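# NixOS module for the Shorewall IPv4 firewall.
#
# NOTE(review): the whole `config` section below is commented out, so
# `services.shorewall.enable = true` currently evaluates to an empty config:
# no shorewall unit is created and the stock NixOS firewall is NOT disabled,
# contrary to what the option description warns.  Everything inside the
# block comment is kept verbatim except for the `chown`/`chmod` fix noted there.
{ config, lib, pkgs, ... }:
let
  types = lib.types;
  cfg = config.services.shorewall;
in {
  options = {
    services.shorewall = {
      enable = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable Shorewall IPv4 Firewall.
          <warning>
          <para>
          Enabling this service WILL disable the existing NixOS
          firewall! Default firewall rules provided by packages are not
          considered at the moment.
          </para>
          </warning>
        '';
      };
      package = lib.mkOption {
        type = types.package;
        default = pkgs.shorewall;
        defaultText = "pkgs.shorewall";
        description = "The shorewall package to use.";
      };
      configs = lib.mkOption {
        type = types.attrsOf types.str;
        default = {};
        description = ''
          This option defines the Shorewall configs.
          The attribute name defines the name of the config,
          and the attribute value defines the content of the config.
        '';
        # `apply` turns every entry into a store path: the attribute set seen
        # by the rest of the module maps config name -> derivation output.
        # Store paths are world-readable, so these files must not hold secrets.
        apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
      };
    };
  };

  config = lib.mkIf cfg.enable {
    /*
    # Replace the stock NixOS firewall unit with a shorewall oneshot unit that
    # starts before the network comes up and reloads when any config changes.
    systemd.services.firewall.enable = false;
    systemd.services.shorewall = {
      description = "Shorewall IPv4 Firewall";
      after = [ "ipset.target" ];
      before = [ "network-pre.target" ];
      wants = [ "network-pre.target" ];
      wantedBy = [ "multi-user.target" ];
      reloadIfChanged = true;
      # cfg.configs already holds store paths (see `apply` above), so a change
      # in any config content changes a path here and triggers a restart.
      restartTriggers = lib.attrValues cfg.configs;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
        ExecStart = "${cfg.package}/bin/shorewall start";
        ExecReload = "${cfg.package}/bin/shorewall reload";
        ExecStop = "${cfg.package}/bin/shorewall stop";
      };
      preStart = ''
        install -D -d -m 750 /var/lib/shorewall
        install -D -d -m 755 /var/lock/subsys
        touch /var/log/shorewall.log
        # Was `chown 750`, which would try to hand the log to uid 750 (and
        # fail the unit if no such user exists) instead of setting its mode.
        # 640 would suffice for a log file; 750 is kept as the author chose.
        chmod 750 /var/log/shorewall.log
      '';
    };
    environment = {
      # Expose each config as /etc/shorewall/<name>, linked to its store path.
      etc = lib.mapAttrsToList
        (name: file:
          { source = file;
            target = "shorewall/${name}";
          })
        cfg.configs;
      systemPackages = [ cfg.package ];
    };
    */
  };
}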