Make nixos-firewall-tool dependency configurable

[b2ag]

Issue description

The nixos/firewall for iptables depends on nixos-firewall-tool. Not by default as commit linked below says, but mandatory as it's not possible/recommended to remove packages from systemPackages.

Doesn't sound like a big deal until you need to cross-compile two extra versions of LLVM because of that. I didn't even new this tool existed before tracking down exzessiv LLVM compile times. I'm good with using iptables directly.

Feature request

Make nixos-firewall-tool dependency configurable for nixos/firewall for iptables.

Technical details

fa9cdc8

It's not obvious to me why it depends on LLVM in this way, but it's something like ShellCheck -> two versions of ghc -> two versions of LLVM.

[ThinkChaos]

Ping @Janik-Haag

[skeuchel]

The other option is to replace writeShellApplication with writeShellScriptBin in

nixpkgs/pkgs/by-name/ni/nixos-firewall-tool/package.nix

Line 3 in e9c53bd

writeShellApplication {

to remove the build dependency on shellcheck, and rely on something like #353490 instead. It would not remove the dependency, just make it cheaper to build. Also not clear why it would build shellcheck even in a cross-compile scenario. It should come from the nativeBuildInputs.

[b2ag]

I went with the QEMU "my system looks like it speaks ARM even if x86" route. So the whole build process runs through QEMU I guess.

https://nixos.wiki/wiki/NixOS_on_ARM#Compiling_through_binfmt_QEMU