From 5348c6a4e550dd5c67b86ffb4d4d08343e1fcac4 Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Wed, 12 Jun 2024 01:30:57 -0700
Subject: Fix extra nftables rules

---
 hosts/darkstar/default.nix | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

(limited to 'hosts')

diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 1299eae..2aa6480 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -59,12 +59,7 @@
 # externalInterface = "vlan201";
 # internalInterfaces = [ "enp116s0" ];
 #};
- nftables = {
- enable = true;
- preCheckRuleset = ''
- ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- };
+ nftables.enable = true;
 #useDHCP = false;
 vlans = {
 vlan201 = { id=201; interface="enp117s0"; };
@@ -93,4 +88,27 @@
 };
 
 system.stateVersion = "23.11";
+
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ enable = true;
+ script = ''
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ ExecStart =
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ };
+ systemd.paths."nftables-ssh" = {
+ enable = true;
+ pathConfig = {
+ PathExists = config.sops.secrets."nftables/ssh".path;
+ Unit = "nftables-extra.service";
+ };
+ };
 }
--
cgit v1.2.3
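Review bot: The added `serviceConfig` contains a dangling binding `ExecStart =` with no right-hand side immediately before `RemainAfterExit = true;`, which is a Nix parse error, so this host configuration will not evaluate at all; and even with a value it would collide with the `ExecStart` that the `script` attribute already generates, so the line should simply be deleted. Beyond that, the new service has no ordering against `nftables.service`: the NixOS nftables module appears to flush the whole ruleset when that unit starts, so if `nftables-extra` runs first (or `nftables.service` is later restarted) the SSH rules loaded from the sops secret are silently dropped, and because the unit is `RemainAfterExit` the path unit will not re-run it while the secret file still exists. Adding `after = [ "nftables.service" ];`, `partOf = [ "nftables.service" ];` and `wantedBy = [ "nftables.service" ];` ties the secret rules to the main firewall's lifecycle. Finally, `systemd.paths."nftables-ssh"` sets no `wantedBy`, so unless something outside this hunk pulls it in, the path unit is never activated at boot; `wantedBy = [ "multi-user.target" ];` (or dropping the path unit once the service is wanted by nftables.service) fixes that. I cannot see nftables.service's definition from here, so please confirm the flush-on-start behaviour against the module version in use.
```nix
  systemd.services."nftables-extra" = {
    description = "nftables extra firewall rules";
    enable = true;
    # Must start after nftables.service (whose start flushes the ruleset) and
    # follow its restarts, otherwise the SSH rules from the secret are lost.
    after = [ "nftables.service" ];
    partOf = [ "nftables.service" ];
    wantedBy = [ "nftables.service" ];
    script = ''
      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
    '';
    serviceConfig = {
      RemainAfterExit = true;
      Type = "oneshot";
    };
    # … unchanged: unitConfig / ConditionPathExists …
  };
  systemd.paths."nftables-ssh" = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    # … unchanged: pathConfig …
  };
```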