From afa9823c9a038d434a0bad1b3f5208b49bd2614c Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Mon, 14 Oct 2024 22:30:38 -0700
Subject: Handle nftables reload better

---
 hosts/ginaz/default.nix | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

(limited to 'hosts/ginaz')

diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index cac2a8d..f35e36b 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
@@ -58,23 +58,25 @@
   system.stateVersion = "23.11";
-  systemd.services."nftables-extra" = {
-    description = "nftables extra firewall rules";
-    script = ''
+  systemd.services."nftables-extra" = let rules_script = ''
       ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
-    '';
-    serviceConfig = {
-      RemainAfterExit = true;
-      Type = "oneshot";
-    };
-    unitConfig = {
-      ConditionPathExists = config.sops.secrets."nftables/ssh".path;
-      ReloadPropagatedFrom = "nftables.service";
-    };
-    wantedBy = [ "multi-user.target" ];
-    after = [ "nftables.service" ];
-    partOf = [ "nftables.service" ];
+  ''; in {
+    description = "nftables extra firewall rules";
+    reload = rules_script;
+    script = rules_script;
+    serviceConfig = {
+      RemainAfterExit = true;
+      Type = "oneshot";
+    };
+    unitConfig = {
+      ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+      ReloadPropagatedFrom = "nftables.service";
+    };
+    wantedBy = [ "multi-user.target" ];
+    after = [ "nftables.service" ];
+    partOf = [ "nftables.service" ];
   };
+
   systemd.paths."nftables-extra" = {
     pathConfig = {
       PathExists = config.sops.secrets."nftables/ssh".path;
-- 
cgit v1.2.3
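Review bot: `reload = rules_script;` re-runs the same `nft -f` against the secret rules file, which only behaves as a reload if that file is self-contained and idempotent (declares its own table and flushes or deletes it before adding rules); otherwise a direct `systemctl reload nftables-extra`, where nothing has flushed the ruleset first, appends a second copy of every rule. The reload propagated from nftables.service is presumably fine because that unit's reload rebuilds the ruleset first and `after = [ "nftables.service" ]` orders the two reload jobs, but the unit should say so, e.g. a comment above `reload = rules_script;`: `# Re-applied on reload of nftables.service (ReloadPropagatedFrom); the rules file must flush its own table first so a standalone reload does not duplicate rules.` Note also that `ConditionPathExists` gates only the start, not the reload: if the secret is missing or unreadable at reload time the `nft -f` simply fails and the host is left without these rules after the main ruleset was rebuilt, and whether that is fail-open or fail-closed depends on the base policy, which is not visible here. The `systemd.paths."nftables-extra"` definition at the end of the hunk continues outside it.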