diff options
| author | Mark Nipper <nipsy@bitgnome.net> | 2024-06-12 01:30:57 -0700 |
|---|---|---|
| committer | Mark Nipper <nipsy@bitgnome.net> | 2024-06-12 01:30:57 -0700 |
| commit | 5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4 (patch) | |
| tree | 1eca87595c1e1b760415d107f8b9dbeec651f259 /hosts/darkstar | |
| parent | d34e5a08e3fdc5f2247a41c42ed7c30988f2b89c (diff) | |
| download | nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.tar nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.tar.gz nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.tar.bz2 nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.tar.lz nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.tar.xz nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.tar.zst nix-5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4.zip | |
Fix extra nftables rules
Diffstat (limited to 'hosts/darkstar')
| -rw-r--r-- | hosts/darkstar/default.nix | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix index 1299eae..2aa6480 100644 --- a/hosts/darkstar/default.nix +++ b/hosts/darkstar/default.nix @@ -59,12 +59,7 @@ # externalInterface = "vlan201"; # internalInterfaces = [ "enp116s0" ]; #}; - nftables = { - enable = true; - preCheckRuleset = '' - ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} - ''; - }; + nftables.enable = true; #useDHCP = false; vlans = { vlan201 = { id=201; interface="enp117s0"; }; @@ -93,4 +88,27 @@ }; system.stateVersion = "23.11"; + + systemd.services."nftables-extra" = { + description = "nftables extra firewall rules"; + enable = true; + script = '' + ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} + ''; + serviceConfig = { + ExecStart = + RemainAfterExit = true; + Type = "oneshot"; + }; + unitConfig = { + ConditionPathExists = config.sops.secrets."nftables/ssh".path; + }; + }; + systemd.paths."nftables-ssh" = { + enable = true; + pathConfig = { + PathExists = config.sops.secrets."nftables/ssh".path; + Unit = "nftables-extra.service"; + }; + }; } |