From caa59bf50a430d2ba18ff4d428c267561b686072 Mon Sep 17 00:00:00 2001
From: Sizhe Zhao
Date: Sun, 22 Jun 2025 14:54:51 +0800
Subject: [PATCH] networking.applicationFirewall: init
---
 modules/module-list.nix | 1 +
 modules/networking/applicationFirewall.nix | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 modules/networking/applicationFirewall.nix
diff --git a/modules/module-list.nix b/modules/module-list.nix
index e31cf24..79c877c 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -49,6 +49,7 @@
 ./system/version.nix
 ./time
 ./networking
+ ./networking/applicationFirewall.nix
 ./nix
 ./nix/linux-builder.nix
 ./nix/nix-darwin.nix
diff --git a/modules/networking/applicationFirewall.nix b/modules/networking/applicationFirewall.nix
new file mode 100644
index 0000000..fc23121
--- /dev/null
+++ b/modules/networking/applicationFirewall.nix
@@ -0,0 +1,48 @@
+{ config, lib, ... }:
+let
+ cfg = config.networking.applicationFirewall;
+
+ socketfilterfw =
+ option: value:
+ lib.concatStringsSep " " [
+ "/usr/libexec/ApplicationFirewall/socketfilterfw"
+ "--${option}"
+ (if value then "on" else "off")
+ ];
+in
+{
+ meta.maintainers = [
+ (lib.maintainers.prince213 or "prince213")
+ ];
+
+ options.networking.applicationFirewall = {
+ enable = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ example = true;
+ description = "Whether to enable application firewall.";
+ };
+ blockAllIncoming = lib.mkEnableOption "blocking all incoming connections";
+ allowSigned = lib.mkEnableOption "built-in software to receive incoming connections" // {
+ default = true;
+ };
+ allowSignedApp =
+ lib.mkEnableOption "downloaded signed software to receive incoming connections"
+ // {
+ default = true;
+ };
+ enableStealthMode = lib.mkEnableOption "stealth mode";
+ };
+
+ config = {
+ system.activationScripts.networking.text = ''
+ echo "configuring application firewall..." >&2
+
+ ${lib.optionalString (cfg.enable != null) (socketfilterfw "setglobalstate" cfg.enable)}
+ ${lib.optionalString (cfg.enable == true) (socketfilterfw "setblockall" cfg.blockAllIncoming)}
+ ${socketfilterfw "setallowsigned" cfg.allowSigned}
+ ${socketfilterfw "setallowsignedapp" cfg.allowSignedApp}
+ ${socketfilterfw "setstealthmode" cfg.enableStealthMode}
+ '';
+ };
+}
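Review bot: The last three `socketfilterfw` lines of the activation script run unconditionally, so once this module is in module-list every activation forces `setallowsigned on`, `setallowsignedapp on` and `setstealthmode off` even when `networking.applicationFirewall.enable` is left at its `null` default, silently reverting a firewall the user hardened outside nix-darwin; only `setglobalstate` and `setblockall` are gated on `cfg.enable`. Gate them the same way, e.g. `${lib.optionalString (cfg.enable != null) (socketfilterfw "setallowsigned" cfg.allowSigned)}` (likewise for `setallowsignedapp` and `setstealthmode`), so that `null` really means "not managed". The `enable` option description should state that contract, e.g. `description = "Whether to enable application firewall. Leave at null to not manage the firewall configuration.";`. Note also that `blockAllIncoming = true` is silently ignored unless `enable` is `true`; an assertion or a sentence in its description would make that visible to users.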