9 cfg = config.services.shorewall;
13 services.shorewall = {
14 enable = lib.mkOption {
18 Whether to enable Shorewall IPv4 Firewall.
21 Enabling this service WILL disable the existing NixOS
22 firewall! Default firewall rules provided by packages are not
23 considered at the moment.
27 package = lib.mkOption {
29 default = pkgs.shorewall;
30 defaultText = lib.literalExpression "pkgs.shorewall";
31 description = "The shorewall package to use.";
33 configs = lib.mkOption {
34 type = types.attrsOf types.lines;
37 This option defines the Shorewall configs.
38 The attribute name defines the name of the config,
39 and the attribute value defines the content of the config.
41 apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text);
46 config = lib.mkIf cfg.enable {
47 systemd.services.firewall.enable = false;
48 systemd.services.shorewall = {
49 description = "Shorewall IPv4 Firewall";
50 after = [ "ipset.target" ];
51 before = [ "network-pre.target" ];
52 wants = [ "network-pre.target" ];
53 wantedBy = [ "multi-user.target" ];
54 reloadIfChanged = true;
55 restartTriggers = lib.attrValues cfg.configs;
58 RemainAfterExit = "yes";
59 ExecStart = "${cfg.package}/bin/shorewall start";
60 ExecReload = "${cfg.package}/bin/shorewall reload";
61 ExecStop = "${cfg.package}/bin/shorewall stop";
64 install -D -d -m 750 /var/lib/shorewall
65 install -D -d -m 755 /var/lock/subsys
66 touch /var/log/shorewall.log
67 chmod 750 /var/log/shorewall.log
72 name: conf: lib.nameValuePair "shorewall/${name}" { source = conf; }
74 systemPackages = [ cfg.package ];