move iptables.nix to krebs

lassulus 2015-10-01 22:10:21 +02:00
parent e8a17e7e9c
commit 1078d1a8a3
2 changed files with 19 additions and 19 deletions


@ -11,6 +11,7 @@ let
./exim-smarthost.nix ./exim-smarthost.nix
./github-hosts-sync.nix ./github-hosts-sync.nix
./git.nix ./git.nix
./iptables.nix
./nginx.nix ./nginx.nix
./Reaktor.nix ./Reaktor.nix
./retiolum.nix ./retiolum.nix


@ -3,6 +3,10 @@ arg@{ config, lib, pkgs, ... }:
let let
inherit (pkgs) writeScript writeText; inherit (pkgs) writeScript writeText;
inherit (builtins)
elem
;
inherit (lib) inherit (lib)
concatMapStringsSep concatMapStringsSep
concatStringsSep concatStringsSep
@ -20,15 +24,13 @@ let
mkOption mkOption
mkIf mkIf
types types
sort; sort
;
elemIsIn = a: as: cfg = config.krebs.iptables;
any (x: x == a) as;
cfg = config.lass.iptables;
out = { out = {
options.lass.iptables = api; options.krebs.iptables = api;
config = mkIf cfg.enable imp; config = mkIf cfg.enable imp;
}; };
@ -74,8 +76,8 @@ let
imp = { imp = {
networking.firewall.enable = false; networking.firewall.enable = false;
systemd.services.lass-iptables = { systemd.services.krebs-iptables = {
description = "lass-iptables"; description = "krebs-iptables";
wantedBy = [ "network-pre.target" ]; wantedBy = [ "network-pre.target" ];
before = [ "network-pre.target" ]; before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ]; after = [ "systemd-modules-load.service" ];
@ -90,7 +92,7 @@ let
Type = "simple"; Type = "simple";
RemainAfterExit = true; RemainAfterExit = true;
Restart = "always"; Restart = "always";
ExecStart = "@${startScript} lass-iptables_start"; ExecStart = "@${startScript} krebs-iptables_start";
}; };
}; };
}; };
@ -110,13 +112,10 @@ let
in in
#TODO: double check should be unneccessary, refactor! #TODO: double check should be unneccessary, refactor!
if (hasAttr "rules" ts."${tn}"."${cn}") then if ts.${tn}.${cn}.rules or null != null then
if (ts."${tn}"."${cn}".rules == null) then concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
"" ++ map (buildRule tn cn) sortedRules
else )
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
++ map (buildRule tn cn) sortedRules
)
else else
"" ""
; ;
@ -124,7 +123,7 @@ let
buildRule = tn: cn: rule: buildRule = tn: cn: rule:
#target validation test: #target validation test:
assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
#predicate validation test: #predicate validation test:
#maybe use iptables-test #maybe use iptables-test
@ -171,11 +170,11 @@ let
tables = tables-defaults // cfg.tables; tables = tables-defaults // cfg.tables;
in in
writeText "lass-iptables-rules${toString iptables-version}" '' writeText "krebs-iptables-rules${toString iptables-version}" ''
${buildTables iptables-version tables} ${buildTables iptables-version tables}
''; '';
startScript = writeScript "lass-iptables_start" '' startScript = writeScript "krebs-iptables_start" ''
#! /bin/sh #! /bin/sh
set -euf set -euf
iptables-restore < ${rules4 4} iptables-restore < ${rules4 4}