While not quite what you’re asking, you can achieve the same thing using specialisation.
Example configuration:

```nix
# configuration.nix
{ ... }: {
  imports = [
    # given below
    ./privatezone.nix
  ];
  specialisation.publiczone = {
    inheritParentConfig = true;
    configuration = { ... }: {
      # ...
      # firewall rules for publiczone
      # ...
      # you can include anything (except specialisation) that you'd put in configuration.nix
      # even imports
      # imports = [ ./publiczoneFirewall.nix ];
    };
  };
}
```

```nix
# privatezone.nix
({ config, lib, ... }: {
  # specialisation is forced to {} inside a specialisation's own configuration,
  # so this block only applies to the parent (non-specialised) system
  config = lib.mkIf (config.specialisation != {}) {
    # ...
    # firewall rules for privatezone
    # ...
    # you cannot use imports here, but other options should be fine
  };
})
```
To use specialisation publiczone, run `nixos-rebuild switch --specialisation publiczone` or `/run/current-system/specialisation/publiczone/bin/switch-to-configuration switch`.
AFAIK you can’t switch to non-specialisation without rebooting/rebuilding though.
Thanks for the solutions. @eity Specialization is something I didn’t know about. But looks like it still requires me to manually switch to a different configuration when I’m on public WiFi. Please correct me if I’m wrong.
@p4p4j0hn nixos-nftables-firewall seems to be a good option to achieve what I want. Let me dig into that.
@bitestring `networking.networkmanager.dispatcherScripts` might be another option. According to the NetworkManager-dispatcher page of the NetworkManager Reference Manual you can run some scripts. Variables like `CONNECTION_ID` are available so we could probably run some nft or iptables commands to open and close ports based on which networks we are connected to.
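As an added illustration of that dispatcher-script idea (example code, not from anyone in the thread): a script that reads `CONNECTION_ID`, decides whether the connection is in a trusted allowlist, and loads or removes a small nftables table that closes private-only ports on untrusted networks. The trusted connection names, the table name `publiczone`, the port list and the `pkgs.writeShellScript` wiring are assumptions for the example.

```shell
#!/bin/sh
# Added example (hypothetical values): NetworkManager dispatcher script.
# Wire it in with something like
#   networking.networkmanager.dispatcherScripts = [ { source = pkgs.writeShellScript "nm-zone" (builtins.readFile ./nm-zone.sh); type = "basic"; } ];
# NetworkManager runs it as: <script> <interface> <action>, with CONNECTION_ID in the
# environment (see NetworkManager-dispatcher(8)). nft and logger must be on PATH.

TRUSTED_CONNECTIONS="HomeWifi OfficeLAN"   # hypothetical NetworkManager connection ids
PRIVATE_ONLY_PORTS="22 8080"              # hypothetical ports reachable only on trusted networks

# Map a CONNECTION_ID to a zone: "private" if allow-listed, otherwise "public".
zone_for_connection() {
  conn="$1"
  for trusted in $TRUSTED_CONNECTIONS; do
    [ "$conn" = "$trusted" ] && { echo private; return 0; }
  done
  echo public
}

# Build the nftables ruleset for the public zone: a separate table hooked before
# the NixOS firewall (priority -10) that drops inbound TCP to the private-only ports.
public_zone_ruleset() {
  ports=$(echo $PRIVATE_ONLY_PORTS | tr ' ' ',')
  printf 'table inet publiczone {\n'
  printf '  chain input { type filter hook input priority -10; policy accept;\n'
  printf '    tcp dport { %s } drop\n' "$ports"
  printf '  }\n}\n'
}

# Load the public-zone table, or remove it again when back on a trusted network.
apply_zone() {
  nft delete table inet publiczone 2>/dev/null   # idempotent: ignore "no such table"
  [ "$1" = public ] && public_zone_ruleset | nft -f -
}

if [ "$#" -ge 2 ]; then
  case "$2" in
    up|vpn-up)     zone=$(zone_for_connection "${CONNECTION_ID:-}") ;;
    down|vpn-down) zone=public ;;   # fail closed whenever a connection disappears
    *)             exit 0 ;;
  esac
  logger -t nm-zone "connection '${CONNECTION_ID:-?}' on $1 ($2): applying $zone zone"
  apply_zone "$zone"
fi
```

Unlike the specialisation approach, this reacts automatically on every connection change, with the remaining risk that the decision is keyed on a connection name rather than anything the network itself proves.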