install/overlays/tools/networking/shorewall6/service.nix

   1 { config, lib, pkgs, ... }:
   2 let
   3   types = lib.types;
   4   cfg = config.services.shorewall6;
   5 in {
   6   options = {
   7     services.shorewall6 = {
   8       enable = lib.mkOption {
   9         type        = types.bool;
  10         default     = false;
  11         description = ''
  12           Whether to enable Shorewall Firewall.
  13           *Warning*: Enabling this service WILL disable the existing NixOS
  14           firewall! Default firewall rules provided by packages are not
  15           considered at the moment.
  16         '';
  17       };
  18       package = lib.mkOption {
  19         type        = types.package;
  20         default     = pkgs.shorewall6;
  21         defaultText = "pkgs.shorewall6";
  22         description = "The shorewall6 package to use.";
  23       };
  24       configs = lib.mkOption {
  25         type        = types.attrsOf types.str;
  26         default     = {};
  27         description = ''
  28           This option defines the Shorewall configs.
  29           The attribute name defines the name of the config,
  30           and the attribute value defines the content of the config.
  31         '';
  32         apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
  33       };
  34     };
  35   };
  36
  37   config = lib.mkIf cfg.enable {
  38     systemd.services.firewall.enable = false;
  39     systemd.services.shorewall6 = {
  40       description      = "Shorewall IPv6 Firewall";
  41       after            = [ "ipset.target" ];
  42       before           = [ "network-pre.target" ];
  43       wants            = [ "network-pre.target" ];
  44       wantedBy         = [ "multi-user.target" ];
  45       reloadIfChanged  = true;
  46       restartTriggers  = lib.attrValues cfg.configs;
  47       serviceConfig = {
  48         Type            = "oneshot";
  49         RemainAfterExit = "yes";
  50         ExecStart       = "${cfg.package}/bin/shorewall6 start";
  51         ExecReload      = "${cfg.package}/bin/shorewall6 reload";
  52         ExecStop        = "${cfg.package}/bin/shorewall6 stop";
  53       };
  54       preStart = ''
  55         install -D -d -m 750 /var/lib/shorewall6
  56         install -D -d -m 755 /var/lock/subsys
  57         touch                /var/log/shorewall6.log
  58         chown 750            /var/log/shorewall6.log
  59       '';
  60     };
  61     environment = {
  62       etc = lib.mapAttrsToList
  63               (name: file:
  64                 { source = file;
  65                   target = "shorewall6/${name}";
  66                 })
  67               cfg.configs;
  68       systemPackages = [ cfg.package ];
  69     };
  70   };
  71 }