Diffstat (limited to '')
-rw-r--r-- | hosts/darkstar/default.nix | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 1299eae..2aa6480 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -59,12 +59,7 @@
   # externalInterface = "vlan201";
   # internalInterfaces = [ "enp116s0" ];
   #};
-  nftables = {
-    enable = true;
-    preCheckRuleset = ''
-      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
-    '';
-  };
+  nftables.enable = true;
   #useDHCP = false;
   vlans = {
     vlan201 = { id=201; interface="enp117s0"; };
@@ -93,4 +88,27 @@
   };
   system.stateVersion = "23.11";
+
+  systemd.services."nftables-extra" = {
+    description = "nftables extra firewall rules";
+    enable = true;
+    script = ''
+      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+    '';
+    serviceConfig = {
+      ExecStart =
+      RemainAfterExit = true;
+      Type = "oneshot";
+    };
+    unitConfig = {
+      ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+    };
+  };
+  systemd.paths."nftables-ssh" = {
+    enable = true;
+    pathConfig = {
+      PathExists = config.sops.secrets."nftables/ssh".path;
+      Unit = "nftables-extra.service";
+    };
+  };
 
 }
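Review bot: The `ExecStart =` line inside `serviceConfig` of the new `systemd.services."nftables-extra"` has no right-hand side, so the expression does not parse, and even with a value it would duplicate the `script` attribute that already generates ExecStart; delete that line, `ExecStart =`. The new `systemd.paths."nftables-ssh"` unit has no `wantedBy`, so nothing pulls it in at boot and the secret SSH rules are never loaded unless the unit is started by hand; add `wantedBy = [ "multi-user.target" ];` to the path unit. The service also has no ordering against `nftables.service`, so if the main ruleset is (re)applied after this unit ran, the extra rules can be dropped; consider `after = [ "nftables.service" ]; partOf = [ "nftables.service" ];` on the service so it re-runs whenever the base firewall is reloaded. The enclosing top-level attribute set starts outside the hunk.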