diff --git a/applications/firewall.nix b/applications/firewall.nix
index 3bfdc63..45a2bde 100644
--- a/applications/firewall.nix
+++ b/applications/firewall.nix
@@ -16,14 +16,6 @@
 A list of routes to forward
 '';
 };
- # need to seperate it out as to not cause infinite loops
- forward_parsed = lib.mkOption {
- default = "";
- type = lib.types.str;
- description = ''
- A list of routes to forward joined as a single string
- '';
- };
 };
 };
@@ -77,7 +69,7 @@
 # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
 # can basically make each machiene responsibile for their own forwarding (in config at least)
- ${config.skynet_firewall.forward_parsed}
+ ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}
 counter packets 0 bytes 0 reject with icmp type admin-prohibited
 }
diff --git a/machines/test01.nix b/machines/test01.nix
index 72ec209..179e441 100644
--- a/machines/test01.nix
+++ b/machines/test01.nix
@@ -15,15 +15,16 @@
 enable = true;
 # gonna have to get all the
- forward_parsed =
- # merge together with a newline char
- lib.strings.concatMapStrings (x: x + "\n") (
- # merge the lists together
- builtins.concatLists (
- # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
- lib.attrsets.mapAttrsToList (key: value: value.config.skynet_firewall.forward) nodes
- )
- );
+ forward = builtins.concatLists (
+ # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
+ lib.attrsets.mapAttrsToList (key: value:
+ # make sure that anything running this firewall dosent count (recursion otherewise)
+ # firewall may want to open ports in itself but can deal with that later
+ if value.config.skynet_firewall.enable
+ then []
+ else value.config.skynet_firewall.forward
+ ) nodes
+ );
 };
 }
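Review bot: The new interpolation `${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}` splices every element of the list verbatim into the ruleset, directly ahead of the final `counter packets 0 bytes 0 reject` line, and no validation of the elements is visible in this hunk, so a malformed or overly broad entry contributed by any node becomes a live rule on the firewall host and a syntax slip in one entry fails the whole ruleset. The option's element type is not shown here; if it is a plain string list, a constrained type (for example `lib.types.strMatching` with a rule-shaped pattern) would catch bad entries at evaluation time rather than at nft load. At minimum a comment above the interpolation such as `# each forward entry is emitted verbatim as an nftables rule, ahead of the default reject` would tell contributors what they are writing into. The chain this sits in opens outside the hunk.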
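Review bot: The guard `if value.config.skynet_firewall.enable then [] else value.config.skynet_firewall.forward` drops every node that enables the firewall module, not only this host, while the comment above it only describes the self-referential case. That is probably the intended trade-off — if a second firewall host aggregated `forward` the same way, reading its list from here would refer back into this one — so the comment should state it, e.g. `# skip every node running this module, itself included: another firewall's aggregated list would refer back to ours`. The added comments also carry typos (`dosent`, `otherewise`, `ointo`) worth fixing while here. The `skynet_firewall` attribute set this lives in starts outside the hunk.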