Enable nnf-common snippet by default, but emit a warning if not man…

…ually defined
thelegy · Dec 14, 2023 · 3ef0e6a · 3ef0e6a
1 parent 6e8d86f
commit 3ef0e6a
Show file tree

Hide file tree

Showing 12 changed files with 32 additions and 2 deletions.
diff --git a/checks/testCommon.nix b/checks/testCommon.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
   imports = [flakes.self.nixosModules.default];
 
   networking.nftables.firewall = {
+    enable = true;
     snippets.nnf-common.enable = true;
   };
 

diff --git a/checks/testEmpty.nix b/checks/testEmpty.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 
   networking.nftables.firewall = {
     enable = true;
+    snippets.nnf-common.enable = false;
   };
 
   output = {

diff --git a/checks/testForward.nix b/checks/testForward.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 
   networking.nftables.firewall = {
     enable = true;
+    snippets.nnf-common.enable = false;
     zones.a.interfaces = ["a"];
     zones.b.interfaces = ["b"];
 

diff --git a/checks/testInheritance.nix b/checks/testInheritance.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 
   networking.nftables.firewall = {
     enable = true;
+    snippets.nnf-common.enable = false;
 
     zones.a.interfaces = ["a"];
 

diff --git a/checks/testNat.nix b/checks/testNat.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
   imports = [flakes.self.nixosModules.default];
 
   networking.nftables.firewall = {
+    enable = true;
     snippets.nnf-common.enable = true;
     zones.a.interfaces = ["a"];
     zones.b.interfaces = ["b"];

diff --git a/checks/testPortRules.nix b/checks/testPortRules.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 
   networking.nftables.firewall = {
     enable = true;
+    snippets.nnf-common.enable = false;
     rules.nose = {
       from = "all";
       to = ["fw"];

diff --git a/checks/testRuleType.nix b/checks/testRuleType.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 
   networking.nftables.firewall = {
     enable = true;
+    snippets.nnf-common.enable = false;
 
     rules.rule = {
       from = "all";

diff --git a/checks/testWebserver.nix b/checks/testWebserver.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
   imports = [flakes.self.nixosModules.default];
 
   networking.nftables.firewall = {
+    enable = true;
     snippets.nnf-common.enable = true;
     rules.webserver = {
       from = "all";

diff --git a/checks/testZoneExpressions.nix b/checks/testZoneExpressions.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
   imports = [flakes.self.nixosModules.default];
 
   networking.nftables.firewall = {
+    enable = true;
     snippets.nnf-common.enable = true;
     zones.a.interfaces = ["a"];
     zones.a.ipv4Addresses = ["192.168.1.0/24"];

diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -49,7 +49,6 @@ We will look at the following `configuration.nix´.
     snippets.nnf-common.enable = true;
 ```
 This will enable the firewall and also the `nnf-common` snippet.
-(Actually the snippet will also enable the firewall, so if you are using it, enabling it by hand is not required.)
 
 ### Zones
 Next we will add some [zones](zones):

diff --git a/nftables-snippets.nix b/nftables-snippets.nix
@@ -73,8 +73,16 @@ in {
   };
 
   config = mkMerge [
+    {
+      assertions = [
+        {
+          assertion = cfg.nnf-common.enable -> config.networking.nftables.firewall.enable;
+          message = "You enabled the `nnf-common` firewall snippet, but you did not enable the firewall itself.";
+        }
+      ];
+    }
+
     (mkIf cfg.nnf-common.enable {
-      networking.nftables.firewall.enable = true;
       networking.nftables.firewall.snippets = mkDefault {
         nnf-conntrack.enable = true;
         nnf-default-stopRuleset.enable = true;

diff --git a/nftables-zoned.nix b/nftables-zoned.nix
@@ -309,6 +309,20 @@ in {
         }
       ];
 
+      networking.nftables.firewall.snippets.nnf-common.enable = let
+        msg = concatStringsSep " " [
+          "To ease the migration for the nixos-nftables-firewall moving to snippets"
+          "the option `networking.nftables.firewall.snippets.nnf-common.enable` has"
+          "been defaulted to `true`. It will some day be switched to default to `false`"
+          "Please review, if these snippets do, what you need, make overrides as needed"
+          "and be warned, that their functionality might change in the future."
+          "You can read more about snippets here:\n"
+          "https://thelegy.github.io/nixos-nftables-firewall/snippets/\n"
+          "To remove this warning manually define the option."
+        ];
+      in
+        mkOverride 1499 (warn msg true);
+
       networking.nftables.firewall.zones.${cfg.localZoneName} = {
         localZone = true;
       };