feat: make firewall piercing conditional

modules/fs/default.nix

@@ -19,11 +19,14 @@ let
       "net.core.somaxconn" = "512";
     };
 
-    networking = {
-      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
-      firewall.allowedTCPPorts = [ 111 2049 ];
-      firewall.allowedUDPPorts = [ 111 2049 24007 24008 ];
-    };
+    networking =
+      if cfg.nfs.openFirewall then
+        {
+          firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
+          firewall.allowedTCPPorts = [ 111 2049 ];
+          firewall.allowedUDPPorts = [ 111 2049 24007 24008 ];
+        }
+      else {};
 
     environment.systemPackages = with pkgs; [
       nfs-utils
@@ -54,6 +57,15 @@ in {
 
     nfs = {
       enable = mkEnableOption "Enable nfs fileserver";
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to open the required ports in the firewall.
+        '';
+      };
+
       exports = mkOption {
         type = types.str;
         default = "";

modules/hpc/slurm.nix

@@ -63,7 +63,8 @@ let
       extraConfigPaths = [ slurmKey ];
     };
 
-    networking.firewall.allowedTCPPorts = [ 6818 ];
+    networking.firewall.allowedTCPPorts =
+      if cfg.openFirewall then [ 6818 ] else [];
 
     nixpkgs.overlays = [ slurm-ucx ];
   };
@@ -128,7 +129,8 @@ let
       # storagePass  = cfg.storagePass;
     };
 
-    networking.firewall.allowedTCPPorts = [ 6819 ];
+    networking.firewall.allowedTCPPorts =
+      if cfg.openFirewall then [ 6819 ] else [];
   };
 
   slurmClient = {
@@ -288,6 +290,14 @@ in
       default = emptyKey;
       description = ''File containing the slurm.key to be used for auth/slurm.'';
     };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to open the required ports in the firewall.
+      '';
+    };
   };
 
   config = mkIf cfg.enable (