turn nftables firewall into a service-providing module

modules/firewall/service.nix

@@ -0,0 +1,26 @@
+{
+  liminix
+, lib
+, firewallgen
+, nftables
+}:
+let
+  inherit (liminix.services) oneshot;
+  inherit (liminix.lib) typeChecked;
+  inherit (lib) mkOption types;
+  t = {
+    ruleset = mkOption {
+      type = types.anything;         # we could usefully define this more tightly
+      description = "firewall ruleset";
+    };
+  };
+in
+params:
+let
+  inherit (typeChecked "firewall" t params) ruleset;
+  script = firewallgen "firewall.nft" ruleset;
+in oneshot {
+  name = "firewall";
+  up = script;
+  down = "${nftables}/bin/nft flush ruleset";
+}