]> Git — Sourcephile - sourcephile-nix.git/blob - install/overlays/tools/networking/shorewall6/service.nix
gpg: fix GNUPGHOME export
[sourcephile-nix.git] / install / overlays / tools / networking / shorewall6 / service.nix
1 { config, lib, pkgs, ... }:
2 let
3 types = lib.types;
4 cfg = config.services.shorewall6;
5 in {
6 options = {
7 services.shorewall6 = {
8 enable = lib.mkOption {
9 type = types.bool;
10 default = false;
11 description = ''
12 Whether to enable Shorewall Firewall.
13 *Warning*: Enabling this service WILL disable the existing NixOS
14 firewall! Default firewall rules provided by packages are not
15 considered at the moment.
16 '';
17 };
18 package = lib.mkOption {
19 type = types.package;
20 default = pkgs.shorewall6;
21 defaultText = "pkgs.shorewall6";
22 description = "The shorewall6 package to use.";
23 };
24 configs = lib.mkOption {
25 type = types.attrsOf types.str;
26 default = {};
27 description = ''
28 This option defines the Shorewall configs.
29 The attribute name defines the name of the config,
30 and the attribute value defines the content of the config.
31 '';
32 apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
33 };
34 };
35 };
36
37 config = lib.mkIf cfg.enable {
38 systemd.services.firewall.enable = false;
39 systemd.services.shorewall6 = {
40 description = "Shorewall IPv6 Firewall";
41 after = [ "ipset.target" ];
42 before = [ "network-pre.target" ];
43 wants = [ "network-pre.target" ];
44 wantedBy = [ "multi-user.target" ];
45 reloadIfChanged = true;
46 restartTriggers = lib.attrValues cfg.configs;
47 serviceConfig = {
48 Type = "oneshot";
49 RemainAfterExit = "yes";
50 ExecStart = "${cfg.package}/bin/shorewall6 start";
51 ExecReload = "${cfg.package}/bin/shorewall6 reload";
52 ExecStop = "${cfg.package}/bin/shorewall6 stop";
53 };
54 preStart = ''
55 install -D -d -m 750 /var/lib/shorewall6
56 install -D -d -m 755 /var/lock/subsys
57 touch /var/log/shorewall6.log
58 chown 750 /var/log/shorewall6.log
59 '';
60 };
61 environment = {
62 etc = lib.mapAttrsToList
63 (name: file:
64 { source = file;
65 target = "shorewall6/${name}";
66 })
67 cfg.configs;
68 systemPackages = [ cfg.package ];
69 };
70 };
71 }