feat: can let each machiene add teh forwards it needs
This commit is contained in:
parent
a07bc6774c
commit
c819214902
1 changed files with 73 additions and 55 deletions
|
|
@ -1,5 +1,18 @@
|
|||
{
|
||||
{lib, config, ...}:{
|
||||
|
||||
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
|
||||
options = {
|
||||
firewall_forward = lib.mkOption {
|
||||
default = [ ];
|
||||
type = lib.types.listOf lib.types.str;
|
||||
description = ''
|
||||
A list of routes to forward
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
# disable default firewall to enable nftables
|
||||
networking.firewall.enable = false;
|
||||
networking.nftables.enable = true;
|
||||
|
||||
|
|
@ -47,6 +60,9 @@
|
|||
# accept these ip/ports
|
||||
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
|
||||
|
||||
# can basically make each machiene responsibile for their own forwarding (in config at least)
|
||||
${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward}
|
||||
|
||||
counter packets 0 bytes 0 reject with icmp type admin-prohibited
|
||||
}
|
||||
|
||||
|
|
@ -69,5 +85,7 @@
|
|||
}
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue