From f0f5434eaad8efb46496b9e113c8cd1a872665a2 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sun, 26 Jul 2009 21:27:35 +0000
Subject: [PATCH] * Add an option to enable the firewall. It should eventually be enabled by default.

svn path=/nixos/branches/modular-nixos/; revision=16464
---
 modules/module-list.nix                  |  3 ++-
 modules/services/networking/firewall.nix | 21 +++++++++++++++++----
 modules/services/networking/ssh/sshd.nix |  4 +---
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/modules/module-list.nix b/modules/module-list.nix
index 429bcfcf1b8..cd37d967066 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -53,6 +53,7 @@
   ./services/networking/dhclient.nix
   ./services/networking/dhcpd.nix
   ./services/networking/ejabberd.nix
+  ./services/networking/firewall.nix
   ./services/networking/gnunet.nix
   ./services/networking/gw6c.nix
   ./services/networking/ifplugd.nix
@@ -81,9 +82,9 @@
   ./services/x11/xserver/default.nix
   ./services/x11/xserver/desktop-managers/default.nix
   ./services/x11/xserver/desktop-managers/gnome.nix
-  ./services/x11/xserver/desktop-managers/kde4.nix
   ./services/x11/xserver/desktop-managers/kde-environment.nix
   ./services/x11/xserver/desktop-managers/kde.nix
+  ./services/x11/xserver/desktop-managers/kde4.nix
   ./services/x11/xserver/desktop-managers/none.nix
   ./services/x11/xserver/desktop-managers/xterm.nix
   ./services/x11/xserver/display-managers/default.nix
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index a6a5f8fec2b..ef6b3a94472 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -12,6 +12,14 @@ in
 
   options = {
 
+    networking.firewall.enable = pkgs.lib.mkOption {
+      default = false;
+      description =
+        ''
+          Whether to enable the firewall.
+        '';
+    };
+
     networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
       default = [];
       example = [22 80];
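Review bot: The description of the new `networking.firewall.enable` option does not say what it means for the other firewall options; the implementation hunk wraps the entire `config` in `pkgs.lib.mkIf config.networking.firewall.enable`, so presumably `networking.firewall.allowedTCPPorts` (and any other option consumed in that block) has no effect while this stays at its default of false, which a reader of the option listing alone will not expect. Suggest `Whether to enable the firewall.  When false, no packet filtering is set up at all and networking.firewall.allowedTCPPorts has no effect.` The `options` set that this hunk opens continues past the end of the hunk.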
@@ -27,14 +35,21 @@ in
 
 
   ###### implementation
-
-  config = {
+
+  # !!! Maybe if `enable' is false, the firewall should still be built
+  # but not started by default.  However, currently nixos-rebuild
+  # doesn't deal with such Upstart jobs properly (it starts them if
+  # they are changed, regardless of whether the start condition
+  # holds).
+  config = pkgs.lib.mkIf config.networking.firewall.enable {
 
     environment.systemPackages = [pkgs.iptables];
 
     jobs = pkgs.lib.singleton {
       name = "firewall";
 
+      startOn = "network-interfaces/started";
+
       preStart =
         ''
           ${iptables} -F
@@ -63,8 +78,6 @@ in
         '';
     };
 
-    networking.firewall.allowedTCPPorts = [22];
-
   };
 
 }
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 95b78d69445..ca072e92084 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -131,9 +131,7 @@ in
       exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}";
     };
 
-    # !!! This barfs because of the mkIf ("value is a list while an
-    #attribute set was expected") :-(
-    #networking.firewall.allowedTCPPorts = [22];
+    networking.firewall.allowedTCPPorts = [22];
 
   };
 
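Review bot: The new `mkIf` on `config` has a consequence the `# !!!` comment does not mention: when `networking.firewall.enable` is switched from true to false, the whole job (including the `${iptables} -F` in `preStart`) disappears from the new generation, so, as far as this hunk shows, the rules loaded by the previous generation stay in the kernel until something else flushes them or the machine reboots. That is the opposite of what a user disabling the firewall expects and is worth stating next to the comment, e.g. `# Note that disabling the firewall does not flush the rules of a previous generation; they stay in place until reboot.` The added `startOn = "network-interfaces/started"` also means the interfaces are up before the rules in `preStart` are applied, so there is an unfiltered window on every start; if that is accepted for now, say so in the same comment. The `config` block and the `preStart` script continue past the end of the hunk.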
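Review bot: The added `networking.firewall.allowedTCPPorts = [22];` hard-codes the port rather than following whatever port sshd is configured to listen on, so if this module exposes (or later gains) a port option, the firewall will open 22 while sshd listens elsewhere, or leave the configured port closed; the rule should reference that option instead of the literal 22. The removed comment explained why the line used to fail, but nothing explains why it works now (presumably because `firewall.nix` is now in `module-list.nix` and therefore declares the option); a one-line comment such as `# Open the SSH port in the firewall when it is enabled (see firewall.nix).` would keep that history readable. Whether this line is itself under a `mkIf` for the sshd service is not visible from the hunk.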