builtins.readFile & variables in file

I’m working on migrating a nftables configuration to NixOS.

I had something like this in mind:

  networking.nftables.enable = false;
  networking.nftables.ruleset = ''
    # just a plain file
    include "/etc/nftables/wan-ip.nft";

    ${lib.strings.concatLines definedHosts}
    ${lib.strings.concatLines definedNetworks}

    table inet firewall {
      # here starts the problem
      ${lib.concatStrings (builtins.map (x: builtins.readFile x) chainFiles)}
    }
  '';

And then I have a bunch of file names defined in chainFiles. One of these is called 0014-sets.nft and looks something like this:

set if_all {
    type ifname; flags constant;
    elements = { ${lib.strings.concatStringsSep "," ifAll} }
}

ifAll is a list of strings (interface names), and I expected the above to be evaluated to elements = { foo,bar,baz }, but when debugging (having NixOS write the configuration to /etc/test) I noticed that it is not: it's printed out exactly as it's written above.

How do I make it evaluate the nix expression embedded in the file?

I asked on the Matrix channel, and understood that it's not (currently?) possible to do what I want like this. I can't have readFile read and evaluate the file like I wanted; I can import the file for that.

For this case in particular I decided to do something like this:

  environment.etc.test = {
    text = ''
      include "/etc/nixos/nftables/wan-ip.nft";
      ${lib.strings.concatLines definedHosts}
      ${lib.strings.concatLines definedNetworks}
      ${lib.strings.concatLines definedInterfaces}
      table inet firewall {
        set if_all {
          type ifname; flags constant;
          elements = { ${lib.strings.concatStringsSep "," ifAll} }
        }
        ${lib.concatStrings (builtins.map (x: builtins.readFile x) chainFiles)}
      }
    '';
  }

So now I generate nftables native variables and sets, and use them for my firewall chains. Each chain (more or less) lives in its own file.
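The import route mentioned in the reply, written out as an added example (not the poster's configuration): each chain file becomes a Nix function returning a string, so its `${...}` interpolations are evaluated, whereas `builtins.readFile` only returns the raw text. File names, the `ifAll` values and the `chainArgs` attribute set are assumptions for illustration.

```nix
# Added example, not from the post. Assumed layout: one Nix file per chain/set,
# e.g. nftables/0014-sets.nft.nix containing a function such as
#
#   { lib, ifAll, ... }:
#   ''
#     set if_all {
#         type ifname; flags constant;
#         elements = { ${lib.strings.concatStringsSep "," ifAll} }
#     }
#   ''
#
# configuration.nix fragment that renders those files into the ruleset:
{ config, lib, pkgs, ... }:
let
  ifAll = [ "foo" "bar" "baz" ];          # constructed sample interface names
  chainFiles = [
    ./nftables/0014-sets.nft.nix          # assumed file name
    # ./nftables/0020-input.nft.nix ...   # further chains, one per file
  ];
  # Values the chain files may interpolate; passed to every imported function.
  chainArgs = { inherit lib ifAll; };
  # `import f` evaluates the file as a Nix expression and calls the resulting
  # function; `builtins.readFile f` would only return its unexpanded text.
  renderedChains = lib.concatMapStrings (f: import f chainArgs) chainFiles;
in
{
  networking.nftables.enable = true;
  networking.nftables.ruleset = ''
    # plain includes are still fine for data that should stay outside Nix
    include "/etc/nftables/wan-ip.nft";

    table inet firewall {
      ${renderedChains}
    }
  '';
  # Debug aid, as the post did with /etc/test: expose the rendered ruleset
  # so `elements = { foo,bar,baz }` can be checked after a rebuild.
  environment.etc."nftables-debug.nft".text = config.networking.nftables.ruleset;
}
```

Anything interpolated into `networking.nftables.ruleset` ends up in the world-readable Nix store, so the post's `include "/etc/nftables/wan-ip.nft"` is the right place for an address that should not be copied there.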