Merge pull request #270467 from nalves599/269944-keepalived-firewall

nixos/keepalived: add openFirewall option
Emily 2023-12-03 20:37:09 +01:00 committed by GitHub
commit a0ba4615da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -150,6 +150,14 @@ in
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to automatically allow VRRP and AH packets in the firewall.
'';
};
enableScriptSecurity = mkOption {
type = types.bool;
default = false;
@ -282,6 +290,19 @@ in
assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
networking.firewall = lib.mkIf cfg.openFirewall {
extraCommands = ''
# Allow VRRP and AH packets
ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
'';
extraStopCommands = ''
ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
'';
};
systemd.timers.keepalived-boot-delay = {
description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
after = [ "network.target" "network-online.target" "syslog.target" ];
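Review bot: The four ip46tables rules in the second hunk accept VRRP and AH from any source on every interface, while VRRP instances are bound to a specific interface; the rules could carry an interface match built from the instances (for each instance interface, `ip46tables -A nixos-fw -i <iface> -p vrrp ... -j ACCEPT`, and likewise for ah), which would keep the exposure to the links where keepalived actually speaks — this presumes the per-instance interface is reachable from the `vrrpInstances` list used on the assertions line; confirm before relying on it. If the rules stay interface-wide, the option description added in the first hunk should say so, e.g. `Whether to allow VRRP and AH packets in the firewall, on all interfaces and from any source.` The `-D` lines in extraStopCommands return non-zero when the rule is already gone (the firewall's own stop or reload path may have flushed the chain first); other modules suffix such deletions with `2>/dev/null || true` so a failed delete does not abort the remaining stop commands — worth matching here if the stop script does not tolerate errors itself, which is not visible on this page.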