diff options
Diffstat (limited to 'system/firewall.nix')
-rw-r--r-- | system/firewall.nix | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/system/firewall.nix b/system/firewall.nix new file mode 100644 index 0000000..289f635 --- /dev/null +++ b/system/firewall.nix @@ -0,0 +1,52 @@ +{ config, lib, ... }: + +let + inherit (builtins) length toString replaceStrings; + inherit (lib) flatten concatMapStringsSep optionalString splitString mkOption; + inherit (lib.types) listOf int either submodule enum str; + + inherit (config.nixsap.system.firewall) whitelist; + + iptablesAllow = { dport, protocol, source, comment, ... }: + let + ports = concatMapStringsSep "," toString (flatten [dport]); + iptables = if 1 < length (splitString ":" source) + then "ip6tables" else "iptables"; + in "${iptables} -w -A nixos-fw -m multiport " + + "-p ${protocol} --dport ${ports} -s ${source} -j nixos-fw-accept" + + optionalString (comment != "") + " -m comment --comment '${replaceStrings ["'"] ["'\\''"] comment} '"; + +in { + options.nixsap.system.firewall.whitelist = mkOption { + description = "Inbound connection rules (whitelist)"; + default = []; + type = listOf (submodule { + options = { + dport = mkOption { + description = "Destination port or list of ports"; + type = either int (listOf int); + }; + source = mkOption { + description = "Source specification: a network IP address (with optional /mask)"; + type = str; + }; + protocol = mkOption { + description = "The network protocol"; + type = enum [ "tcp" "udp" ]; + default = "tcp"; + }; + comment = mkOption { + description = "Free-form comment"; + type = str; + default = ""; + }; + }; + }); + }; + + config = { + networking.firewall.extraCommands = + concatMapStringsSep "\n" iptablesAllow whitelist; + }; +} |