nixos-config/machines/shinobu/services/router/nft.nix


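# NixOS module that enables nftables and builds its ruleset from two parts:
#   1. one `define CFG_<path> = <value>` line per leaf of ./common.nix
#   2. an `include` of the hand-written ./rules.nft, which can refer to those
#      definitions as $CFG_...
{ config, lib, ... }:
let
  # Shared router settings. Every leaf value in this attrset ends up verbatim
  # in the firewall ruleset, so treat the file as part of the ruleset itself.
  cfg = import ./common.nix;

  # Collect the leaf values of a (possibly nested) attrset into one flat list.
  flattenAttrValues = attrs:
    lib.flatten (map (v: if lib.isAttrs v then flattenAttrValues v else v) (lib.attrValues attrs));

  # Renders `<key> = <value>` with nftables-style value syntax.
  mkKeyValue = lib.generators.mkKeyValueDefault
    rec {
      # specifies the generated string for a subset of nix values
      mkValueString = v:
        if lib.isString v then
          # The value is written as-is between double quotes. An embedded
          # quote would close the string early and the remainder would be
          # parsed as ruleset text, so refuse it at evaluation time instead
          # of producing a ruleset that differs from what was intended.
          if lib.hasInfix "\"" v
          then throw "nft.nix: string value ${builtins.toJSON v} contains a double quote and cannot be emitted as an nftables define"
          else ''"${v}"''
        # Lists become nftables set literals: { a, b, c }
        else if lib.isList v then ''{ ${lib.concatMapStringsSep ", " mkValueString v} }''
        # Everything else (ints, bools, ...) uses the nixpkgs default rendering.
        else lib.generators.mkValueStringDefault { } v;
    } " = ";

  # One `define` line per leaf of cfg. The attribute path is joined with "_"
  # and prefixed with CFG_, e.g. cfg.a.b -> CFG_a_b.
  # NOTE(review): distinct paths can collapse to the same name (a.b_c and
  # a_b.c both give CFG_a_b_c); keep attribute names in common.nix free of
  # that ambiguity.
  defines = lib.concatStringsSep
    "\n"
    (flattenAttrValues
      (lib.mapAttrsRecursive
        (path: value: "define " + (mkKeyValue ''CFG_${lib.concatStringsSep "_" path}'' value))
        cfg));
in
{
  networking.nftables = {
    enable = true;
    # Interpolating the path copies rules.nft into the Nix store, where it is
    # world-readable; keep secrets out of that file.
    ruleset = ''
      ${defines}
      include "${./rules.nft}"
    '';
  };
}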