networking.applicationFirewall: init

modules/module-list.nix

@@ -49,6 +49,7 @@
   ./system/version.nix
   ./time
   ./networking
+  ./networking/applicationFirewall.nix
   ./nix
   ./nix/linux-builder.nix
   ./nix/nix-darwin.nix

modules/networking/applicationFirewall.nix

@@ -0,0 +1,48 @@
+{ config, lib, ... }:
+let
+  cfg = config.networking.applicationFirewall;
+
+  socketfilterfw =
+    option: value:
+    lib.concatStringsSep " " [
+      "/usr/libexec/ApplicationFirewall/socketfilterfw"
+      "--${option}"
+      (if value then "on" else "off")
+    ];
+in
+{
+  meta.maintainers = [
+    (lib.maintainers.prince213 or "prince213")
+  ];
+
+  options.networking.applicationFirewall = {
+    enable = lib.mkOption {
+      type = lib.types.nullOr lib.types.bool;
+      default = null;
+      example = true;
+      description = "Whether to enable application firewall.";
+    };
+    blockAllIncoming = lib.mkEnableOption "blocking all incoming connections";
+    allowSigned = lib.mkEnableOption "built-in software to receive incoming connections" // {
+      default = true;
+    };
+    allowSignedApp =
+      lib.mkEnableOption "downloaded signed software to receive incoming connections"
+      // {
+        default = true;
+      };
+    enableStealthMode = lib.mkEnableOption "stealth mode";
+  };
+
+  config = {
+    system.activationScripts.networking.text = ''
+      echo "configuring application firewall..." >&2
+
+      ${lib.optionalString (cfg.enable != null) (socketfilterfw "setglobalstate" cfg.enable)}
+      ${lib.optionalString (cfg.enable == true) (socketfilterfw "setblockall" cfg.blockAllIncoming)}
+      ${socketfilterfw "setallowsigned" cfg.allowSigned}
+      ${socketfilterfw "setallowsignedapp" cfg.allowSignedApp}
+      ${socketfilterfw "setstealthmode" cfg.enableStealthMode}
+    '';
+  };
+}