tmnp: save current state

2023-01-15 15:10:40 +00:00 · 2023-01-15 15:10:40 +00:00 · 53aff5987f
commit 53aff5987f
parent c819214902
4 changed files with 50 additions and 9 deletions
--- a/applications/firewall.nix
+++ b/applications/firewall.nix
@ -1,17 +1,25 @@
-{lib, config, ...}:{
+{lib, pkgs, config, ...}: {

  # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
  options = {
-    firewall_forward = lib.mkOption {
-      default = [ ];
-      type = lib.types.listOf lib.types.str;
-      description = ''
-        A list of routes to forward
-      '';
+    skynet_firewall = {
+      enable = lib.mkEnableOption {
+        default = false;
+        example = true;
+        description = "Skynet Firewall";
+        type = lib.types.bool;
+      };
+      forward = lib.mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.str;
+        description = ''
+          A list of routes to forward
+        '';
+      };
    };
  };

-  config = {
+  config = lib.mkIf config.skynet_firewall.enable {
    # disable default firewall to enable nftables
    networking.firewall.enable = false;
    networking.nftables.enable = true;
@ -61,7 +69,7 @@
          # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept

          # can basically make each machiene responsibile for their own forwarding (in config at least)
-          ${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward}
+          ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}

          counter packets 0 bytes 0 reject with icmp type admin-prohibited
        }