nixfmt-rfc-style

There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00
parent 13cc5a8992
commit 7e2b0068e6
211 changed files with 6049 additions and 4355 deletions
--- a/modules/firewall/default-rules.nix
+++ b/modules/firewall/default-rules.nix
@@ -1,9 +1,10 @@
 let
-  drop = expr : "${expr} drop";
-  accept = expr : "${expr} accept";
+  drop = expr: "${expr} drop";
+  accept = expr: "${expr} accept";
  mcast-scope = 8;
  allow-incoming = false;
-in {
+in
+{
  bogons-ip6 = {
    type = "filter";
    family = "ip6";
@@ -44,7 +45,7 @@ in {
    rules = [
      (drop "ip6 saddr ::1/128") # loopback address [RFC4291]
      (drop "ip6 daddr ::1/128")
-      (drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
+      (drop "ip6 saddr ::FFFF:0:0/96") # IPv4-mapped addresses
      (drop "ip6 daddr ::FFFF:0:0/96")
      (drop "ip6 saddr fe80::/10") # link-local unicast
      (drop "ip6 daddr fe80::/10")
@@ -60,7 +61,8 @@ in {
      (drop
        # dest addr first byte 0xff, low nibble of second byte <= scope
        # https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
-        "@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}")
+        "@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}"
+      )

      (accept "oifname @lan iifname @wan meta l4proto udp ct state established,related")
      (accept "iifname @lan oifname @wan meta l4proto udp")
@@ -72,7 +74,7 @@ in {
      # does this ever get used or does the preceding general udp accept
      # already grab anything that might get here?
      (accept "oifname @wan udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
-      (accept "ip6 nexthdr 139") #  Host Identity Protocol
+      (accept "ip6 nexthdr 139") # Host Identity Protocol

      ## FIXME no support yet for recs 27-30 Mobility Header

@@ -88,9 +90,11 @@ in {
      # we can allow all reasonable inbound, or we can use an explicit
      # allowlist to enumerate the endpoints that are allowed to
      # accept inbound from the WAN
-      (if allow-incoming
-       then accept "oifname @lan iifname @wan"
-       else "iifname @wan jump incoming-allowed-ip6"
+      (
+        if allow-incoming then
+          accept "oifname @lan iifname @wan"
+        else
+          "iifname @wan jump incoming-allowed-ip6"
      )
      # allow all outbound and any inbound that's part of a
      # recognised (outbound-initiated) flow
@@ -130,10 +134,7 @@ in {
      (accept "meta l4proto icmpv6")
      "iifname @lan jump input-ip6-lan"
      "iifname @wan jump input-ip6-wan"
-      (if allow-incoming
-       then accept "iifname @wan"
-       else "iifname @wan jump incoming-allowed-ip6"
-      )
+      (if allow-incoming then accept "iifname @wan" else "iifname @wan jump incoming-allowed-ip6")
      # how does this even make sense in an input chain?
      (accept "iifname @wan  ct state established,related")
      (accept "iifname @lan ")
@@ -185,9 +186,9 @@ in {
    family = "ip";

    rules = [
-      (accept "udp dport 67")   # dhcp
-      (accept "udp dport 53")   # dns
-      (accept "tcp dport 22")   # ssh
+      (accept "udp dport 67") # dhcp
+      (accept "udp dport 53") # dns
+      (accept "tcp dport 22") # ssh
    ];
  };

--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@@ -4,7 +4,12 @@
 ## Provides a service to create an nftables ruleset based on
 ## configuration supplied to it.

-{ lib, pkgs, config, ...}:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
@@ -54,37 +59,44 @@ in
  };
  config = {
    system.service.firewall =
-      let svc = config.system.callService ./service.nix  {
-            extraRules = mkOption {
-              type = types.attrsOf types.attrs;
-              description = "firewall ruleset";
-              default = {};
-            };
-            zones = mkOption {
-              type = types.attrsOf (types.listOf  liminix.lib.types.service);
-              default = {};
-              example = lib.literalExpression ''
-                {
-                  lan = with config.hardware.networkInterfaces; [ int ];
-                  wan = [ config.services.ppp0 ];
-                }
-              '';
-            };
-            rules = mkOption {
-              type = types.attrsOf types.attrs;   # we could usefully tighten this a bit :-)
-              default = import ./default-rules.nix;
-              description = "firewall ruleset";
-            };
+      let
+        svc = config.system.callService ./service.nix {
+          extraRules = mkOption {
+            type = types.attrsOf types.attrs;
+            description = "firewall ruleset";
+            default = { };
          };
-      in svc // {
-        build = args :
-          let args' = args // {
-                dependencies = (args.dependencies or []) ++ [kmodules];
-              };
-          in svc.build args' ;
+          zones = mkOption {
+            type = types.attrsOf (types.listOf liminix.lib.types.service);
+            default = { };
+            example = lib.literalExpression ''
+              {
+                lan = with config.hardware.networkInterfaces; [ int ];
+                wan = [ config.services.ppp0 ];
+              }
+            '';
+          };
+          rules = mkOption {
+            type = types.attrsOf types.attrs; # we could usefully tighten this a bit :-)
+            default = import ./default-rules.nix;
+            description = "firewall ruleset";
+          };
+        };
+      in
+      svc
+      // {
+        build =
+          args:
+          let
+            args' = args // {
+              dependencies = (args.dependencies or [ ]) ++ [ kmodules ];
+            };
+          in
+          svc.build args';
      };
    programs.busybox.applets = [
-      "insmod" "rmmod"
+      "insmod"
+      "rmmod"
    ];
    kernel.config = {
      NETFILTER = "y";
@@ -94,7 +106,7 @@ in

      NETLINK_DIAG = "y";

-      IP6_NF_IPTABLES=  "m";
+      IP6_NF_IPTABLES = "m";
      IP_NF_IPTABLES = "m";
      IP_NF_NAT = "m";
      IP_NF_TARGET_MASQUERADE = "m";
--- a/modules/firewall/service.nix
+++ b/modules/firewall/service.nix
@@ -1,37 +1,44 @@
 {
-  liminix
-, lib
-, firewallgen
-, nftables
-, writeFennel
-, anoia
-, lualinux
-, linotify
+  liminix,
+  lib,
+  firewallgen,
+  nftables,
+  writeFennel,
+  anoia,
+  lualinux,
+  linotify,
+}:
+{
+  rules,
+  extraRules,
+  zones,
 }:
-{ rules, extraRules, zones }:
 let
  inherit (liminix.services) longrun;
  inherit (lib.attrsets) mapAttrs' nameValuePair mapAttrsToList;
  inherit (lib.strings) concatStringsSep;
  inherit (lib.lists) flatten;
-  mkSet = family : name :
-    nameValuePair
-      "${name}-set-${family}"
-      {
-        kind = "set";
-        inherit name family;
-        type = "ifname";
-      };
-  sets = (mapAttrs' (n : _ : mkSet "ip" n) zones) //
-         (mapAttrs' (n : _ : mkSet "ip6" n) zones);
+  mkSet =
+    family: name:
+    nameValuePair "${name}-set-${family}" {
+      kind = "set";
+      inherit name family;
+      type = "ifname";
+    };
+  sets = (mapAttrs' (n: _: mkSet "ip" n) zones) // (mapAttrs' (n: _: mkSet "ip6" n) zones);
  allRules = lib.recursiveUpdate extraRules (lib.recursiveUpdate (builtins.trace sets sets) rules);
  script = firewallgen "firewall1.nft" allRules;
  ifwatch = writeFennel "ifwatch" {
-    packages = [anoia lualinux linotify];
+    packages = [
+      anoia
+      lualinux
+      linotify
+    ];
    mainFunction = "run";
-  } ./ifwatch.fnl ;
-  watchArg = z : intfs : map (i: "${z}:${i}/.outputs") intfs;
-in longrun {
+  } ./ifwatch.fnl;
+  watchArg = z: intfs: map (i: "${z}:${i}/.outputs") intfs;
+in
+longrun {
  name = "firewall";
  run = ''
    ${script}