nixos/opengfw: add rules.*.log option
eum3l committed Feb 24, 2024
1 parent 593d434 commit cb0e29f
Showing 1 changed file with 57 additions and 49 deletions.
106 changes: 57 additions & 49 deletions nixos/modules/services/networking/opengfw.nix
@@ -1,23 +1,22 @@
{ lib
, pkgs
, config
, ...
}:
let
inherit (lib) mkOption types mkIf mdDoc;
{
lib,
pkgs,
config,
...
}: let
inherit (lib) mkOption types mkIf mdDoc optionalString;
cfg = config.services.opengfw;
format = pkgs.formats.yaml { };
format = pkgs.formats.yaml {};

settings =
if cfg.settings != { }
then format.generate "OpenGFW-Config.yaml" cfg.settings
if cfg.settings != {}
then format.generate "opengfw-config.yaml" cfg.settings
else cfg.settingsFile;
rules =
if cfg.rules != [ ]
then format.generate "OpenGFW-Rules.yaml" cfg.rules
if cfg.rules != []
then format.generate "opengfw-rules.yaml" cfg.rules
else cfg.rulesFile;
in
{
in {
options.services.opengfw = {
enable = lib.mkEnableOption (mdDoc "A flexible, easy-to-use, open source implementation of GFW on Linux.");

Expand All @@ -41,6 +40,15 @@ in
'';
};

logDir = mkOption {
default = null;
type = types.nullOr types.singleLineStr;
example = "/home/user/opengfw.log";
description = mdDoc ''
File to write the output to instead of systemd.
'';
};

rulesFile = mkOption {
default = null;
type = types.nullOr types.path;
Expand All @@ -58,7 +66,7 @@ in
};

settings = mkOption {
default = { };
default = {};
type = types.attrs;
description = mdDoc ''
Settings passed to OpenGFW. [Example config](https://github.com/apernet/OpenGFW#example-config)
Expand All @@ -80,8 +88,10 @@ in
};

rules = mkOption {
default = [ ];
description = mdDoc "[Rules](https://github.com/apernet/OpenGFW?tab=readme-ov-file#example-rules) passed to OpenGFW.";
default = [];
description = mdDoc ''
Rules passed to OpenGFW. [Example rules](https://github.com/apernet/OpenGFW?tab=readme-ov-file#example-rules)
'';
type = types.listOf (
types.submodule {
options = {
Expand All @@ -93,7 +103,13 @@ in
action = mkOption {
description = mdDoc "Action of the rule. [Supported actions](https://github.com/apernet/OpenGFW?tab=readme-ov-file#supported-actions)";
default = "allow";
type = types.enum [ "allow" "block" "drop" "modify" ];
type = types.enum ["allow" "block" "drop" "modify"];
};

log = mkOption {
description = mdDoc "Wether to enable logging for the rule.";
default = true;
type = types.bool;
};

expr = mkOption {
Expand All @@ -103,17 +119,17 @@ in

modifier = mkOption {
default = null;
description = mdDoc "Modification of specified packet. [Available modifiers](https://github.com/apernet/OpenGFW/tree/master/modifier)";
description = mdDoc "Modification of specified packets when using the `modify` action. [Available modifiers](https://github.com/apernet/OpenGFW/tree/master/modifier)";
type = types.nullOr (
types.submodule {
options = {
name = mkOption {
description = mdDoc "Name of the modifier";
description = mdDoc "Name of the modifier.";
type = types.singleLineStr;
};

args = mkOption {
description = mdDoc "Arguments passed to the modifier";
description = mdDoc "Arguments passed to the modifier.";
type = types.attrs;
};
};
Expand Down Expand Up @@ -159,37 +175,29 @@ in
source = "${cfg.package}/bin/OpenGFW";
};

systemd = {
services.opengfw =
let
cu = "${pkgs.coreutils}/bin";
in
{
description = "A flexible, easy-to-use, open source implementation of GFW on Linux";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment.PATH = lib.mkForce "${cu}:${pkgs.iptables}/bin";
preStart = mkIf ((cfg.rules != [ ] && cfg.settings != { }) || (cfg.rulesFile != null && cfg.settingsFile != null)) ''
${cu}/ln -sf ${settings} config.yaml
${cu}/ln -sf ${rules} rules.yaml
'';

serviceConfig = {
WorkingDirectory = cfg.dir;
ExecStart = "${config.security.wrapperDir}/OpenGFW -c config.yaml rules.yaml";
ExecReload = "${cu}/kill -HUP $MAINPID";
Restart = "always";
User = cfg.user;
};
};
systemd.services.opengfw = {
description = "OpenGFW";
wantedBy = ["multi-user.target"];
after = ["network.target"];
path = with pkgs; [iptables];
preStart = ''
${optionalString (rules != null) "ln -sf ${rules} rules.yaml"}
${optionalString (settings != null) "ln -sf ${settings} config.yaml"}
'';

tmpfiles.rules = [
"d '${cfg.dir}' 0750 ${cfg.user} ${cfg.user} - -"
];
serviceConfig = rec {
WorkingDirectory = cfg.dir;
ExecStart = "${config.security.wrapperDir}/OpenGFW -c config.yaml rules.yaml";
ExecReload = "kill -HUP $MAINPID";
Restart = "always";
User = cfg.user;
StandardOutput = mkIf (cfg.logDir != null) "append:${cfg.logDir}";
StandardError = StandardOutput;
};
};

users = {
groups.${cfg.user} = { };
groups.${cfg.user} = {};
users.${cfg.user} = {
description = "opengfw user";
isNormalUser = true;
Expand All @@ -199,5 +207,5 @@ in
};
};

meta.maintainers = with lib.maintainers; [ eum3l ];
meta.maintainers = with lib.maintainers; [eum3l];
}
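Review bot: `logDir` is a file path, not a directory — its description, its example and the consumer `StandardOutput = "append:${cfg.logDir}"` all treat it as a file — so while the option is still new it should be renamed `logFile` and typed `types.nullOr types.path` instead of `singleLineStr`. If I remember systemd's exec ordering correctly, `append:` targets are opened by the manager before it switches to `User`, so the file is created root-owned at whatever path is configured and symlinks along the way are followed; the example `/home/user/opengfw.log` therefore points at a user-writable location, and `/var/log/opengfw.log` (or adding `LogsDirectory = "opengfw"` and appending there) is a safer suggestion. Separately, `ExecStart` still passes `config.yaml rules.yaml` unconditionally while the rewritten `preStart` only refreshes a symlink when the corresponding option is set, so a `rules.yaml` left behind by an earlier generation — possibly pointing at a garbage-collected store path — survives in `cfg.dir`; an explicit `rm -f config.yaml rules.yaml` before the conditional `ln -sf` lines keeps the working directory consistent. The new `log` option's description also has a typo and should read `Whether to enable logging for the rule.`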
