parent
80036bcb1d
commit
7b354ce8cc
@ -0,0 +1,63 @@ |
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
with lib; |
||||
|
||||
let |
||||
cfg = config.services.ferm; |
||||
|
||||
configFile = pkgs.stdenv.mkDerivation { |
||||
name = "ferm.conf"; |
||||
text = cfg.config; |
||||
preferLocalBuild = true; |
||||
buildCommand = '' |
||||
echo -n "$text" > $out |
||||
${cfg.package}/bin/ferm --noexec $out |
||||
''; |
||||
}; |
||||
in { |
||||
options = { |
||||
services.ferm = { |
||||
enable = mkOption { |
||||
default = false; |
||||
example = true; |
||||
type = types.bool; |
||||
description = '' |
||||
Whether to enable Ferm Firewall. |
||||
*Warning*: Enabling this service WILL disable the existing NixOS |
||||
firewall! Default firewall rules provided by packages are not |
||||
considered at the moment. |
||||
''; |
||||
}; |
||||
config = mkOption { |
||||
description = "Verbatim ferm.conf configuration."; |
||||
default = ""; |
||||
defaultText = "empty firewall, allows any traffic"; |
||||
type = types.lines; |
||||
}; |
||||
package = mkOption { |
||||
description = "The ferm package."; |
||||
type = types.package; |
||||
default = pkgs.ferm; |
||||
defaultText = "pkgs.ferm"; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
config = mkIf cfg.enable { |
||||
systemd.services.firewall.enable = false; |
||||
systemd.services.ferm = { |
||||
description = "Ferm Firewall"; |
||||
after = [ "ipset.target" ]; |
||||
before = [ "network-pre.target" ]; |
||||
wants = [ "network-pre.target" ]; |
||||
wantedBy = [ "multi-user.target" ]; |
||||
serviceConfig = { |
||||
Type="oneshot"; |
||||
RemainAfterExit = "yes"; |
||||
ExecStart = "${cfg.package}/bin/ferm ${configFile}"; |
||||
ExecReload = "${cfg.package}/bin/ferm ${configFile}"; |
||||
ExecStop = "${cfg.package}/bin/ferm -F ${configFile}"; |
||||
}; |
||||
}; |
||||
}; |
||||
} |
@ -0,0 +1,38 @@ |
||||
{ stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables }: |
||||
|
||||
stdenv.mkDerivation rec { |
||||
version = "2.3"; |
||||
name = "ferm-${version}"; |
||||
|
||||
src = fetchurl { |
||||
url = "http://ferm.foo-projects.org/download/${version}/ferm-${version}.tar.gz"; |
||||
sha256 = "0jx63fhjw5y1ahgdbn4hgd7sq6clxl80dr8a2hkryibfbwz3vs4x"; |
||||
}; |
||||
|
||||
buildInputs = [ perl ipset ebtables iptables makeWrapper ]; |
||||
preConfigure = '' |
||||
substituteInPlace config.mk --replace "PERL = /usr/bin/perl" "PERL = ${perl}/bin/perl" |
||||
substituteInPlace config.mk --replace "PREFIX = /usr" "PREFIX = $out" |
||||
''; |
||||
postInstall = '' |
||||
rm -r $out/lib/systemd |
||||
for i in "$out/sbin/"*; do |
||||
wrapProgram "$i" --prefix PATH : "${iptables}/bin:${ipset}/bin:${ebtables}/bin" |
||||
done |
||||
''; |
||||
|
||||
meta = { |
||||
homepage = http://ferm.foo-projects.org/; |
||||
description = "Tool to maintain complex firewalls"; |
||||
longDescription = '' |
||||
ferm is a tool to maintain complex firewalls, without having the trouble to |
||||
rewrite the complex rules over and over again. ferm allows the entire |
||||
firewall rule set to be stored in a separate file, and to be loaded with one |
||||
command. The firewall configuration resembles structured programming-like |
||||
language, which can contain levels and lists. |
||||
''; |
||||
license = stdenv.lib.licenses.gpl2; |
||||
maintainers = with stdenv.lib.maintainers; [mic92]; |
||||
platforms = stdenv.lib.platforms.linux; |
||||
}; |
||||
} |
Loading…
Reference in new issue