path: root/hosts/arrakis/default.nix
authorMark Nipper <nipsy@bitgnome.net>2024-10-14 22:22:34 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-10-14 22:22:34 -0700
commitc9ecee17d441d0b06a6d5069c4973868a40d6402 (patch)
tree081d1166b3704ec62a74f598d3b89b9e34996175 /hosts/arrakis/default.nix
parentb68b70354d419cfc86a70cd9366c419ad510f057 (diff)
Handle nftables reload better
Diffstat (limited to 'hosts/arrakis/default.nix')
-rw-r--r--hosts/arrakis/default.nix35
1 files changed, 18 insertions, 17 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index dae348c..1bb0c32 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -258,9 +258,7 @@
wantedBy = [ "multi-user.target" ];
};
- "nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
+ "nftables-extra" = let rules_script = ''
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
@@ -273,20 +271,23 @@
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
- };
- unitConfig = {
- ConditionPathExists = [
- config.sops.secrets."nftables/ssh".path
- ];
- ReloadPropagatedFrom = "nftables.service";
- };
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/ssh".path
+ ];
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
};
"prowlarr" = {
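Review bot: `reload = rules_script;` reuses a script built from `nft insert rule` and `nft -f`, which is not idempotent, so the reload path is only correct when something has already removed the previous copies of these rules; a reload that is not preceded by a flush of the `nixos-fw` table (for instance `systemctl reload nftables-extra` run directly rather than propagated from `nftables.service`) appears to leave each accept rule present twice, which makes `nft list ruleset` harder to audit and the per-rule counters misleading. If the intent is that reloads only ever arrive via `ReloadPropagatedFrom`, that assumption should be stated next to the binding, e.g. `# reload re-runs the inserts verbatim; only correct after nftables.service has rebuilt nixos-fw — a direct reload duplicates every rule`. A more robust shape would keep these rules in a dedicated chain that the script flushes and recreates before inserting, so both the start and reload paths converge on the same ruleset regardless of what ran before. Whether the NixOS nftables reload flushes the table first is not visible in this hunk, so please confirm that before relying on it.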