Merge pull request #270467 from nalves599/269944-keepalived-firewall
nixos/keepalived: add openFirewall option
a0ba4615da
|
@ -150,6 +150,14 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
openFirewall = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Whether to automatically allow VRRP and AH packets in the firewall.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
enableScriptSecurity = mkOption {
|
enableScriptSecurity = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
|
@ -282,6 +290,19 @@ in
|
||||||
|
|
||||||
assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
|
assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
|
||||||
|
|
||||||
|
networking.firewall = lib.mkIf cfg.openFirewall {
|
||||||
|
extraCommands = ''
|
||||||
|
# Allow VRRP and AH packets
|
||||||
|
ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||||||
|
ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||||||
|
'';
|
||||||
|
|
||||||
|
extraStopCommands = ''
|
||||||
|
ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||||||
|
ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemd.timers.keepalived-boot-delay = {
|
systemd.timers.keepalived-boot-delay = {
|
||||||
description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
|
description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
|
||||||
after = [ "network.target" "network-online.target" "syslog.target" ];
|
after = [ "network.target" "network-online.target" "syslog.target" ];
|
||||||
|
|
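Review bot: The four `ip46tables` rules in the second hunk accept protocol 112 (VRRP) and AH from any source on every interface, so `openFirewall` exposes keepalived's advertisement path to any network that can route to the host, not just the segment the VRRP instances run on; the option description should say so, e.g. `Whether to allow VRRP and AH packets in the firewall from any source; restrict with extraCommands if keepalived is not on a trusted segment.`. A tighter default would scope each rule to the interface of the configured instances, roughly `ip46tables -A nixos-fw -i ${iface} -p vrrp ...` generated per entry of `cfg.vrrpInstances` (the module's instance definitions are outside this hunk, so the exact attribute to read needs confirming). The `-D` lines in `extraStopCommands` will fail if the matching `-A` never ran (stop after a failed start); if the NixOS stop script runs with errexit, append `2>/dev/null || true` as other modules do. Note also that `extraCommands` targets the iptables `nixos-fw` chain and, as far as I recall, is rejected when the nftables-based firewall is enabled, so the option silently becomes unusable there — worth a line in the description or an assertion.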