Remormat notnft module

Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-11-22 08:04:20 +01:00 · 2024-01-18 13:16:00 +01:00 · 2024-01-18 13:16:00 +01:00 · 97d1ff5896
parent 82774bc978
commit 97d1ff5896
1 changed files with 30 additions and 21 deletions
--- a/nixos/modules/notnft.nix
+++ b/nixos/modules/notnft.nix
@ -1,6 +1,12 @@
-{ pkgs, config, lib, notnft, ... }:
-let
-  inherit (lib)
+{
+  pkgs,
+  config,
+  lib,
+  notnft,
+  ...
+}: let
+  inherit
+    (lib)
    types
    mkOption
    mkDefault
@ -76,38 +82,41 @@ in {
        rule = mkOption {
          type = notnft.type.rule;
          readOnly = true;
-          default = with notnft.dsl; with payload;
-            [ jump "dns-drop" ];
+          default = with notnft.dsl; with payload; [jump "dns-drop"];
        };
      };
    };
  };

  config = {
-    networking.notnft.rules = with notnft.dsl; with payload; ruleset {
-      filter = add table { family = f: f.inet; }
-        (listToAttrs (filter (x: x != {}) [
-          (optionalAttrs cfg.chains.dnsDrop.enable {
-            name = "dns-drop";
-            value = add chain
-              [ (is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [ tcp udp ])) (is.eq th.dport 53) drop ];
-          })
-        ]));
-    };
+    networking.notnft.rules = with notnft.dsl;
+    with payload;
+      ruleset {
+        filter =
+          add table {family = f: f.inet;}
+          (listToAttrs (filter (x: x != {}) [
+            (optionalAttrs cfg.chains.dnsDrop.enable {
+              name = "dns-drop";
+              value =
+                add chain
+                [(is.ne ip.daddr "10.64.2.1") (is.eq ip.protocol (f: with f; set [tcp udp])) (is.eq th.dport 53) drop];
+            })
+          ]));
+      };

    networking.notnft.json = builtins.toJSON {
-      nftables = (optional cfg.flush { flush.ruleset = null; }) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
+      nftables = (optional cfg.flush {flush.ruleset = null;}) ++ cfg.preRules ++ cfg.rules.nftables ++ cfg.postRules;
    };
    networking.notnft.jsonFile = pkgs.writeText "rules.json" cfg.json;

-    boot.blacklistedKernelModules = [ "ip_tables" ];
-    environment.systemPackages = [ pkgs.nftables ];
+    boot.blacklistedKernelModules = ["ip_tables"];
+    environment.systemPackages = [pkgs.nftables];
    # networking.networkmanager.firewallBackend = mkDefault "nftables";
    systemd.services.notnftables = {
      description = "notnftables firewall";
-      before = [ "network-pre.target" ];
-      wants = [ "network-pre.target" ];
-      wantedBy = [ "multi-user.target" ];
+      before = ["network-pre.target"];
+      wants = ["network-pre.target"];
+      wantedBy = ["multi-user.target"];
      reloadIfChanged = true;
      serviceConfig = let
        startScript = pkgs.writeShellScript "start-nft.sh" ''