Move modules in another directory and split snippets into seperate files

flake.nix

@@ -15,12 +15,12 @@
         imports = [(import file flakes)];
       };
     in rec {
-      nftables = module ./nftables.nix;
-      nftables-chains = module ./nftables-chains.nix;
-      nftables-zoned = module ./nftables-zoned.nix;
-      nftables-snippets = module ./nftables-snippets.nix;
+      nftables = module ./modules/nftables.nix;
+      chains = module ./modules/chains.nix;
+      zoned = module ./modules/zoned.nix;
+      snippets = module ./modules/snippets.nix;
 
-      default = nftables-snippets;
+      default = snippets;
 
       full = with nixpkgs.lib; let
         msg = concatStringsSep " " [

modules/snippets.nix

@@ -0,0 +1,14 @@
+flakes: {
+  imports = [
+    flakes.self.nixosModules.zoned
+    ./snippets/nnf-common.nix
+    ./snippets/nnf-default-stopRuleset.nix
+    ./snippets/nnf-conntrack.nix
+    ./snippets/nnf-drop.nix
+    ./snippets/nnf-loopback.nix
+    ./snippets/nnf-dhcpv6.nix
+    ./snippets/nnf-icmp.nix
+    ./snippets/nnf-ssh.nix
+    ./snippets/nnf-nixos-firewall.nix
+  ];
+}

modules/snippets/nnf-common.nix

@@ -0,0 +1,34 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-common;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-common = {
+        enable = mkEnableOption (mdDoc "the nnf-common firewall snippet");
+      };
+    };
+
+    config = mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = cfg.enable -> config.networking.nftables.firewall.enable;
+          message = "You enabled the `nnf-common` firewall snippet, but you did not enable the firewall itself.";
+        }
+      ];
+
+      networking.nftables.firewall.snippets = mkDefault {
+        nnf-conntrack.enable = true;
+        nnf-default-stopRuleset.enable = true;
+        nnf-drop.enable = true;
+        nnf-loopback.enable = true;
+        nnf-dhcpv6.enable = true;
+        nnf-icmp.enable = true;
+        nnf-ssh.enable = true;
+        nnf-nixos-firewall.enable = true;
+      };
+    };
+  }

modules/snippets/nnf-conntrack.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-conntrack;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-conntrack = {
+        enable = mkEnableOption (mdDoc "the nnf-conntrack firewall snippet");
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.chains = let
+        conntrackRule = {
+          after = mkForce ["veryEarly"];
+          before = ["early"];
+          rules = [
+            "ct state {established, related} accept"
+            "ct state invalid drop"
+          ];
+        };
+      in {
+        input.conntrack = conntrackRule;
+        forward.conntrack = conntrackRule;
+      };
+    };
+  }

modules/snippets/nnf-default-stopRuleset.nix

@@ -0,0 +1,65 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-default-stopRuleset;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-default-stopRuleset = {
+        enable = mkEnableOption (mdDoc "the nnf-default-stopRuleset snippet");
+        allowedTCPPorts = mkOption {
+          type = types.listOf types.port;
+          default = config.services.openssh.ports;
+          defaultText = literalExpression "config.services.openssh.ports";
+          description = mdDoc ''
+            List of allowd TCP ports while the firewall is disabled.
+          '';
+        };
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.stopRuleset = let
+        ports = cfg.allowedTCPPorts;
+        toPortList = ports: assert length ports > 0; "{ ${concatStringsSep ", " (map toString ports)} }";
+      in
+        mkDefault ''
+          # Check out https://wiki.nftables.org/ for better documentation.
+          # Table for both IPv4 and IPv6.
+          table inet filter {
+            # Block all incomming connections traffic except SSH and "ping".
+            chain input {
+              type filter hook input priority 0; policy drop
+
+              # accept any localhost traffic
+              iifname lo accept
+
+              # accept traffic originated from us
+              ct state {established, related} accept
+
+              # ICMP
+              # routers may also want: mld-listener-query, nd-router-solicit
+              ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+              ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+              # allow "ping"
+              ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+              ip protocol icmp icmp type echo-request accept
+
+              # accept SSH connections (required for a server)
+              ${optionalString (ports > 0) "tcp dport ${toPortList ports} accept"}
+
+              # count and drop any other traffic
+              counter drop
+            }
+
+            chain forward {
+              type filter hook forward priority 0; policy drop
+              counter drop
+            }
+          }
+        '';
+    };
+  }

modules/snippets/nnf-dhcpv6.nix

@@ -0,0 +1,26 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-dhcpv6;
+  localZoneName = config.networking.nftables.firewall.localZoneName;
+in
+  with lib; {
+  options.networking.nftables.firewall.snippets = {
+    nnf-dhcpv6 = {
+      enable = mkEnableOption (mdDoc "the nnf-dhcpv6 firewall snippet");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.nftables.firewall.rules.dhcpv6 = {
+      after = ["ct" "ssh"];
+      from = "all";
+      to = [localZoneName];
+      extraLines = [
+        "ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept"
+      ];
+    };
+  };
+}

modules/snippets/nnf-drop.nix

@@ -0,0 +1,27 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-drop;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-drop = {
+        enable = mkEnableOption (mdDoc "the nnf-drop firewall snippet");
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.chains = let
+        dropRule = {
+          after = mkForce ["veryLate"];
+          before = mkForce ["end"];
+          rules = singleton "counter drop";
+        };
+      in {
+        input.drop = dropRule;
+        forward.drop = dropRule;
+      };
+    };
+  }

modules/snippets/nnf-icmp.nix

@@ -0,0 +1,41 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-icmp;
+  localZoneName = config.networking.nftables.firewall.localZoneName;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-icmp = {
+        enable = mkEnableOption (mdDoc "the nnf-icmp firewall snippet");
+        ipv6Types = mkOption {
+          type = types.listOf types.str;
+          default = ["echo-request" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
+          description = mdDoc ''
+            List of allowed ICMPv6 types.
+          '';
+        };
+        ipv4Types = mkOption {
+          type = types.listOf types.str;
+          default = ["echo-request" "router-advertisement"];
+          description = mdDoc ''
+            List of allowed ICMP types.
+          '';
+        };
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.firewall.rules.icmp = {
+        after = ["ct" "ssh"];
+        from = "all";
+        to = [localZoneName];
+        extraLines = [
+          "ip6 nexthdr icmpv6 icmpv6 type { ${concatStringsSep ", " cfg.ipv6Types} } accept"
+          "ip protocol icmp icmp type { ${concatStringsSep ", " cfg.ipv4Types} } accept"
+        ];
+      };
+    };
+  }

modules/snippets/nnf-loopback.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-loopback;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-loopback = {
+        enable = mkEnableOption (mdDoc "the nnf-loopback firewall snippet");
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.chains.input.loopback = {
+        after = mkForce ["veryEarly"];
+        before = ["conntrack" "early"];
+        rules = singleton "iifname { lo } accept";
+      };
+    };
+  }

modules/snippets/nnf-nixos-firewall.nix

@@ -0,0 +1,24 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-nixos-firewall;
+  localZoneName = config.networking.nftables.firewall.localZoneName;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-nixos-firewall = {
+        enable = mkEnableOption (mdDoc "the nnf-nixos-firewall firewall snippet");
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.firewall.rules.nixos-firewall = {
+        from = mkDefault "all";
+        to = [localZoneName];
+        allowedTCPPorts = config.networking.firewall.allowedTCPPorts;
+        allowedUDPPorts = config.networking.firewall.allowedUDPPorts;
+      };
+    };
+  }

modules/snippets/nnf-ssh.nix

@@ -0,0 +1,25 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.networking.nftables.firewall.snippets.nnf-ssh;
+  localZoneName = config.networking.nftables.firewall.localZoneName;
+in
+  with lib; {
+    options.networking.nftables.firewall.snippets = {
+      nnf-ssh = {
+        enable = mkEnableOption (mdDoc "the nnf-ssh firewall snippet");
+      };
+    };
+
+    config = mkIf cfg.enable {
+      networking.nftables.firewall.rules.ssh = {
+        early = true;
+        after = ["ct"];
+        from = "all";
+        to = [localZoneName];
+        allowedTCPPorts = config.services.openssh.ports;
+      };
+    };
+  }

nftables-zoned.nix → modules/zoned.nix

@@ -8,7 +8,7 @@ with dependencyDagOfSubmodule.lib.bake lib; let
   ruleTypes = ["ban" "rule" "policy"];
 in {
   imports = [
-    flakes.self.nixosModules.nftables-chains
+    flakes.self.nixosModules.chains
   ];
 
   options.networking.nftables.firewall = {