movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/nftables: add option for flattening rulesetFile

Browse source 
Co-authored-by: Lin Jian <me@linj.tech>
This commit is contained in:
jerrita 2024-02-03 09:47:54 +08:00
parent 758e589e5d
commit e686847d20
No known key found for this signature in database
GPG key ID: 1849997FACD8B4B6
1 changed files with 20 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

23
nixos/modules/services/networking/nftables.nix
View file

@ -185,6 +185,19 @@ in
can be loaded using "nft -f". The ruleset is updated atomically. can be loaded using "nft -f". The ruleset is updated atomically.
''; '';
}; };
networking.nftables.flattenRulesetFile = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Use `builtins.readFile` rather than `include` to handle {option}`networking.nftables.rulesetFile`. It is useful when you want to apply {option}`networking.nftables.preCheckRuleset` to {option}`networking.nftables.rulesetFile`.
::: {.note}
It is expected that {option}`networking.nftables.rulesetFile` can be accessed from the build sandbox.
:::
'';
};
networking.nftables.tables = mkOption { networking.nftables.tables = mkOption {
type = types.attrsOf (types.submodule tableSubmodule); type = types.attrsOf (types.submodule tableSubmodule);
@ -293,9 +306,13 @@ in
} }
'') enabledTables)} '') enabledTables)}
${cfg.ruleset} ${cfg.ruleset}
${lib.optionalString (cfg.rulesetFile != null) '' ${if cfg.rulesetFile != null then
include "${cfg.rulesetFile}" if cfg.flattenRulesetFile then
''} builtins.readFile cfg.rulesetFile
else ''
include "${cfg.rulesetFile}"
''
else ""}
''; '';
checkPhase = lib.optionalString cfg.checkRuleset '' checkPhase = lib.optionalString cfg.checkRuleset ''
cp $out ruleset.conf cp $out ruleset.conf