From 491c4bf6b4596b486b12724e9124a854cc7abc26 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sun, 29 Sep 2024 19:56:08 +0200
Subject: migrate hostapd config
---
 config/networking/services/firewall/default.nix | 80 +++++++++++++++----------
 1 file changed, 47 insertions(+), 33 deletions(-)
(limited to 'config/networking/services/firewall/default.nix')
diff --git a/config/networking/services/firewall/default.nix b/config/networking/services/firewall/default.nix
index d7a541f..1054a39 100644
--- a/config/networking/services/firewall/default.nix
+++ b/config/networking/services/firewall/default.nix
@@ -1,51 +1,65 @@ -{ config, lib, ... }: - -let +{ + config, + lib, + ... +}: let # { any } -> (string -> any -> string) -> string mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs); bracket = title: content: '' ${title} { - '' + content + '' + '' + + content + + '' } ''; in { - boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; + boot.kernel.sysctl = {"net.ipv4.conf.all.forwarding" = true;}; networking = { nftables = { enable = true; checkRuleset = false; - ruleset = mapAttrsStrings (import ./ruleset.nix { - inherit lib; - nets = config.personal.networking.networks; - }) (family: tables: - mapAttrsStrings tables (tableName: - { flowtables, chains, ... }: - bracket "table ${family} ${tableName}" ( - mapAttrsStrings flowtables - (flowtableName: flowtable: - bracket "flowtable ${flowtableName}" (with flowtable; - '' - hook ${hook} priority ${priority}; devices = { ${ - lib.concatStringsSep ", " devices - } }; - '' + lib.optionalString offload '' - flags offload; - '' - ) - ) - + mapAttrsStrings chains (chainName: chain: - bracket "chain ${chainName}" ( - lib.optionalString (chain ? base) (with chain.base; '' - type ${type} hook ${hook} priority ${priority}; policy ${policy}; - '') - + chain.rules + ruleset = + mapAttrsStrings (import ./ruleset.nix { + inherit lib; + inherit (config.personal.networking) interfaces; + }) ( + family: tables: + mapAttrsStrings tables ( + tableName: { + flowtables, + chains, + ... + }: + bracket "table ${family} ${tableName}" ( + mapAttrsStrings flowtables + ( + flowtableName: flowtable: + bracket "flowtable ${flowtableName}" ( + with flowtable; + '' + hook ${hook} priority ${priority}; devices = { ${ + lib.concatStringsSep ", " devices + } }; + '' + + lib.optionalString offload '' + flags offload; + '' + ) ) + + mapAttrsStrings chains ( + chainName: chain: + bracket "chain ${chainName}" ( + lib.optionalString (chain ? 
base) (with chain.base; '' + type ${type} hook ${hook} priority ${priority}; policy ${policy}; + '') + + chain.rules + ) + ) + ) ) - ) - ) - ); + ); }; firewall.enable = lib.mkForce false; }; -- cgit v1.2.3
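Review bot: The argument passed to `./ruleset.nix` changes from `nets = config.personal.networking.networks;` to `inherit (config.personal.networking) interfaces;`, so that module must now accept an `interfaces` attribute; this view is limited to default.nix, so I cannot confirm ruleset.nix was updated in the same commit. The kept context line `checkRuleset = false;` just above means a rendering or evaluation mistake in the generated ruleset is not caught at build time and surfaces only when nft loads it at activation, and with `firewall.enable = lib.mkForce false;` on the last line that would leave the host with the previously loaded ruleset or none at all on first boot. Prefer `checkRuleset = true;`, or if it must stay off (presumably because the flowtable `devices = { … }` lines name real interfaces the check sandbox lacks), state the reason in a comment such as `# checkRuleset off: flowtable devices reference real interfaces — validate the ruleset on the target host`.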