How can I append a port to allowedTCPPorts?

Instead of defining allowedTCPPorts in one place, I’d like to add ports to it in multiple places in the configuration.nix file, so that I add ports next to their services, so that it’s easier to read.

How can I append a port to allowedTCPPorts?:wink:

2 Likes

You can just set them, if they’re in separate modules, and the module system will take care of concatenating them for you.

In the same module (i.e. a single configuration.nix file) you’ll need to assemble the list from parts. This isn’t particularly simple, at least not in the way you might be thinking of from other languages, because of the way nix works (bindings aren’t mutable). There are ways to do it, but it ends up with more syntax that maybe obscures the intent.

So, the actual answer is maybe to think about structure more broadly, and:

  • in some cases, look for services.* or programs.* modules that will enable the firewall for you, rather than just adding the package and manual config
  • look to split up your config into smaller modules that are self-contained to the one subject for all aspects, not just firewall ports.
1 Like

@famadorian adding to the info of @uep , I for instance have split out most specific config items (e.g. services.) to one or more external nix files that are in configuration.nix’s imports = [ ... ]. In one such file that uses a module that doesn’t handle firewall ports, like services.nomad, I then put networking.firewall.interfaces."wg_nomad" = { allowedTCPPorts = [ ... ]; ... }; in there. Due to nix’s module attribute auto-merging behaviour, this should bring a convenient UX/DX:

  1. it refers to an interface and will give you build time errors if your config is inconsistent
  2. if you switch off the service by not importing it from configuration.nix your firewall will automatically be adapted as well
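Here is a worked layout of what both answers above describe, written as an added example (not code from either poster): a configuration.nix that imports one small module per service, with each module declaring its own service and the firewall ports it needs, so the module system concatenates the lists. It also shows the same-file variant, where each fragment is wrapped as an inline attribute-set module in imports. The file names, the Nomad port numbers and the wg_nomad interface are assumptions for illustration.

```nix
# configuration.nix (added example; file names and ports are assumed)
{ config, pkgs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./web.nix      # opens 80/443 next to nginx
    ./nomad.nix    # opens Nomad ports only on the wg_nomad interface
  ];

  networking.firewall.enable = true;

  # Modules that know their own ports (openssh here) open them themselves
  # through openFirewall, so nothing needs to be listed by hand for them.
  services.openssh.enable = true;
}

# web.nix: service and its ports live together, so removing this file from
# imports above also removes the ports from the firewall.
{ ... }:
{
  services.nginx.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}

# nomad.nix: ports scoped to one interface; a typo in the interface name is
# caught at evaluation time rather than silently opening the wrong thing.
{ ... }:
{
  services.nomad.enable = true;
  networking.firewall.interfaces."wg_nomad".allowedTCPPorts = [ 4646 4647 4648 ];
}

# Same-file alternative: inline modules in imports are merged exactly like
# separate files, so ports can sit next to their service in one file.
{ ... }:
{
  imports = [
    { services.nginx.enable = true;
      networking.firewall.allowedTCPPorts = [ 80 443 ]; }
    { services.grafana.enable = true;
      networking.firewall.allowedTCPPorts = [ 3000 ]; }
  ];
}
```

After rebuilding, `nixos-option networking.firewall.allowedTCPPorts` shows the merged list, which is a quick way to confirm that only the ports belonging to currently imported modules are open.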

Yeah, sorry, forgot to say thanks and mark it as solved, here; thanks again;)

1 Like