nixos/modules/firewall: Inherit networking.firewall.allowed*Ports

This commit is contained in:
Jack O'Sullivan 2022-02-17 17:08:25 +00:00
parent 21ce843a8f
commit 778f635542
2 changed files with 6 additions and 4 deletions


@ -122,7 +122,7 @@ in
};
openssh = {
enable = true;
enable = mkDefault true;
};
};
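Review bot: The new `enable = mkDefault true;` line records no reason for lowering sshd's enablement to an overridable default, so the next reader cannot tell whether opting out of sshd is intended or an accident; a comment such as `# mkDefault: a host may opt out of sshd; the firewall no longer opens "ssh" on its own` would capture the intent. Read together with the sibling change that drops `"ssh"` from the firewall's default TCP allow list, ssh reachability now appears to depend on the openssh module propagating its port into `networking.firewall.allowedTCPPorts` (presumably via its `openFirewall` option left at its default) rather than on this module, which is worth stating explicitly since a host that disables that propagation would keep sshd running but, as far as this ruleset is concerned, unreachable through the wan chain. The enclosing attribute set starts before the hunk.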


@ -10,7 +10,7 @@ in
enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";
trustedInterfaces = options.networking.firewall.trustedInterfaces;
tcp = {
allowed = mkOpt' (listOf (either port str)) [ "ssh" ] "TCP ports to open.";
allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";
};
udp = {
allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
@ -32,14 +32,16 @@ in
ruleset =
let
trusted' = "{ ${concatStringsSep ", " cfg.trustedInterfaces} }";
openTCP = cfg.tcp.allowed ++ config.networking.firewall.allowedTCPPorts;
openUDP = cfg.udp.allowed ++ config.networking.firewall.allowedUDPPorts;
in
''
table inet filter {
chain wan-tcp {
${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") cfg.tcp.allowed}
${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}
}
chain wan-udp {
${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") cfg.udp.allowed}
${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}
}
chain wan {