{ config, lib, ... }:

# Renders the declarative tables/flowtables/chains from ./ruleset.nix into nft
# syntax. Because networking.firewall is forced off at the bottom of this
# module, the ruleset generated here is the host's only packet filter.
let
  # { any } -> (string -> any -> string) -> string
  # Render every attribute with f and join the pieces with no separator.
  # Nix iterates attribute sets in attribute-name order, so tables, flowtables
  # and chains are emitted sorted by name; rule order is only significant
  # inside a chain, and each chain's rules arrive as a single string below.
  mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs);
  # Wrap content in an nft block: "<title> {" ... "}". The '' strings are
  # indented strings, so Nix strips their common leading whitespace; do not
  # expect the built ruleset to be indented like this source.
  bracket = title: content:
    ''
      ${title} {
    '' + content + ''
      }
    '';
in {
  # Enables IPv4 forwarding on every interface: this host routes between the
  # networks in config.personal.networking.networks, so whatever forward-hook
  # chains ./ruleset.nix defines are the only control on traffic crossing
  # them. IPv6 forwarding is not enabled here.
  boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };

  networking = {
    nftables = {
      enable = true;
      # Skips the build-time syntax check of the generated ruleset, so an
      # error in ./ruleset.nix only surfaces when the nftables unit loads it
      # on the live system. Presumably disabled because the flowtable
      # `devices` below name interfaces that do not exist in the build
      # sandbox — TODO confirm, and run `nft -c -f` on the built ruleset
      # manually when changing ./ruleset.nix.
      checkRuleset = false;
      # ./ruleset.nix is expected to evaluate to
      #   { <family> = { <tableName> = { flowtables; chains; ... }; }; }
      # Both `flowtables` and `chains` are required per table (the pattern
      # has no defaults); pass {} when a table has none.
      ruleset = mapAttrsStrings (import ./ruleset.nix {
        inherit lib;
        nets = config.personal.networking.networks;
      }) (family: tables:
        mapAttrsStrings tables (tableName:
          { flowtables, chains, ... }:
          bracket "table ${family} ${tableName}" (
            # Each flowtable needs hook, priority, devices (list of interface
            # names) and a boolean offload; all are interpolated verbatim.
            mapAttrsStrings flowtables
              (flowtableName: flowtable:
                bracket "flowtable ${flowtableName}" (with flowtable;
                  ''
                    hook ${hook} priority ${priority}; devices = { ${
                      lib.concatStringsSep ", " devices
                    } };
                  '' + lib.optionalString offload ''
                    flags offload;
                  ''
                )
              )
            # A chain with a `base` attribute becomes a base chain (hooked into
            # the packet path with its own policy); without it, a regular chain
            # that is only reached via jump/goto. `rules` is emitted as-is.
            + mapAttrsStrings chains (chainName: chain:
                  bracket "chain ${chainName}" (
                    lib.optionalString (chain ? base) (with chain.base; ''
                      type ${type} hook ${hook} priority ${priority}; policy ${policy};
                    '')
                    + chain.rules
                  )
            )
          )
        )
      );
    };
    # Turn off the iptables-based NixOS firewall so it cannot coexist with,
    # or silently take precedence over, the nftables ruleset above. mkForce
    # overrides any other module that enables it.
    firewall.enable = lib.mkForce false;
  };
}