default = "${config.networking.hostName}.${config.networking.domain}";
description = "Fully Qualified Domain Name of the machine.";
};
- networking.net = lib.mkOption {
- default = null;
- type = types.nullOr (types.submodule {
+ networking.zones = lib.mkOption {
+ type = types.attrsOf (types.submodule ({zone, ...}: {
options = {
iface = lib.mkOption {
type = types.str;
description = "Static IPv4 address of the machine.";
example = "1.2.3.4";
};
- };
- });
- };
- networking.lan = lib.mkOption {
- default = null;
- type = types.nullOr (types.submodule {
- options = {
- iface = lib.mkOption {
- type = types.str;
- description = "Interface name.";
- example = "eth0";
- };
- ipv4 = lib.mkOption {
+ ipv6 = lib.mkOption {
type = types.str;
- description = "Static IPv4 address of the machine.";
- example = "192.168.1.1";
+ description = "Static IPv6 address of the machine.";
+ example = "fe80::1";
};
};
- });
+ }));
};
};
config = {
- fqdn = "millogic.coop";
+ fqdn = "cologic.coop";
networking = {
- domain = "millogic.coop";
+ domain = "cologic.coop";
};
#fqdn = "machine1.logic.coop";
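Review bot: The submodule function on the `networking.zones` line is written `({zone, ...}: {`, but the module system calls a submodule function with `name`, `config`, `options` and `lib` (plus whatever is in `_module.args`), so evaluation should fail with "called without required argument 'zone'" unless `zone` is injected elsewhere; the body never uses it, so `types.attrsOf (types.submodule {` is sufficient, or `{name, ...}` if the zone key is needed. The hunk also replaces the `ipv4` option with `ipv6` while the rules file in this same change still reads `config.networking.zones.lan.ipv4`, so unless an `ipv4` option is declared outside the visible lines any `lan` zone will fail to evaluate; keep `ipv4` alongside `ipv6`. Finally the surviving `iface` option is documented as `description = "Static IPv4 address of the machine."` with example `1.2.3.4`, although it holds an interface name; restore `description = "Interface name."; example = "eth0";` from the removed `lan` block, and prefer a routable example over `fe80::1` for `ipv6`, since a link-local address is an odd value for a firewall zone.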
{pkgs, lib, config, ...}:
-let inherit (config.services) shorewall shorewall6;
- when = x: y: if x == null then "" else y;
+let inherit (builtins) hasAttr;
+ inherit (config.services) shorewall shorewall6;
+ unlines = lib.concatStringsSep "\n";
+ zones4 = config.networking.zones;
+ zones6 = config.networking.zones;
in
{
config = {
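Review bot: `zones4` and `zones6` are both bound to `config.networking.zones`, so the two names suggest separate IPv4 and IPv6 zone sets while in fact every zone is emitted into both the shorewall and shorewall6 files. If every zone is intentionally dual-stack, say so at the binding, e.g. `# every zone is dual-stack: zones6 deliberately aliases the same attrset as zones4`, so the next reader does not try to filter one of them; otherwise derive them with `lib.filterAttrs` on the zone definition. `pkgs` in the module arguments is not used in any visible hunk.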
zones = ''
# DOC: shorewall-zones(5)
fw firewall
- ${when config.networking.net "net ipv4"}
- ${when config.networking.lan "lan ipv4"}
- '';
+ '' + unlines (lib.mapAttrsToList (zone: _: "${zone} ipv4") zones4);
interfaces = ''
# DOC: shorewall-interfaces(5)
?FORMAT 2
- ${when config.networking.net "net ${config.networking.net.iface} arp_filter,nosmurfs,routefilter,tcpflags"}
- ${when config.networking.lan "lan ${config.networking.lan.iface} arp_filter,nosmurfs,routefilter,tcpflags"}
- '';
+ '' + unlines (lib.mapAttrsToList (zone: {iface, ...}:
+ "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4);
policy = ''
# DOC: shorewall-policy(5)
$FW all DROP
- ${when config.networking.net "net all DROP none"}
- ${when config.networking.lan "lan all DROP none"}
+ '' + unlines (lib.mapAttrsToList (zone: _:
+ "${zone} all DROP none") zones4)
+ + ''
# XXX: the following policy must be last
all all REJECT none
'';
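Review bot: In the `policy` file the per-zone lines from `unlines` are concatenated straight onto the `''` string that begins with `# XXX`, and Nix strips the newline that immediately follows an opening `''`, so with at least one zone the output contains `lan all DROP none# XXX: the following policy must be last` on one line. Shorewall accepts a trailing `#` comment, so this probably still parses, but the comment is silently swallowed and any non-comment line later appended at that point would corrupt the preceding policy entry. Add the separator explicitly, `'' + unlines (lib.mapAttrsToList (zone: _: "${zone} all DROP none") zones4) + "\n" + ''`, or make `unlines` newline-terminate every line (`lib.concatMapStrings (l: l + "\n")`), which would also give the `zones` and `interfaces` files a trailing newline.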
#SECTION RELATED
?SECTION NEW
''
- + when config.networking.lan ''
+ + lib.optionalString (hasAttr "lan" zones4) ''
# ----------
# $FW -> lan
# ----------
- ACCEPT $FW lan:${config.networking.lan.ipv4}/24
+ ACCEPT $FW lan:${config.networking.zones.lan.ipv4}/24
# ----------
# lan -> $FW
# ----------
- ACCEPT lan:${config.networking.lan.ipv4}/24 $FW
+ ACCEPT lan:${config.networking.zones.lan.ipv4}/24 $FW
''
- + when config.networking.net ''
+ + lib.optionalString (hasAttr "net" zones4) ''
# ----------
# $FW -> net
# ----------
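Review bot: `ACCEPT $FW lan:${config.networking.zones.lan.ipv4}/24` and its mirror rule read an `ipv4` attribute that the options change in this commit removes from the zone submodule in favour of `ipv6`, so once `lan` is defined these rules fail to evaluate unless `ipv4` is declared somewhere outside the visible lines; the lookups should also go through `zones4.lan.ipv4` to match the `hasAttr "lan" zones4` guard that enables them. The `/24` suffix is hard-coded onto a single host address, which trusts the whole surrounding /24 rather than the host that was configured; a prefix-length option on the zone (e.g. `ipv4PrefixLength`) would make the accepted range explicit and reviewable. The enclosing `rules` string starts before and continues past this hunk.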
zones = ''
# DOC: shorewall-zones(5)
fw firewall
- ${when config.networking.net "net ipv6"}
- ${when config.networking.lan "lan ipv6"}
- '';
+ '' + unlines (lib.mapAttrsToList (zone: _: "${zone} ipv6") zones6);
interfaces = ''
# DOC: shorewall-interfaces(5)
?FORMAT 2
- ${when config.networking.net "net ${config.networking.net.iface} nosmurfs,tcpflags"}
- ${when config.networking.lan "lan ${config.networking.lan.iface} nosmurfs,tcpflags"}
- '';
+ '' + unlines (lib.mapAttrsToList (zone: {iface, ...}:
+ "${zone} ${iface} nosmurfs,tcpflags") zones6);
policy = ''
# DOC: shorewall-policy(5)
$FW all DROP
- ${when config.networking.net "net all DROP none"}
- ${when config.networking.lan "lan all DROP none"}
+ '' + unlines (lib.mapAttrsToList (zone: _:
+ "${zone} all DROP none") zones6)
+ + ''
# XXX: the following policy must be last
all all REJECT none
'';
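Review bot: The shorewall6 `policy` fuses the last generated zone line with the `# XXX` comment, because `unlines` leaves no trailing newline and Nix drops the newline immediately after the opening `''` of the following string; with one zone the emitted text is `net all DROP none# XXX: the following policy must be last`. Insert the break explicitly, `... zones6) + "\n" + ''`, or have `unlines` terminate each line with a newline. Separately, `zones6` is the same attrset as the IPv4 zone set, so every zone is also declared as an `ipv6` zone, interface and DROP policy even when its link carries no IPv6; that is fine if all zones are meant to be dual-stack, but worth a one-line comment at the `zones6` binding.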
#SECTION RELATED
?SECTION NEW
''
- + when config.networking.lan ''
+ + lib.optionalString (hasAttr "lan" zones6) ''
# ----------
# $FW -> lan
# ----------