Diffstat (limited to 'config/networking/services/firewall/default.nix')
-rw-r--r--config/networking/services/firewall/default.nix42
1 files changed, 31 insertions, 11 deletions
diff --git a/config/networking/services/firewall/default.nix b/config/networking/services/firewall/default.nix
index 878e7cc..b76174a 100644
--- a/config/networking/services/firewall/default.nix
+++ b/config/networking/services/firewall/default.nix
@@ -1,7 +1,7 @@
{ config, lib, ... }:
let
- # { any } -> (string -> any -> [ string ]) -> string
+ # { any } -> (string -> any -> string) -> string
mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs);
bracket = title: content:
''
@@ -15,16 +15,36 @@ in {
networking = {
nftables = {
enable = true;
- ruleset = mapAttrsStrings
- (import ./ruleset.nix config.personal.networking.networks)
- (family: tables:
- mapAttrsStrings tables (tableName: chains:
- bracket "table ${family} ${tableName}" (mapAttrsStrings chains
- (chainName: chain:
- bracket "chain ${chainName}" (lib.optionalString (chain ? base)
- (with chain.base; ''
- type ${type} hook ${hook} priority ${priority}; policy ${policy};
- '') + chain.rules)))));
+ ruleset = mapAttrsStrings (import ./ruleset.nix {
+ inherit lib;
+ nets = config.personal.networking.networks;
+ }) (family: tables:
+ mapAttrsStrings tables (tableName:
+ { flowtables, chains, ... }:
+ bracket "table ${family} ${tableName}" (
+ mapAttrsStrings flowtables
+ (flowtableName: flowtable:
+ bracket "flowtable ${flowtableName}" (with flowtable;
+ ''
+ hook ${hook} priority ${priority}; devices = { ${
+ lib.concatStringsSep ", " devices
+ } };
+ '' + lib.optionalString offload ''
+ flags offload;
+ ''
+ )
+ )
+ + mapAttrsStrings chains (chainName: chain:
+ bracket "chain ${chainName}" (
+ lib.optionalString (chain ? base) (with chain.base; ''
+ type ${type} hook ${hook} priority ${priority}; policy ${policy};
+ '')
+ + chain.rules
+ )
+ )
+ )
+ )
+ );
};
firewall.enable = lib.mkForce false;
};
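Review bot: The destructuring pattern `{ flowtables, chains, ... }:` on the table function makes `flowtables` a required attribute of every table that ruleset.nix returns, so a table that only defines chains now aborts evaluation with a missing-attribute error instead of yielding a chain-only table; `{ flowtables ? { }, chains ? { }, ... }:` keeps such tables working. The same applies to `offload` under `with flowtable;` — `lib.optionalString offload` fails when a flowtable omits it, whereas `lib.optionalString (flowtable.offload or false)` treats an absent attribute as off. `${priority}` and `${hook}` also assume string values; if ruleset.nix ever supplies an integer priority, interpolation fails, and `${toString priority}` accepts both forms. Failing at evaluation is at least fail-closed for a firewall (the build stops rather than deploying a partial ruleset), but these defaults would make the contract with ruleset.nix explicit; a short comment above the table function stating which attributes are required would help too. The flowtables-before-chains emission order looks deliberate, presumably because chain rules may refer to a flowtable by name — worth a one-line comment so it is not reordered later.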