author | Igor Pashev <pashev.igor@gmail.com> | 2016-09-29 13:51:44 +0300 |
---|---|---|
committer | Igor Pashev <pashev.igor@gmail.com> | 2016-09-29 13:51:44 +0300 |
commit | 62f28d30a069135f9c48678507203958adfc334f (patch) | |
tree | 7f38af0c8d3f445ee8cc50906a639baec7011127 /modules/system/firewall.nix | |
parent | 1af9e6589bdd18e6ba7eeabf073aa7d710020cdd (diff) | |
download | nixsap-62f28d30a069135f9c48678507203958adfc334f.tar.gz |
Moved everything into ./modules
Diffstat (limited to 'modules/system/firewall.nix')
-rw-r--r-- | modules/system/firewall.nix | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/modules/system/firewall.nix b/modules/system/firewall.nix
new file mode 100644
index 0000000..289f635
--- /dev/null
+++ b/modules/system/firewall.nix
@@ -0,0 +1,52 @@
+{ config, lib, ... }:
+
+let
+  inherit (builtins) length toString replaceStrings;
+  inherit (lib) flatten concatMapStringsSep optionalString splitString mkOption;
+  inherit (lib.types) listOf int either submodule enum str;
+
+  inherit (config.nixsap.system.firewall) whitelist;
+
+  iptablesAllow = { dport, protocol, source, comment, ... }:
+    let
+      ports = concatMapStringsSep "," toString (flatten [dport]);
+      iptables = if 1 < length (splitString ":" source)
+                 then "ip6tables" else "iptables";
+    in "${iptables} -w -A nixos-fw -m multiport "
+ "-p ${protocol} --dport ${ports} -s ${source} -j nixos-fw-accept"
+ optionalString (comment != "")
+ " -m comment --comment '${replaceStrings ["'"] ["'\\''"] comment} '";
+
+in {
+  options.nixsap.system.firewall.whitelist = mkOption {
+    description = "Inbound connection rules (whitelist)";
+    default = [];
+    type = listOf (submodule {
+      options = {
+        dport = mkOption {
+          description = "Destination port or list of ports";
+          type = either int (listOf int);
+        };
+        source = mkOption {
+          description = "Source specification: a network IP address (with optional /mask)";
+          type = str;
+        };
+        protocol = mkOption {
+          description = "The network protocol";
+          type = enum [ "tcp" "udp" ];
+          default = "tcp";
+        };
+        comment = mkOption {
+          description = "Free-form comment";
+          type = str;
+          default = "";
+        };
+      };
+    });
+  };
+
+  config = {
+    networking.firewall.extraCommands =
+      concatMapStringsSep "\n" iptablesAllow whitelist;
+  };
+}
|
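Review bot: In `iptablesAllow`, `source` is interpolated into the iptables command line bare while `comment` is carefully single-quoted with the `'\''` escape, yet the `source` option is typed as plain `str`, so a value containing whitespace or shell metacharacters produces a malformed `extraCommands` line (or a rule other than the one intended) instead of an evaluation-time error. The whitelist comes from the evaluated NixOS configuration, so this is a robustness rather than an injection concern, but it still means a typo can silently leave a host less protected than the config reads; what NixOS does when an `extraCommands` line fails is not visible here and should be confirmed. The cheapest fix is to quote `source` the same way as `comment`: `"-p ${protocol} --dport ${ports} -s '${replaceStrings ["'"] ["'\\''"] source}' -j nixos-fw-accept"`; a stricter option type (a check that the string is an address with an optional `/mask`) would catch mistakes at evaluation time instead. The `source` description should also state that IPv6 is detected by the presence of `:` in the value and routes the rule to `ip6tables`, since that is the only thing that selects the table, e.g. `description = "Source IPv4 or IPv6 address (with optional /mask); an address containing ':' is installed via ip6tables";`.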