author | Mark Nipper <nipsy@bitgnome.net> | 2024-10-14 22:30:38 -0700 |
---|---|---|
committer | Mark Nipper <nipsy@bitgnome.net> | 2024-10-14 22:30:38 -0700 |
commit | afa9823c9a038d434a0bad1b3f5208b49bd2614c (patch) | |
tree | 11388d8a16a8bdc27cc87380f0d11e5e3d31d2f6 /hosts | |
parent | c9ecee17d441d0b06a6d5069c4973868a40d6402 (diff) | |
Handle nftables reload better
Diffstat (limited to '')
-rw-r--r-- | hosts/darkstar/default.nix | 38 | ||||
-rw-r--r-- | hosts/ginaz/default.nix | 32 |
2 files changed, 37 insertions, 33 deletions
diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 0368377..7eb3c62 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -102,9 +102,7 @@ system.stateVersion = "23.11";
- systemd.services."nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
+ systemd.services."nftables-extra" = let rules_script = ''
${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ''${handle}; done
if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi
if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi
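Review bot: The cleanup that makes rules_script safe to re-run finds the anveo rules by substring-grepping `nft -a list chain inet nixos-fw input` for `@anveo` and parsing `handle N` out of the listing, so it depends on nft's output format and would also delete any future rule that merely mentions a set whose name contains `anveo`. A dedicated chain (`add chain inet nixos-fw anveo`, jumped to from input, with `${pkgs.nftables}/bin/nft flush chain inet nixos-fw anveo 2>/dev/null || true` at the top of rules_script) gives the same idempotence without parsing. Note also that the pipeline runs without `pipefail`, so a failing `nft -a list` (for example the table not existing yet) is silently treated as "nothing to delete"; that is only harmless if the re-creation steps that follow fail loudly, which I cannot see from this hunk. The `let rules_script = ''` binding opened here is closed in the next hunk.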
@@ -114,22 +112,26 @@ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo accept'
${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path}
${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
- };
- unitConfig = {
- ConditionPathExists = [
- config.sops.secrets."nftables/forward".path
- config.sops.secrets."nftables/ssh".path
- ];
- ReloadPropagatedFrom = "nftables.service";
- };
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
};
+
systemd.paths."nftables-extra" = {
pathConfig = {
PathExists = [
diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index cac2a8d..f35e36b 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
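Review bot: With `reload = rules_script;` a standalone `systemctl reload nftables-extra` re-applies `nft -f` on the forward and ssh secret files on top of whatever they added last time, because the only cleanup in rules_script covers the anveo rules, set and ct helper, not the contents of those two files. If the files use plain `add rule` statements (not visible here), every such reload appends duplicates, and more importantly an address removed from the ssh allow-list keeps being accepted until nftables.service itself is reloaded or restarted, since only the propagated path starts from a freshly rebuilt table. Either have each secret file own a chain it flushes first, or make the standalone reload equivalent to the propagated one by prefixing rules_script with a `${pkgs.nftables}/bin/nft flush chain inet nixos-fw <chain>` line for each chain those files populate. The propagated reload running after nftables' own reload rests on `after = [ "nftables.service" ]` ordering reload jobs as well as start jobs; worth confirming once via `journalctl -u nftables-extra` after a `systemctl reload nftables`.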
@@ -58,23 +58,25 @@ system.stateVersion = "23.11";
- systemd.services."nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
+ systemd.services."nftables-extra" = let rules_script = ''
${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
- };
- unitConfig = {
- ConditionPathExists = config.sops.secrets."nftables/ssh".path;
- ReloadPropagatedFrom = "nftables.service";
- };
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
};
+
systemd.paths."nftables-extra" = {
pathConfig = {
PathExists = config.sops.secrets."nftables/ssh".path; |
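Review bot: rules_script on this host is a single `nft -f` of the ssh secret with no cleanup step at all, so `reload` is idempotent only when it runs after nftables.service has rebuilt the table; a manual `systemctl reload nftables-extra` re-adds whatever the file adds, and an entry deleted from the secret is not revoked until nftables.service is reloaded. Since the unit body is just `nft -f`, the idempotence has to live in the secret file itself: have it declare its own chain and begin with `flush chain inet nixos-fw <chain>` ahead of its rules, assuming it currently uses plain `add rule` statements, which I cannot see from here. A one-line comment above `reload = rules_script;` such as `# reload re-runs the same nft -f; the secret must flush its own chain to be re-applicable` would record that contract for whoever edits the secret next.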