From 6ce2a3445a3262c1f59bb4c174e8b80d80072508 Mon Sep 17 00:00:00 2001 From: Gary Guo Date: Sat, 14 Dec 2024 15:45:36 +0000 Subject: [PATCH 1/4] nixos-firewall-tool: cleanup script --- .../nixos-firewall-tool.sh | 80 ++++++++++--------- 1 file changed, 43 insertions(+), 37 deletions(-) diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh index 6870277736e7c..a9cb27881573f 100755 --- a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh +++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh @@ -1,15 +1,16 @@ #!/usr/bin/env bash +# vim: set tabstop=2 shiftwidth=2 expandtab: set -euo pipefail # Detect if iptables or nftables-based firewall is used. if [[ -e /etc/systemd/system/firewall.service ]]; then - BACKEND=iptables + BACKEND=iptables elif [[ -e /etc/systemd/system/nftables.service ]]; then - BACKEND=nftables + BACKEND=nftables else - echo "nixos-firewall-tool: cannot detect firewall backend" >&2 - exit 1 + echo "nixos-firewall-tool: cannot detect firewall backend" >&2 + exit 1 fi ip46tables() { @@ -18,21 +19,21 @@ ip46tables() { } show_help() { - echo "nixos-firewall-tool" - echo "" - echo "Can temporarily manipulate the NixOS firewall" - echo "" - echo "Open TCP port:" - echo " nixos-firewall-tool open tcp 8888" - echo "" - echo "Show all firewall rules:" - echo " nixos-firewall-tool show" - echo "" - echo "Open UDP port:" - echo " nixos-firewall-tool open udp 51820" - echo "" - echo "Reset firewall configuration to system settings:" - echo " nixos-firewall-tool reset" + echo "nixos-firewall-tool + +A tool to temporarily manipulate the NixOS firewall + +Open TCP port: + nixos-firewall-tool open tcp 8888 + +Open UDP port: + nixos-firewall-tool open udp 51820 + +Show all firewall rules: + nixos-firewall-tool show + +Reset firewall configuration to system settings: + nixos-firewall-tool reset" } if [[ -z ${1+x} ]]; then 
@@ -42,36 +43,41 @@ fi case $1 in "open") + if [[ -z ${2+x} ]] || [[ -z ${3+x} ]]; then + show_help + exit 1 + fi + protocol="$2" port="$3" case $BACKEND in - iptables) - ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept - ;; - nftables) - nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }" - ;; + iptables) + ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept + ;; + nftables) + nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }" + ;; esac ;; "show") case $BACKEND in - iptables) - ip46tables --numeric --list nixos-fw - ;; - nftables) - nft list table inet nixos-fw - ;; + iptables) + ip46tables --numeric --list nixos-fw + ;; + nftables) + nft list table inet nixos-fw + ;; esac ;; "reset") case $BACKEND in - iptables) - systemctl restart firewall.service - ;; - nftables) - nft flush set inet nixos-fw "temp-ports" - ;; + iptables) + systemctl restart firewall.service + ;; + nftables) + nft flush set inet nixos-fw "temp-ports" + ;; esac ;; -h|--help|help) From 8b16f91638e9c08ce2c8a53a51d7b58c59c61f22 Mon Sep 17 00:00:00 2001 From: Gary Guo Date: Sat, 14 Dec 2024 15:53:26 +0000 Subject: [PATCH 2/4] nixos-firewall-tool: build using mkDerivation writeShellApplication doesn't really fit the tool well (evident from builtin.readFile) and it actually generates duplicate shebang lines. --- ...s-firewall-tool.sh => nixos-firewall-tool} | 0 .../ni/nixos-firewall-tool/package.nix | 39 +++++++++++++++++-- 2 files changed, 35 insertions(+), 4 deletions(-) rename pkgs/by-name/ni/nixos-firewall-tool/{nixos-firewall-tool.sh => nixos-firewall-tool} (100%) diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool similarity index 100% rename from pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh rename to pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool 
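Review bot: The guard added before `protocol="$2"` only tests that `$2` and `$3` are set (`${2+x}`), so `open "" ""` still passes it, and neither value is validated before the nftables branch interpolates them into `"{ $protocol . $port }"`, a string nft parses as ruleset syntax rather than as data (the iptables branch passes them as separate argv words and simply fails on bad input). Because the tool runs with root privileges, restricting the values to `tcp|udp` and a numeric port in 1–65535 before the backend switch turns a typo into a clear error instead of an unintended ruleset change; if service names are meant to stay accepted, widen the port pattern accordingly — the help text only shows numbers. The usage failure should also go to stderr, `show_help >&2` before `exit 1`, leaving stdout for the explicit `help` subcommand. The enclosing `case $1 in` continues past `-h|--help|help)` outside the hunk.
```shell
  "open")
    if [[ -z ${2:-} || -z ${3:-} ]]; then
      show_help >&2
      exit 1
    fi

    protocol="$2"
    port="$3"
    # nft reads the whole "{ $protocol . $port }" string as ruleset syntax,
    # so only accept the values the help text documents.
    case $protocol in
      tcp|udp) ;;
      *)
        echo "nixos-firewall-tool: protocol must be tcp or udp" >&2
        exit 1
        ;;
    esac
    if [[ ! $port =~ ^[0-9]{1,5}$ ]] || (( port < 1 || port > 65535 )); then
      echo "nixos-firewall-tool: port must be a number between 1 and 65535" >&2
      exit 1
    fi
    # … unchanged: case $BACKEND in … esac …
    ;;
```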
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/package.nix b/pkgs/by-name/ni/nixos-firewall-tool/package.nix index eb05154124e75..eda737f0f98da 100644 --- a/pkgs/by-name/ni/nixos-firewall-tool/package.nix +++ b/pkgs/by-name/ni/nixos-firewall-tool/package.nix @@ -1,17 +1,48 @@ -{ writeShellApplication, lib }: +{ + stdenvNoCC, + lib, + bash, + installShellFiles, + shellcheck-minimal, +}: -writeShellApplication { +stdenvNoCC.mkDerivation rec { name = "nixos-firewall-tool"; - text = builtins.readFile ./nixos-firewall-tool.sh; + src = lib.fileset.toSource { + root = ./.; + fileset = lib.fileset.fileFilter (file: !file.hasExt "nix") ./.; + }; + + strictDeps = true; + buildInputs = [ bash ]; + nativeBuildInputs = [ installShellFiles ]; + + postPatch = '' + patchShebangs --host nixos-firewall-tool + ''; + + installPhase = '' + installBin nixos-firewall-tool + ''; + + # Skip shellcheck if GHC is not available, see writeShellApplication. + doCheck = + lib.meta.availableOn stdenvNoCC.buildPlatform shellcheck-minimal.compiler + && (builtins.tryEval shellcheck-minimal.compiler.outPath).success; + checkPhase = '' + ${lib.getExe shellcheck-minimal} nixos-firewall-tool + ''; meta = with lib; { - description = "Temporarily manipulate the NixOS firewall"; + description = "A tool to temporarily manipulate the NixOS firewall"; license = licenses.mit; maintainers = with maintainers; [ clerie rvfg garyguo ]; + platforms = platforms.linux; + mainProgram = "nixos-firewall-tool"; }; } From d9fd3dce7ab14dadcd6baa4b5a0eabd8d711e5e3 Mon Sep 17 00:00:00 2001 
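Review bot: `description` is changed from `"Temporarily manipulate the NixOS firewall"` to a sentence starting with the article "A tool to …", which goes against the nixpkgs meta.description convention (no leading article); keeping the original wording is the smaller change. `rec` on `stdenvNoCC.mkDerivation rec {` also appears unused — no attribute in the set refers to another — so it can be dropped. Both are wording and style points; the build logic (patchShebangs --host on the script, shellcheck gated on an available compiler) reads fine.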
From: Gary Guo
Date: Sat, 14 Dec 2024 15:56:32 +0000
Subject: [PATCH 3/4] nixos-firewall-tool: add shell completions for bash and fish
---
 .../nixos-firewall-tool.bash | 20 +++++++++++++++++++
 .../nixos-firewall-tool.fish | 5 +++++
 .../ni/nixos-firewall-tool/package.nix | 1 +
 3 files changed, 26 insertions(+)
 create mode 100644 pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash
 create mode 100644 pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash
new file mode 100644
index 0000000000000..440ffeac9cf90
--- /dev/null
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash
@@ -0,0 +1,20 @@
+_nixos_firewall_tool() {
+ case "${COMP_CWORD}" in
+ 1)
+ COMPREPLY=($(compgen -W "open show reset" -- "${COMP_WORDS[1]}"))
+ ;;
+ 2)
+ case "${COMP_WORDS[1]}" in
+ "open")
+ COMPREPLY=($(compgen -W "tcp udp" -- "${COMP_WORDS[2]}"))
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+}
+
+complete -F _nixos_firewall_tool nixos-firewall-tool
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish
new file mode 100644
index 0000000000000..0cd8a61b13c88
--- /dev/null
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish
@@ -0,0 +1,5 @@
+complete -c nixos-firewall-tool -f
+complete -c nixos-firewall-tool -k -a reset -d 'Reset firewall configuration to system settings' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a show -d 'Show all firewall rules' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a open -d 'Open a port temporarily' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a "tcp udp" -n "__fish_seen_subcommand_from open && __fish_is_nth_token 2"
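Review bot: `COMPREPLY=($(compgen -W "open show reset" -- "${COMP_WORDS[1]}"))` relies on word-splitting an unquoted command substitution, which ShellCheck reports as SC2207, and the derivation's checkPhase lints only the main script, so this file is not covered. The candidates here are fixed single words, so the idiom is safe in practice, but `mapfile -t COMPREPLY < <(compgen -W "open show reset" -- "${COMP_WORDS[1]}")` (and the same form for the `tcp udp` line) avoids the warning and keeps the file clean if the lint is later extended to it. The empty `*) ;;` arms can be dropped, since `case` does nothing when no pattern matches.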
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/package.nix b/pkgs/by-name/ni/nixos-firewall-tool/package.nix index eda737f0f98da..6e9f931403fd7 100644 --- a/pkgs/by-name/ni/nixos-firewall-tool/package.nix +++ b/pkgs/by-name/ni/nixos-firewall-tool/package.nix @@ -24,6 +24,7 @@ stdenvNoCC.mkDerivation rec { installPhase = '' installBin nixos-firewall-tool + installShellCompletion nixos-firewall-tool.{bash,fish} ''; # Skip shellcheck if GHC is not available, see writeShellApplication. From d57da575efbaa47615a615f138e9a0d2f6e9233c Mon Sep 17 00:00:00 2001 From: Gary Guo Date: Sat, 14 Dec 2024 15:58:09 +0000 Subject: [PATCH 4/4] nixos-firewall-tool: add man page --- .../nixos-firewall-tool/nixos-firewall-tool.1 | 17 +++++++++++++++++ pkgs/by-name/ni/nixos-firewall-tool/package.nix | 1 + 2 files changed, 18 insertions(+) create mode 100644 pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1 diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1 b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1 new file mode 100644 index 0000000000000..600c3f1e58eac --- /dev/null +++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1 @@ -0,0 +1,17 @@ +.TH nixos-firewall-tool 1 +.SH NAME +nixos-firewall-tool \- a tool to temporarily manipulate the NixOS firewall +.SH SYNOPSIS +nixos-firewall-tool \fIsubcommand\fR + +Open TCP port: + nixos-firewall-tool open tcp 8888 + +Open UDP port: + nixos-firewall-tool open udp 51820 + +Show all firewall rules: + nixos-firewall-tool show + +Reset firewall configuration to system settings: + nixos-firewall-tool reset diff --git a/pkgs/by-name/ni/nixos-firewall-tool/package.nix b/pkgs/by-name/ni/nixos-firewall-tool/package.nix index 6e9f931403fd7..73b32608e89aa 100644 --- a/pkgs/by-name/ni/nixos-firewall-tool/package.nix +++ b/pkgs/by-name/ni/nixos-firewall-tool/package.nix 
@@ -24,6 +24,7 @@ stdenvNoCC.mkDerivation rec { installPhase = '' installBin nixos-firewall-tool + installManPage nixos-firewall-tool.1 installShellCompletion nixos-firewall-tool.{bash,fish} '';