From c9ecee17d441d0b06a6d5069c4973868a40d6402 Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Mon, 14 Oct 2024 22:22:34 -0700
Subject: Handle nftables reload better

---
 hosts/arrakis/default.nix | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index dae348c..1bb0c32 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -258,9 +258,7 @@
 wantedBy = [ "multi-user.target" ];
 };
- "nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
+ "nftables-extra" = let rules_script = ''
 ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
 ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
 ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
@@ -273,20 +271,23 @@
 ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
 ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
 ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
- };
- unitConfig = {
- ConditionPathExists = [
- config.sops.secrets."nftables/ssh".path
- ];
- ReloadPropagatedFrom = "nftables.service";
- };
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/ssh".path
+ ];
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
 };
 "prowlarr" = {
--
cgit v1.2.3
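Review bot: Using the same `rules_script` for `reload` re-runs every `nft insert rule` line, and nft's `insert` does not deduplicate, so a reload of this unit on its own (`systemctl reload nftables-extra`, rather than one propagated from nftables.service) appends a second copy of each accept rule to the `input` chain, and the trailing `nft -f` of the sops secret presumably does the same for whatever that file adds. The script is only safe to re-run if nftables.service has just rebuilt the `nixos-fw` table, which is what `ReloadPropagatedFrom` seems to rely on but nothing in the unit enforces. An idempotent form would place these rules in a dedicated chain that the script flushes before repopulating (`nft add chain` / `nft flush chain inet nixos-fw <extra-chain>` at the top, `add rule ... <extra-chain>` instead of `insert rule ... input`) and reach it from `input` with one jump rule, so start and reload can share the script without rule growth; that rewrite touches every rule line and is left as a description here. Short of that, a comment above `reload = rules_script;` such as `# reload re-runs the inserts; only idempotent when nftables.service has just rebuilt nixos-fw` would record the constraint. The `let` binding this hunk closes is opened in the previous hunk.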