move iptables.nix to krebs

2015-10-01 22:10:21 +02:00 · 2015-10-01 22:10:21 +02:00 · 1078d1a8a3
parent e8a17e7e9c
commit 1078d1a8a3
2 changed files with 19 additions and 19 deletions
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -11,6 +11,7 @@ let
      ./exim-smarthost.nix
      ./github-hosts-sync.nix
      ./git.nix
+      ./iptables.nix
      ./nginx.nix
      ./Reaktor.nix
      ./retiolum.nix
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@ -3,6 +3,10 @@ arg@{ config, lib, pkgs, ... }:
 let
  inherit (pkgs) writeScript writeText;

+  inherit (builtins)
+    elem
+  ;
+
  inherit (lib)
    concatMapStringsSep
    concatStringsSep
@ -20,15 +24,13 @@ let
    mkOption
    mkIf
    types
-    sort;
+    sort
+  ;

-  elemIsIn = a: as:
-    any (x: x == a) as;
-
-  cfg = config.lass.iptables;
+  cfg = config.krebs.iptables;

  out = {
-    options.lass.iptables = api;
+    options.krebs.iptables = api;
    config = mkIf cfg.enable imp;
  };

@ -74,8 +76,8 @@ let
  imp = {
    networking.firewall.enable = false;

-    systemd.services.lass-iptables = {
-      description = "lass-iptables";
+    systemd.services.krebs-iptables = {
+      description = "krebs-iptables";
      wantedBy = [ "network-pre.target" ];
      before = [ "network-pre.target" ];
      after = [ "systemd-modules-load.service" ];
@ -90,7 +92,7 @@ let
        Type = "simple";
        RemainAfterExit = true;
        Restart = "always";
-        ExecStart = "@${startScript} lass-iptables_start";
+        ExecStart = "@${startScript} krebs-iptables_start";
      };
    };
  };
@ -110,13 +112,10 @@ let

        in
          #TODO: double check should be unneccessary, refactor!
-          if (hasAttr "rules" ts."${tn}"."${cn}") then
-            if (ts."${tn}"."${cn}".rules == null) then
-              ""
-            else
-              concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
-                ++ map (buildRule tn cn) sortedRules
-              )
+          if ts.${tn}.${cn}.rules or null != null then
+            concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+              ++ map (buildRule tn cn) sortedRules
+            )
          else
            ""
          ;
@ -124,7 +123,7 @@ let

      buildRule = tn: cn: rule:
        #target validation test:
-        assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
+        assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));

        #predicate validation test:
        #maybe use iptables-test
@ -171,11 +170,11 @@ let
      tables = tables-defaults // cfg.tables;

    in
-      writeText "lass-iptables-rules${toString iptables-version}" ''
+      writeText "krebs-iptables-rules${toString iptables-version}" ''
        ${buildTables iptables-version tables}
      '';

-  startScript = writeScript "lass-iptables_start" ''
+  startScript = writeScript "krebs-iptables_start" ''
    #! /bin/sh
    set -euf
    iptables-restore < ${rules4 4}