Unverified Commit e686847d authored by jerrita's avatar jerrita

nixos/nftables: add option for flattening rulesetFile



Co-authored-by: default avatarLin Jian <me@linj.tech>
parent 758e589e
+20 −3
@@ -185,6 +185,19 @@ in
          can be loaded using "nft -f".  The ruleset is updated atomically.
        '';
    };

    networking.nftables.flattenRulesetFile = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Use `builtins.readFile` rather than `include` to handle {option}`networking.nftables.rulesetFile`. It is useful when you want to apply {option}`networking.nftables.preCheckRuleset` to {option}`networking.nftables.rulesetFile`.

        ::: {.note}
        It is expected that {option}`networking.nftables.rulesetFile` can be accessed from the build sandbox.
        :::
      '';
    };

    networking.nftables.tables = mkOption {
      type = types.attrsOf (types.submodule tableSubmodule);

@@ -293,9 +306,13 @@ in
              }
            '') enabledTables)}
            ${cfg.ruleset}
            ${lib.optionalString (cfg.rulesetFile != null) ''
            ${if cfg.rulesetFile != null then
              if cfg.flattenRulesetFile then
                builtins.readFile cfg.rulesetFile
                else ''
                  include "${cfg.rulesetFile}"
            ''}
                ''
              else ""}
          '';
          checkPhase = lib.optionalString cfg.checkRuleset ''
            cp $out ruleset.conf
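Review bot: The `::: {.note}` added to the `flattenRulesetFile` description points at the wrong stage: `builtins.readFile cfg.rulesetFile` is run by the Nix evaluator at evaluation time, not inside the build sandbox, so the file has to be readable on the evaluating host (and under pure flake evaluation presumably must already be in the store), and its contents are then embedded verbatim in the world-readable store path of the generated ruleset. I would reword the note to say that rulesetFile must be readable by the Nix evaluator at evaluation time and that its contents are copied into the Nix store, instead of "accessed from the build sandbox". In the second hunk the nested `if`/`else ''` with the closing `''` at a different indent is hard to follow; keeping the earlier `lib.optionalString (cfg.rulesetFile != null) (...)` shape with an inner `if cfg.flattenRulesetFile then builtins.readFile cfg.rulesetFile else ...` for the include line would keep it to one expression. The `checkPhase` that follows continues beyond the hunk.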