nixos/nftables: add option for flattening rulesetFile

Co-authored-by: Lin Jian <me@linj.tech>
2025-07-13 21:50:33 +03:00 · 2024-02-03 09:47:54 +08:00 · 2024-02-03 09:47:54 +08:00 · e686847d20
commit e686847d20
parent 758e589e5d
1 changed files with 20 additions and 3 deletions
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@ -185,6 +185,19 @@ in
          can be loaded using "nft -f".  The ruleset is updated atomically.
        '';
    };
+
+    networking.nftables.flattenRulesetFile = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Use `builtins.readFile` rather than `include` to handle {option}`networking.nftables.rulesetFile`. It is useful when you want to apply {option}`networking.nftables.preCheckRuleset` to {option}`networking.nftables.rulesetFile`.
+
+        ::: {.note}
+        It is expected that {option}`networking.nftables.rulesetFile` can be accessed from the build sandbox.
+        :::
+      '';
+    };
+
    networking.nftables.tables = mkOption {
      type = types.attrsOf (types.submodule tableSubmodule);

@ -293,9 +306,13 @@ in
              }
            '') enabledTables)}
            ${cfg.ruleset}
-            ${lib.optionalString (cfg.rulesetFile != null) ''
-              include "${cfg.rulesetFile}"
-            ''}
+            ${if cfg.rulesetFile != null then
+              if cfg.flattenRulesetFile then
+                builtins.readFile cfg.rulesetFile
+                else ''
+                  include "${cfg.rulesetFile}"
+                ''
+              else ""}
          '';
          checkPhase = lib.optionalString cfg.checkRuleset ''
            cp $out ruleset.conf