nixfmt-rfc-style

There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00
parent 13cc5a8992
commit 7e2b0068e6
211 changed files with 6049 additions and 4355 deletions
--- a/pkgs/firewallgen/default.nix
+++ b/pkgs/firewallgen/default.nix
@@ -1,79 +1,94 @@
 {
-  nftables
-, writeScript
-, lib
-} :
-name : ruleset :
+  nftables,
+  writeScript,
+  lib,
+}:
+name: ruleset:
 let
-  inherit (lib.strings) concatStringsSep splitString hasInfix substring;
+  inherit (lib.strings)
+    concatStringsSep
+    splitString
+    hasInfix
+    substring
+    ;
  inherit (lib.lists) groupBy;
  inherit (lib.attrsets) mapAttrsToList;
  inherit (builtins) map head tail;

-  indentLines = offset : lines :
-    if lines == []
-    then ""
+  indentLines =
+    offset: lines:
+    if lines == [ ] then
+      ""
    else
      let
        line = head lines;
        isOpen = hasInfix "{" line;
        isClose = hasInfix "}" line;
-        offset' = offset +
-                 (if isOpen then 4 else 0) +
-                 (if isClose then -4 else 0);
+        offset' = offset + (if isOpen then 4 else 0) + (if isClose then -4 else 0);
        padding = offset: substring 0 offset "                           ";
      in
-        if (isClose && !isOpen)
-        then
-          (padding offset') + line + "\n" + indentLines offset' (tail lines)
-        else
-          (padding offset) + line + "\n" + indentLines offset' (tail lines);
+      if (isClose && !isOpen) then
+        (padding offset') + line + "\n" + indentLines offset' (tail lines)
+      else
+        (padding offset) + line + "\n" + indentLines offset' (tail lines);

-  indent = text : indentLines 0 (splitString "\n" text);
+  indent = text: indentLines 0 (splitString "\n" text);

-  dochain = { name, type, family, rules,
-              policy ? null,
-              priority ? "filter",
-              hook ? null } : ''
-    chain ${name} {
-    ${if hook != null
-      then "type ${type} hook ${hook} priority ${priority}; policy ${policy};"
-    else ""
-    }
-    ${concatStringsSep "\n" rules}
-    }
-  '';
+  dochain =
+    {
+      name,
+      type,
+      family,
+      rules,
+      policy ? null,
+      priority ? "filter",
+      hook ? null,
+    }:
+    ''
+      chain ${name} {
+      ${if hook != null then "type ${type} hook ${hook} priority ${priority}; policy ${policy};" else ""}
+      ${concatStringsSep "\n" rules}
+      }
+    '';

-  doset = { name, type, elements ? [], ... } : ''
-    set ${name}  {
-      type ${type}
-      ${if elements != []
-        then "elements = { ${concatStringsSep ", " elements } }"
-        else ""
-       }
-    }
-  '';
+  doset =
+    {
+      name,
+      type,
+      elements ? [ ],
+      ...
+    }:
+    ''
+      set ${name}  {
+        type ${type}
+        ${if elements != [ ] then "elements = { ${concatStringsSep ", " elements} }" else ""}
+      }
+    '';

  dochainorset =
-    { kind ? "chain", ... } @ params :
+    {
+      kind ? "chain",
+      ...
+    }@params:
    {
      chain = dochain;
      set = doset;
-    }.${kind} params;
+    }
+    .${kind}
+      params;

-  dotable = family : chains : ''
+  dotable = family: chains: ''
    table ${family} table-${family} {
    ${concatStringsSep "\n" (map dochainorset chains)}
    }
  '';
-  categorise = chains :
-    groupBy
-      ({ family, ... } : family)
-      (mapAttrsToList (n : v : { name = n; } // v ) chains);
-in writeScript name ''
-#!${nftables}/sbin/nft -f
+  categorise =
+    chains: groupBy ({ family, ... }: family) (mapAttrsToList (n: v: { name = n; } // v) chains);
+in
+writeScript name ''
+  #!${nftables}/sbin/nft -f

-flush ruleset
+  flush ruleset

-${indent (concatStringsSep "\n" (mapAttrsToList dotable (categorise ruleset)))}
+  ${indent (concatStringsSep "\n" (mapAttrsToList dotable (categorise ruleset)))}
 ''
--- a/pkgs/firewallgen/test-rules-min.nix
+++ b/pkgs/firewallgen/test-rules-min.nix
@@ -1,6 +1,6 @@
 let
-  drop = expr : "${expr} drop";
-  accept = expr : "${expr} accept";
+  drop = expr: "${expr} drop";
+  accept = expr: "${expr} accept";
  mcast-scope = 8;
  allow-incoming = false;
  bogons-ip6 = {
@@ -41,7 +41,7 @@ let
      "jump bogons-ip6"
      (drop "ip6 saddr ::1/128") # loopback address [RFC4291]
      (drop "ip6 daddr ::1/128")
-      (drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
+      (drop "ip6 saddr ::FFFF:0:0/96") # IPv4-mapped addresses
      (drop "ip6 daddr ::FFFF:0:0/96")
      (drop "ip6 saddr fe80::/10") # link-local unicast
      (drop "ip6 daddr fe80::/10")
@@ -57,7 +57,8 @@ let
      (drop
        # dest addr first byte 0xff, low nibble of second byte <= scope
        # https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
-        "@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}")
+        "@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}"
+      )

      (accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related")
      (accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp")
@@ -85,9 +86,11 @@ let
      # we can allow all reasonable inbound, or we can use an explicit
      # allowlist to enumerate the endpoints that are allowed to
      # accept inbound from the WAN
-      (if allow-incoming
-       then accept "oifname \"int\" iifname \"ppp0\""
-       else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+      (
+        if allow-incoming then
+          accept "oifname \"int\" iifname \"ppp0\""
+        else
+          "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
      )
      # allow all outbound and any inbound that's part of a
      # recognised (outbound-initiated) flow
@@ -103,9 +106,11 @@ let
    rules = [
      "jump bogons-ip6"
      (accept "meta l4proto icmpv6")
-      (if allow-incoming
-       then accept "oifname \"int\" iifname \"ppp0\""
-       else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+      (
+        if allow-incoming then
+          accept "oifname \"int\" iifname \"ppp0\""
+        else
+          "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
      )
      (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related")
      (accept "iifname \"int\" oifname \"ppp0\" ")
@@ -119,14 +124,21 @@ let
      "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
    ];
  };
-in {
-  inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
+in
+{
+  inherit
+    input-ip6
+    forward-ip6
+    bogons-ip6
+    incoming-allowed-ip6
+    ;
  lan-set-ip = {
    kind = "set";
    family = "ip";
    type = "ifname";
    elements = [
-      "eth0" "eth1"
+      "eth0"
+      "eth1"
    ];

  };
@@ -136,7 +148,8 @@ in {
    family = "ip6";
    type = "ifname";
    elements = [
-      "eth0" "eth1"
+      "eth0"
+      "eth1"
    ];

  };
--- a/pkgs/firewallgen/test.nix
+++ b/pkgs/firewallgen/test.nix
@@ -1,4 +1,5 @@
 let
-  pkgs = import <nixpkgs> { overlays = [( import ../../overlay.nix)]; };
+  pkgs = import <nixpkgs> { overlays = [ (import ../../overlay.nix) ]; };
  ruleset = import ./test-rules-min.nix;
-in pkgs.firewallgen "firewall.nft" ruleset
+in
+pkgs.firewallgen "firewall.nft" ruleset