic_rb 2024-01-18 13:16:00 +01:00
parent 82774bc978
commit 97d1ff5896
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E


@ -1,6 +1,12 @@
{ pkgs, config, lib, notnft, ... }: {
let pkgs,
inherit (lib) config,
lib,
notnft,
...
}: let
inherit
(lib)
types types
mkOption mkOption
mkDefault mkDefault
@ -76,38 +82,41 @@ in {
rule = mkOption { rule = mkOption {
type = notnft.type.rule; type = notnft.type.rule;
readOnly = true; readOnly = true;
default = with notnft.dsl; with payload; default = with notnft.dsl; with payload; [jump "dns-drop"];
[ jump "dns-drop" ];
}; };
}; };
}; };
}; };
config = { config = {
networking.notnft.rules = with notnft.dsl; with payload; ruleset { networking.notnft.rules = with notnft.dsl;
filter = add table { family = f: f.inet; } with payload;
(listToAttrs (filter (x: x != {}) [ ruleset {
(optionalAttrs cfg.chains.dnsDrop.enable { filter =
name = "dns-drop"; add table {family = f: f.inet;}
value = add chain (listToAttrs (filter (x: x != {}) [
[ (is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [ tcp udp ])) (is.eq th.dport 53) drop ]; (optionalAttrs cfg.chains.dnsDrop.enable {
}) name = "dns-drop";
])); value =
}; add chain
[(is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [tcp udp])) (is.eq th.dport 53) drop];
})
]));
};
networking.notnft.json = builtins.toJSON { networking.notnft.json = builtins.toJSON {
nftables = (optional cfg.flush { flush.ruleset = null; }) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules; nftables = (optional cfg.flush {flush.ruleset = null;}) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
}; };
networking.notnft.jsonFile = pkgs.writeText "rules.json" cfg.json; networking.notnft.jsonFile = pkgs.writeText "rules.json" cfg.json;
boot.blacklistedKernelModules = [ "ip_tables" ]; boot.blacklistedKernelModules = ["ip_tables"];
environment.systemPackages = [ pkgs.nftables ]; environment.systemPackages = [pkgs.nftables];
# networking.networkmanager.firewallBackend = mkDefault "nftables"; # networking.networkmanager.firewallBackend = mkDefault "nftables";
systemd.services.notnftables = { systemd.services.notnftables = {
description = "notnftables firewall"; description = "notnftables firewall";
before = [ "network-pre.target" ]; before = ["network-pre.target"];
wants = [ "network-pre.target" ]; wants = ["network-pre.target"];
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
reloadIfChanged = true; reloadIfChanged = true;
serviceConfig = let serviceConfig = let
startScript = pkgs.writeShellScript "start-nft.sh" '' startScript = pkgs.writeShellScript "start-nft.sh" ''