commit
						8d10928ad0
					
				| @ -249,6 +249,7 @@ | ||||
|   mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>"; | ||||
|   meditans = "Carlo Nucera <meditans@gmail.com>"; | ||||
|   meisternu = "Matt Miemiec <meister@krutt.org>"; | ||||
|   mic92 = "Jörg Thalheim <joerg@higgsboson.tk>"; | ||||
|   michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>"; | ||||
|   michalrus = "Michal Rus <m@michalrus.com>"; | ||||
|   michelk = "Michel Kuhlmann <michel@kuhlmanns.info>"; | ||||
|  | ||||
| @ -335,6 +335,7 @@ | ||||
|   ./services/networking/docker-registry-server.nix | ||||
|   ./services/networking/ejabberd.nix | ||||
|   ./services/networking/fan.nix | ||||
|   ./services/networking/ferm.nix | ||||
|   ./services/networking/firefox/sync-server.nix | ||||
|   ./services/networking/firewall.nix | ||||
|   ./services/networking/flashpolicyd.nix | ||||
|  | ||||
							
								
								
									
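--- a/nixos/modules/services/networking/ferm.nix
+++ b/nixos/modules/services/networking/ferm.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.ferm;
+
+  configFile = pkgs.stdenv.mkDerivation {
+    name = "ferm.conf";
+    text = cfg.config;
+    preferLocalBuild = true;
+    buildCommand = ''
+      echo -n "$text" > $out
+      ${cfg.package}/bin/ferm --noexec $out
+    '';
+  };
+in {
+  options = {
+    services.ferm = {
+      enable = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = ''
+          Whether to enable Ferm Firewall.
+          *Warning*: Enabling this service WILL disable the existing NixOS
+          firewall! Default firewall rules provided by packages are not
+          considered at the moment.
+        '';
+      };
+      config = mkOption {
+        description = "Verbatim ferm.conf configuration.";
+        default = "";
+        defaultText = "empty firewall, allows any traffic";
+        type = types.lines;
+      };
+      package = mkOption {
+        description = "The ferm package.";
+        type = types.package;
+        default = pkgs.ferm;
+        defaultText = "pkgs.ferm";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.firewall.enable = false;
+    systemd.services.ferm = {
+      description = "Ferm Firewall";
+      after = [ "ipset.target" ];
+      before = [ "network-pre.target" ];
+      wants = [ "network-pre.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type="oneshot";
+        RemainAfterExit = "yes";
+        ExecStart = "${cfg.package}/bin/ferm ${configFile}";
+        ExecReload = "${cfg.package}/bin/ferm ${configFile}";
+        ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
+      };
+    };
+  };
+}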
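Review bot: The `config` option defaults to `""` while `systemd.services.firewall.enable = false;` unconditionally disables the NixOS firewall, so enabling `services.ferm` without setting `config` leaves the host with no packet filtering at all — the `defaultText` on that option says as much. An assertion inside the `mkIf cfg.enable` block would turn this into a build-time error instead of a silently open host: `assertions = [ { assertion = cfg.config != ""; message = "services.ferm.config is empty: ferm replaces the NixOS firewall, so an empty ruleset leaves the host unfiltered"; } ];`. `ExecStop` runs `ferm -F`, which flushes the loaded rules, so stopping the unit also removes all filtering; a comment on that line such as `# -F flushes the rules from ${configFile}; a stopped unit means an unfiltered host` makes the consequence visible. `ExecReload` points at the same store path as `ExecStart`, so a reload can never pick up a changed ruleset; under NixOS a changed config yields a new unit and a restart anyway, so that line is at best redundant and worth a comment saying so.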
							
								
								
									
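--- a/pkgs/tools/networking/ferm/default.nix
+++ b/pkgs/tools/networking/ferm/default.nix
@@ -0,0 +1,38 @@
+{ stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables }:
+
+stdenv.mkDerivation rec {
+  version = "2.3";
+  name = "ferm-${version}";
+
+  src = fetchurl {
+    url = "http://ferm.foo-projects.org/download/${version}/ferm-${version}.tar.gz";
+    sha256 = "0jx63fhjw5y1ahgdbn4hgd7sq6clxl80dr8a2hkryibfbwz3vs4x";
+  };
+
+  buildInputs = [ perl ipset ebtables iptables makeWrapper ];
+  preConfigure = ''
+    substituteInPlace config.mk --replace "PERL = /usr/bin/perl" "PERL = ${perl}/bin/perl"
+    substituteInPlace config.mk --replace "PREFIX = /usr" "PREFIX = $out"
+  '';
+  postInstall = ''
+    rm -r $out/lib/systemd
+    for i in "$out/sbin/"*; do
+      wrapProgram "$i" --prefix PATH : "${iptables}/bin:${ipset}/bin:${ebtables}/bin"
+    done
+  '';
+
+  meta = {
+    homepage = http://ferm.foo-projects.org/;
+    description = "Tool to maintain complex firewalls";
+    longDescription = ''
+      ferm is a tool to maintain complex firewalls, without having the trouble to
+      rewrite the complex rules over and over again. ferm allows the entire
+      firewall rule set to be stored in a separate file, and to be loaded with one
+      command. The firewall configuration resembles structured programming-like
+      language, which can contain levels and lists.
+    '';
+    license = stdenv.lib.licenses.gpl2;
+    maintainers = with stdenv.lib.maintainers; [mic92];
+    platforms = stdenv.lib.platforms.linux;
+  };
+}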
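Review bot: `rm -r $out/lib/systemd` in `postInstall` deletes upstream's unit files without saying why; a one-line comment such as `# drop upstream's systemd units: the NixOS module (services.ferm) ships its own` saves the next maintainer a trip to the module. The `wrapProgram` loop is likewise undocumented — `# ferm shells out to iptables/ipset/ebtables, so put them on PATH` states the intent (inferred from the wrapper itself, not checked against the tarball). `makeWrapper` is a build-time-only tool and belongs in `nativeBuildInputs` rather than `buildInputs`, next to the run-time `iptables`/`ipset`/`ebtables` that the wrapper references. The tarball is fetched over plain `http://`; integrity is pinned by the `sha256`, so this only affects confidentiality of the download, and moving to `https://` is worthwhile only if the mirror actually serves it.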
| @ -1556,6 +1556,8 @@ in | ||||
| 
 | ||||
|   fdm = callPackage ../tools/networking/fdm {}; | ||||
| 
 | ||||
|   ferm = callPackage ../tools/networking/ferm { }; | ||||
| 
 | ||||
|   fgallery = callPackage ../tools/graphics/fgallery { | ||||
|     inherit (perlPackages) ImageExifTool JSON; | ||||
|   }; | ||||
|  | ||||
	 Graham Christensen
						Graham Christensen