Merge pull request #270467 from nalves599/269944-keepalived-firewall

nixos/keepalived: add openFirewall option

authored by Emily and committed by GitHub a0ba4615 de502c4d

+21
+21
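--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -150,6 +150,14 @@
 '';
 };
 
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description = lib.mdDoc ''
+Whether to automatically allow VRRP and AH packets in the firewall.
+'';
+};
+
 enableScriptSecurity = mkOption {
 type = types.bool;
 default = false;
@@ -281,6 +289,21 @@
 config = mkIf cfg.enable {
 
 assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
+
+networking.firewall = lib.mkIf cfg.openFirewall {
+extraCommands = ''
+# Allow VRRP and AH packets
+ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+'';
+
+extraStopCommands = ''
+ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+'';
+};
 
 systemd.timers.keepalived-boot-delay = {
 description = "Keepalive Daemon delay to avoid instant transition to MASTER state";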
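Review bot: The ACCEPT rules at new lines 296–297 admit VRRP and AH packets from any source on every interface, which is broader than the configured VRRP instances need; consider restricting them to the interfaces those instances use (an `-i` match per interface), or at minimum state the scope in the option description, e.g. `Whether to automatically allow VRRP and AH packets in the firewall. The rules accept these protocols from any source on all interfaces.`. The `-D` lines in extraStopCommands at 301–302 exit non-zero when the rule is not present (for example after the option was toggled between firewall restarts), so the common nixpkgs form `... -j ACCEPT 2>/dev/null || true` would make the stop path tolerant. The enclosing `config = mkIf cfg.enable { ... }` set continues outside the hunk.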