diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool
new file mode 100755
index 0000000000000..a9cb27881573f
--- /dev/null
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# vim: set tabstop=2 shiftwidth=2 expandtab:
+
+set -euo pipefail
+
+# Detect if iptables or nftables-based firewall is used.
+if [[ -e /etc/systemd/system/firewall.service ]]; then
+ BACKEND=iptables
+elif [[ -e /etc/systemd/system/nftables.service ]]; then
+ BACKEND=nftables
+else
+ echo "nixos-firewall-tool: cannot detect firewall backend" >&2
+ exit 1
+fi
+
+ip46tables() {
+ iptables -w "$@"
+ ip6tables -w "$@"
+}
+
+show_help() {
+ echo "nixos-firewall-tool
+
+A tool to temporarily manipulate the NixOS firewall
+
+Open TCP port:
+ nixos-firewall-tool open tcp 8888
+
+Open UDP port:
+ nixos-firewall-tool open udp 51820
+
+Show all firewall rules:
+ nixos-firewall-tool show
+
+Reset firewall configuration to system settings:
+ nixos-firewall-tool reset"
+}
+
+if [[ -z ${1+x} ]]; then
+ show_help
+ exit 1
+fi
+
+case $1 in
+ "open")
+ if [[ -z ${2+x} ]] || [[ -z ${3+x} ]]; then
+ show_help
+ exit 1
+ fi
+
+ protocol="$2"
+ port="$3"
+
+ case $BACKEND in
+ iptables)
+ ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+ ;;
+ nftables)
+ nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
+ ;;
+ esac
+ ;;
+ "show")
+ case $BACKEND in
+ iptables)
+ ip46tables --numeric --list nixos-fw
+ ;;
+ nftables)
+ nft list table inet nixos-fw
+ ;;
+ esac
+ ;;
+ "reset")
+ case $BACKEND in
+ iptables)
+ systemctl restart firewall.service
+ ;;
+ nftables)
+ nft flush set inet nixos-fw "temp-ports"
+ ;;
+ esac
+ ;;
+ -h|--help|help)
+ show_help
+ exit 0
+ ;;
+ *)
+ show_help
+ exit 1
+ ;;
+esac
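Review bot: The presence check added before `protocol="$2"` and `port="$3"` accepts any two strings, yet those values go straight into `nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"` and `ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept`, and both tools parse their arguments as rule syntax, so a typo is reported only by the backend's own error or, at worst, produces a rule other than the one the user meant. Since the help text, the man page and both completion files offer only `tcp`/`udp` and a single port, the tool should reject anything else before dispatching (widen the protocol list if other protocol names are intended). It is also worth a comment on `ip46tables` that under `set -e` a failing `ip6tables` call leaves the IPv4 rule already inserted, so the two backends can diverge after a partial failure. Suggested validation, placed after the two assignments:

```shell
  protocol="$2"
  port="$3"

  # Both backends parse these as rule syntax; reject anything but the
  # documented protocol names and a single port number before they get there.
  case $protocol in
    tcp|udp) ;;
    *)
      echo "nixos-firewall-tool: protocol must be tcp or udp, got '$protocol'" >&2
      exit 1
      ;;
  esac
  if ! [[ $port =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    echo "nixos-firewall-tool: port must be a number from 1 to 65535, got '$port'" >&2
    exit 1
  fi

  # … unchanged: dispatch on $BACKEND …
```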
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1 b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1
new file mode 100644
index 0000000000000..600c3f1e58eac
--- /dev/null
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1
@@ -0,0 +1,17 @@
+.TH nixos-firewall-tool 1
+.SH NAME
+nixos-firewall-tool \- a tool to temporarily manipulate the NixOS firewall
+.SH SYNOPSIS
+nixos-firewall-tool \fIsubcommand\fR
+
+Open TCP port:
+ nixos-firewall-tool open tcp 8888
+
+Open UDP port:
+ nixos-firewall-tool open udp 51820
+
+Show all firewall rules:
+ nixos-firewall-tool show
+
+Reset firewall configuration to system settings:
+ nixos-firewall-tool reset
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash
new file mode 100644
index 0000000000000..440ffeac9cf90
--- /dev/null
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash
@@ -0,0 +1,20 @@
+_nixos_firewall_tool() {
+ case "${COMP_CWORD}" in
+ 1)
+ COMPREPLY=($(compgen -W "open show reset" -- "${COMP_WORDS[1]}"))
+ ;;
+ 2)
+ case "${COMP_WORDS[1]}" in
+ "open")
+ COMPREPLY=($(compgen -W "tcp udp" -- "${COMP_WORDS[2]}"))
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+}
+
+complete -F _nixos_firewall_tool nixos-firewall-tool
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish
new file mode 100644
index 0000000000000..0cd8a61b13c88
--- /dev/null
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish
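Review bot: The word list in `COMPREPLY=($(compgen -W "open show reset" -- "${COMP_WORDS[1]}"))` omits `help`, which the script accepts alongside `-h`/`--help`; the fish completions in the next hunk have the same gap. Filling `COMPREPLY` from an unquoted `$(compgen ...)` also relies on word splitting (ShellCheck SC2207); it is harmless for these fixed words, but `mapfile -t COMPREPLY < <(compgen -W "open show reset help" -- "${COMP_WORDS[1]}")` avoids it, and the `tcp udp` line can be written the same way. The empty `*) ;;` arms add nothing, as `case` already falls through silently when no pattern matches.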
@@ -0,0 +1,5 @@
+complete -c nixos-firewall-tool -f
+complete -c nixos-firewall-tool -k -a reset -d 'Reset firewall configuration to system settings' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a show -d 'Show all firewall rules' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a open -d 'Open a port temporarily' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a "tcp udp" -n "__fish_seen_subcommand_from open && __fish_is_nth_token 2"
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh
deleted file mode 100755
index 6870277736e7c..0000000000000
--- a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Detect if iptables or nftables-based firewall is used.
-if [[ -e /etc/systemd/system/firewall.service ]]; then
- BACKEND=iptables
-elif [[ -e /etc/systemd/system/nftables.service ]]; then
- BACKEND=nftables
-else
- echo "nixos-firewall-tool: cannot detect firewall backend" >&2
- exit 1
-fi
-
-ip46tables() {
- iptables -w "$@"
- ip6tables -w "$@"
-}
-
-show_help() {
- echo "nixos-firewall-tool"
- echo ""
- echo "Can temporarily manipulate the NixOS firewall"
- echo ""
- echo "Open TCP port:"
- echo " nixos-firewall-tool open tcp 8888"
- echo ""
- echo "Show all firewall rules:"
- echo " nixos-firewall-tool show"
- echo ""
- echo "Open UDP port:"
- echo " nixos-firewall-tool open udp 51820"
- echo ""
- echo "Reset firewall configuration to system settings:"
- echo " nixos-firewall-tool reset"
-}
-
-if [[ -z ${1+x} ]]; then
- show_help
- exit 1
-fi
-
-case $1 in
- "open")
- protocol="$2"
- port="$3"
-
- case $BACKEND in
- iptables)
- ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
- ;;
- nftables)
- nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
- ;;
- esac
- ;;
- "show")
- case $BACKEND in
- iptables)
- ip46tables --numeric --list nixos-fw
- ;;
- nftables)
- nft list table inet nixos-fw
- ;;
- esac
- ;;
- "reset")
- case $BACKEND in
- iptables)
- systemctl restart firewall.service
- ;;
- nftables)
- nft flush set inet nixos-fw "temp-ports"
- ;;
- esac
- ;;
- -h|--help|help)
- show_help
- exit 0
- ;;
- *)
- show_help
- exit 1
- ;;
-esac
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/package.nix b/pkgs/by-name/ni/nixos-firewall-tool/package.nix
index eb05154124e75..73b32608e89aa 100644
--- a/pkgs/by-name/ni/nixos-firewall-tool/package.nix
+++ b/pkgs/by-name/ni/nixos-firewall-tool/package.nix
@@ -1,17 +1,50 @@
-{ writeShellApplication, lib }:
+{
+ stdenvNoCC,
+ lib,
+ bash,
+ installShellFiles,
+ shellcheck-minimal,
+}:
-writeShellApplication {
+stdenvNoCC.mkDerivation rec {
 name = "nixos-firewall-tool";
- text = builtins.readFile ./nixos-firewall-tool.sh;
+ src = lib.fileset.toSource {
+ root = ./.;
+ fileset = lib.fileset.fileFilter (file: !file.hasExt "nix") ./.;
+ };
+
+ strictDeps = true;
+ buildInputs = [ bash ];
+ nativeBuildInputs = [ installShellFiles ];
+
+ postPatch = ''
+ patchShebangs --host nixos-firewall-tool
+ '';
+
+ installPhase = ''
+ installBin nixos-firewall-tool
+ installManPage nixos-firewall-tool.1
+ installShellCompletion nixos-firewall-tool.{bash,fish}
+ '';
+
+ # Skip shellcheck if GHC is not available, see writeShellApplication.
+ doCheck =
+ lib.meta.availableOn stdenvNoCC.buildPlatform shellcheck-minimal.compiler
+ && (builtins.tryEval shellcheck-minimal.compiler.outPath).success;
+ checkPhase = ''
+ ${lib.getExe shellcheck-minimal} nixos-firewall-tool
+ '';
 meta = with lib; {
- description = "Temporarily manipulate the NixOS firewall";
+ description = "A tool to temporarily manipulate the NixOS firewall";
 license = licenses.mit;
 maintainers = with maintainers; [ clerie rvfg garyguo ];
+ platforms = platforms.linux;
+ mainProgram = "nixos-firewall-tool";
 };
}
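Review bot: The `checkPhase` lints only `nixos-firewall-tool`, so the bash completion script that `installShellCompletion` installs alongside it is never run through shellcheck; since that file has no shebang the shell has to be named, e.g. `${lib.getExe shellcheck-minimal} -s bash nixos-firewall-tool nixos-firewall-tool.bash`. The `rec` on `stdenvNoCC.mkDerivation rec {` appears unused, as no attribute in the set refers to another, and can be dropped. A short comment above `src` noting that the fileset filter excludes only `.nix` files — so any other file later added to the directory silently becomes part of the source — would help the next maintainer.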