nixos/keepalived: add openFirewall option

Allow VRRP and AH (IPsec Authentication Header, which keepalived uses for VRRP authentication) packets through the firewall automatically when the option is set.
Nuno Alves 2023-11-27 19:00:14 +00:00
parent 679cb8ff4d
commit 24d9151d15
GPG Key ID: F214F1C2CAD671BF


@ -150,6 +150,14 @@ in
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to automatically allow VRRP and AH packets in the firewall.
'';
};
enableScriptSecurity = mkOption {
type = types.bool;
default = false;
@ -282,6 +290,19 @@ in
assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
networking.firewall = lib.mkIf cfg.openFirewall {
extraCommands = ''
# Allow VRRP and AH packets
ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
'';
extraStopCommands = ''
ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
'';
};
systemd.timers.keepalived-boot-delay = {
description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
after = [ "network.target" "network-online.target" "syslog.target" ];
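Review bot: The two ACCEPT rules in `extraCommands` match `-p vrrp` and `-p ah` with no `-i` or source restriction, so setting `openFirewall` exposes the VRRP listener on every interface the host has, not only the segment its instances run on — and since VRRP's own protection is at best a plaintext password or AH, firewall scope is the main control an operator has against a rogue advertisement taking over the VIP. Each `vrrpInstances` entry (already used by the assertions line above) appears to carry the `interface` it binds to, so the rules can be emitted per interface with `-i`, as sketched below; if that is not available, the option description should at least state the rule is unscoped, e.g. `Whether to allow VRRP (IP protocol 112) and AH (IP protocol 51) packets in the firewall; the rule is not restricted to an interface or source address.`. The `-D` lines in `extraStopCommands` are unguarded, so a stop after the rule is already gone prints an error — suffix them with `2>/dev/null || true` as other firewall consumers do. The `systemd.timers.keepalived-boot-delay` block at the end continues past the visible hunk.
```nix
networking.firewall = lib.mkIf cfg.openFirewall (let
  # one rule set per distinct VRRP interface, not a host-wide accept
  vrrpInterfaces = lib.unique (map (i: i.interface) vrrpInstances);
  rule = action: iface: proto:
    ''ip46tables ${action} nixos-fw -i ${iface} -p ${proto} -m comment --comment "services.keepalived.openFirewall" -j ACCEPT'';
in {
  extraCommands = lib.concatMapStringsSep "\n" (iface: ''
    ${rule "-A" iface "vrrp"}
    ${rule "-A" iface "ah"}
  '') vrrpInterfaces;
  extraStopCommands = lib.concatMapStringsSep "\n" (iface: ''
    ${rule "-D" iface "vrrp"} 2>/dev/null || true
    ${rule "-D" iface "ah"} 2>/dev/null || true
  '') vrrpInterfaces;
});
```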