## Copyright (C) 2015 Jason Mehring <nrgaway@gmail.com>
## Copyright (C) 2015 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## License: GPL-2+

#### meta start
#### project Whonix
#### category networking and firewall
#### description
## Runs <code>/usr/libexec/whonix-firewall/enable-firewall</code>.
##
## On Whonix-Gateway or Whonix-Workstation (if
## <code>/usr/share/anon-gw-base-files/gateway</code> or
## <code>/usr/share/anon-ws-base-files/workstation</code> exists),
## loads Whonix Firewall.
##
## (Does nothing inside Qubes TemplateVMs.)
##
## If loading Whonix Firewall fails, creates
## <code>/run/anon-firewall/failed.status</code>.
#### meta end

[Unit]
Description=Whonix firewall loader
Documentation=https://www.whonix.org/wiki/Whonix_Firewall

DefaultDependencies=no

Before=network-pre.target
Wants=network-pre.target

## Preventing race condition with
## /etc/xdg/autostart/qubes-whonixsetup.desktop.
## TODO: performance
## Not the most efficient / clean solution.
## https://forums.whonix.org/t/fix-etc-xdg-autostart-vs-systemd-race-condition/18979
Before=qubes-gui-agent.service

## For /etc/whonix_firewall.d and Qubes /rw/whonix_firewall.d.
After=local-fs.target

## Why is this needed?
After=qubes-mount-dirs.service

## Legacy.
After=qubes-mount-home.service

## For /run/qubes/this-is-* files.
After=qubes-sysinit.target

## LKRG.
After=systemd-modules-load.service

Before=shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/whonix-firewall/enable-firewall

[Install]
WantedBy=sysinit.target

## Legacy.
Alias=qubes-whonix-firewall.service