author | Nuno Alves <nuno.alves02@gmail.com> | 2023-11-27 19:00:14 +0000 |
---|---|---|
committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2023-12-04 09:28:56 +0000 |
commit | 29ef33b65cc7c369c5e97258ea33bd86622412f6 (patch) | |
tree | b6bc03d1d8747fda3f8ab94217883dd23eeb82fd /nixos/modules | |
parent | 7823e1f33ae67656f759beca4d37f841a9d82120 (diff) |
nixos/keepalived: add openFirewall option
Allow VRRP and AH (authentication packets) through the firewall automatically if the option is set. (cherry picked from commit 24d9151d15168867b87669ee663e4d15a23ded91)
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/keepalived/default.nix | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index 29fbea5545c36..429a47c3962c6 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -150,6 +150,14 @@ in ''; };
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to automatically allow VRRP and AH packets in the firewall.
+ '';
+ };
+ enableScriptSecurity = mkOption {
+ type = types.bool;
+ default = false;
@@ -282,6 +290,19 @@ in assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
+ networking.firewall = lib.mkIf cfg.openFirewall {
+ extraCommands = ''
+ # Allow VRRP and AH packets
+ ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+ ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+ '';
+
+ extraStopCommands = ''
+ ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+ ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+ '';
+ };
+ systemd.timers.keepalived-boot-delay = { description = "Keepalive Daemon delay to avoid instant transition to MASTER state"; after = [ "network.target" "network-online.target" "syslog.target" ]; |
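Review bot: The two `ip46tables -A nixos-fw -p vrrp ... -j ACCEPT` / `-p ah ... -j ACCEPT` rules in the second hunk accept those protocols from any source on every interface, which is wider than keepalived needs: VRRP (IP protocol 112) advertisements arrive on the instance's interface, normally to 224.0.0.18 / ff02::12, so on a host that also has a public-facing interface this admits spoofed advertisements from that side, and an instance without a `pass`/AH auth_type will act on them. Since the surrounding module already iterates `vrrpInstances` (visible in the context line), the rules could be generated per instance with `-i ${instance.interface}` instead of globally — assuming each instance carries an `interface` attribute, which the hunk does not show. If the global form is kept, the option description should say what it opens, e.g. `Whether to accept VRRP (IP protocol 112) and AH (IP protocol 51) packets from any source on all interfaces; restrict with extraCommands or use an auth_type if untrusted networks are attached.` Separately, the `-D` lines in `extraStopCommands` carry no `2>/dev/null || true`, so if the rule is already gone (chain flushed, rule removed by hand) and the generated stop script runs under `-e`, as I believe the firewall module's scripts do, the failure aborts the rest of the teardown. The `networking.firewall` attribute set this adds sits inside a larger `config` block whose start and end are outside the hunk.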