From 178a96f99be69a173669254295d5a06732e7a906 Mon Sep 17 00:00:00 2001
From: Peter Hoeg
Date: Sun, 5 Feb 2017 15:36:41 +0800
Subject: [PATCH] firewalld: init at 0.4.4.4

Includes systemd module.
---
 nixos/modules/module-list.nix | 1 +
 .../modules/services/networking/firewalld.nix | 53 +++++++++++
 pkgs/os-specific/linux/firewalld/default.nix | 94 +++++++++++++++++++
 pkgs/top-level/all-packages.nix | 2 +
 4 files changed, 150 insertions(+)
 create mode 100644 nixos/modules/services/networking/firewalld.nix
 create mode 100644 pkgs/os-specific/linux/firewalld/default.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5e6b42dea543..1eef781a31df 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -437,6 +437,7 @@
 ./services/networking/firefox/sync-server.nix
 ./services/networking/fireqos.nix
 ./services/networking/firewall.nix
+ ./services/networking/firewalld.nix
 ./services/networking/flannel.nix
 ./services/networking/flashpolicyd.nix
 ./services/networking/freenet.nix
diff --git a/nixos/modules/services/networking/firewalld.nix b/nixos/modules/services/networking/firewalld.nix
new file mode 100644
index 000000000000..02d694af3907
--- /dev/null
+++ b/nixos/modules/services/networking/firewalld.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.networking.firewalld;
+
+in {
+ ###### interface
+
+ options = {
+ networking.firewalld = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ Whether to enable firewalld. firewalld is a high-level Linux-based packet
+ filtering framework intended for desktop use cases.
+
+ This conflicts with the standard networking firewall, so make sure to
+ disable it before using firewalld.
+ '';
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ assertions = [{
+ assertion = config.networking.firewall.enable == false;
+ message = "You can not use firewalld with services.networking.firewall.";
+ }];
+
+ environment.etc = [
+ { source = "${pkgs.firewalld}/etc/firewalld";
+ target = "firewalld"; }
+ ];
+
+ services = {
+ dbus.packages = with pkgs; [ firewalld ];
+ };
+
+ systemd = {
+ packages = with pkgs; [ firewalld ];
+
+ services.firewalld = {
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ };
+}
diff --git a/pkgs/os-specific/linux/firewalld/default.nix b/pkgs/os-specific/linux/firewalld/default.nix
new file mode 100644
index 000000000000..6b2e58038759
--- /dev/null
+++ b/pkgs/os-specific/linux/firewalld/default.nix
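Review bot: The assertion message in firewalld.nix names an option that does not exist: the condition checks `config.networking.firewall.enable`, but the text tells the user about `services.networking.firewall`, so the one actionable hint in the failure is wrong; change it to `message = "You can not use firewalld with networking.firewall; set networking.firewall.enable = false.";`. The `environment.etc` entry also links `/etc/firewalld` to a read-only store path (`${pkgs.firewalld}/etc/firewalld`); if the daemon persists `--permanent` rule changes under that directory, which I believe it does but have not confirmed against this version, those writes will fail silently from the operator's point of view, so the option description should state that only the packaged defaults are available, or the module should point the daemon at a writable directory. Finally, the option description asserts that firewalld is "intended for desktop use cases", which is an opinion rather than a property of the module; a sentence noting that no zone or service is opened by default and that the NixOS firewall must be disabled first would be more useful to whoever enables it.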
@@ -0,0 +1,94 @@
+{ stdenv, lib, fetchFromGitHub
+, autoreconfHook, docbook_xml_dtd_42, docbook_xsl, gettext, python3Packages
+, intltool, libxslt, dbus, pkgconfig, iptables, ebtables, ipset, glib, kmod
+, withKde ? true, plasma-nm ? null
+}:
+
+let
+ slip = python3Packages.buildPythonPackage rec {
+ name = "python-slip-${version}";
+ version = "0.6.4";
+
+ src = fetchFromGitHub {
+ owner = "nphilipp";
+ repo = "python-slip";
+ rev = name;
+ sha256 = "07zyxy62738dzsvifm1241k0zx5l3xl6s5yfhyn88wc59fa8p570";
+ };
+
+ doCheck = false; # no tests
+
+ buildPhase = ''
+ runHook preBuild
+ export PREFIX=$out
+ make
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ make install
+ runHook postInstall
+ '';
+
+ };
+
+in python3Packages.buildPythonApplication rec {
+ name = "firewalld-${version}";
+ version = "0.4.4.4";
+
+ src = fetchFromGitHub {
+ owner = "t-woerner";
+ repo = "firewalld";
+ rev = "v${version}";
+ sha256 = "048flfcsi3ibp124k01hhf9bnbpyi3b92jgc96fhfvw6ns2l48qc";
+ };
+
+ doCheck = false; # no tests
+
+ propagatedBuildInputs = with python3Packages; [
+ dbus
+ decorator
+ pygobject3
+ pyqt5
+ six
+ slip
+ ];
+
+ buildInputs = [
+ autoreconfHook pkgconfig
+ docbook_xml_dtd_42 docbook_xsl gettext intltool libxslt
+ dbus ebtables glib ipset iptables
+ ];
+
+ preConfigure = ''
+ patchShebangs .
+
+ substituteInPlace doc/xml/*.xml \
+ --replace "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" "${docbook_xml_dtd_42}/xml/dtd/docbook/docbookx.dtd"
+
+ substituteInPlace src/firewall-applet \
+ --replace /usr/bin/kde5-nm-connection-editor ${lib.getBin plasma-nm}/bin/kde5-nm-connection-editor
+
+ export MODINFO=${kmod}/bin/modinfo
+ export MODPROBE=${kmod}/bin/modprobe
+ export RMMOD=${kmod}/bin/rmmod
+ '';
+
+ buildPhase = ''
+ ./autogen.sh --prefix=$out
+ make
+ '';
+
+ installPhase = ''
+ make install $out
+ cp -r config/{helpers,icmptypes,ipsets,services,zones} $out/etc/firewalld
+ '';
+
+ meta = with lib; {
+ description = "A service daemon with D-Bus interface";
+ license = licenses.gpl2;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ peterhoeg ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 565b17984ced..037e133a7d0d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -12212,6 +12212,8 @@ with pkgs;
 firejail = callPackage ../os-specific/linux/firejail {};
+ firewalld = callPackage ../os-specific/linux/firewalld {};
+
 fnotifystat = callPackage ../os-specific/linux/fnotifystat { };
 forkstat = callPackage ../os-specific/linux/forkstat { };
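Review bot: `withKde` is declared in the argument set of default.nix but never read: the `substituteInPlace src/firewall-applet` step in preConfigure always expands `${lib.getBin plasma-nm}`, so `withKde = false` still pulls plasma-nm into the closure, and with the declared default `plasma-nm ? null` that `lib.getBin` call cannot succeed (under callPackage the attribute is presumably auto-filled from pkgs, so this only bites explicit overrides, but the defaults as written are inconsistent). Wrap that substitution in `lib.optionalString withKde ''...''` and add `assert withKde -> plasma-nm != null;` at the top of the expression so the failure is explicit. Separately, `make install $out` in installPhase passes the store path as a second make target rather than as a variable; since the prefix is already fixed by `./autogen.sh --prefix=$out`, `make install` alone looks to be what was intended, and running `runHook preInstall`/`postInstall` there would match the style of the `slip` derivation above. This hunk begins on the preceding source line with the header `@@ -0,0 +1,94 @@`.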