From afa9823c9a038d434a0bad1b3f5208b49bd2614c Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Mon, 14 Oct 2024 22:30:38 -0700
Subject: Handle nftables reload better
---
 hosts/darkstar/default.nix | 38 ++++++++++++++++++++------------------
 hosts/ginaz/default.nix | 32 +++++++++++++++++---------------
 2 files changed, 37 insertions(+), 33 deletions(-)
(limited to 'hosts')
diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 0368377..7eb3c62 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -102,9 +102,7 @@ system.stateVersion = "23.11";
- systemd.services."nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
+ systemd.services."nftables-extra" = let rules_script = ''
 ${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ''${handle}; done
 if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi
 if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi
@@ -114,22 +112,26 @@ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo accept'
 ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path}
 ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
- };
- unitConfig = {
- ConditionPathExists = [
- config.sops.secrets."nftables/forward".path
- config.sops.secrets."nftables/ssh".path
- ];
- ReloadPropagatedFrom = "nftables.service";
- };
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
 };
+
 systemd.paths."nftables-extra" = {
 pathConfig = {
 PathExists = [
diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index cac2a8d..f35e36b 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
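Review bot: `reload = rules_script;` reruns the whole script on every reload propagated from nftables.service, but only the anveo rule, set and ct helper are removed first; the `nft -f` steps for the `nftables/forward` and `nftables/ssh` secrets are applied again with nothing unloading the previous copies, so unless those files recreate their own table or chain (not visible here) each reload appends a duplicate of those rules and the live ruleset drifts from the declared one. The ginaz hunk (`hosts/ginaz/default.nix`) has the same shape with `nft -f` as its only step, and the `let` binding that this hunk closes is opened in the previous hunk. I'd state the contract the shared script now has to meet, e.g. `# Runs on start and on every reload propagated from nftables.service: each step must be idempotent (remove before re-adding), since nothing else unloads what it added.` above `rules_script`. Whether the propagated reload is ordered after nftables.service's own reload, so the extra rules land after the base ruleset is rebuilt rather than before, depends on systemd job ordering and is worth confirming by checking `nft list chain inet nixos-fw input` after a `systemctl reload nftables.service` shows each rule exactly once.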
@@ -58,23 +58,25 @@ system.stateVersion = "23.11";
- systemd.services."nftables-extra" = {
- description = "nftables extra firewall rules";
- script = ''
+ systemd.services."nftables-extra" = let rules_script = ''
 ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- '';
- serviceConfig = {
- RemainAfterExit = true;
- Type = "oneshot";
- };
- unitConfig = {
- ConditionPathExists = config.sops.secrets."nftables/ssh".path;
- ReloadPropagatedFrom = "nftables.service";
- };
- wantedBy = [ "multi-user.target" ];
- after = [ "nftables.service" ];
- partOf = [ "nftables.service" ];
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
 };
+
 systemd.paths."nftables-extra" = {
 pathConfig = {
 PathExists = config.sops.secrets."nftables/ssh".path;
-- cgit v1.2.3