From 0f678c5e8014dc3b7ee0a6a18d07e0819062a4a6 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 12 Feb 2024 18:17:59 +0100
Subject: [PATCH] render nftnat's extraConfig

this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't press for using a custom module we can't really maintain on our own.
---
 parsons/configuration.nix | 5 +----
 parsons/forgejo.nix | 5 -----
 parsons/nftables.nix | 31 +++++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 9 deletions(-)
 create mode 100644 parsons/nftables.nix

diff --git a/parsons/configuration.nix b/parsons/configuration.nix
index aea3587..6cd72ed 100644
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@@ -6,8 +6,8 @@
 ./hardware.nix
 modules.encboot
 modules.network.nftables
- modules.nftnat
 modules.nopersist
+ ./nftables.nix
 ./nextcloud.nix
 ./mattermost.nix
 ./murmur.nix
@@ -40,9 +40,6 @@
 networking.hostId = "b2867696";
 networking.useDHCP = true;
 networking.nftables.enable = true;
- hexchen.nftables.nat.enable = true;
- networking.nat.internalInterfaces = ["ve-+"];
- networking.nat.externalInterface = "enp35s0";
 networking.hostName = "parsons";
diff --git a/parsons/forgejo.nix b/parsons/forgejo.nix
index 5787f79..001bd63 100644
--- a/parsons/forgejo.nix
+++ b/parsons/forgejo.nix
@@ -96,9 +96,4 @@
 proxyPass = "http://${config.containers.gitea.localAddress}:3000";
 };
 };
- hexchen.nftables.nat.forwardPorts = [{
- ports = [ 22 ];
- destination = "${config.containers.gitea.localAddress}:22";
- proto = "tcp";
- }];
 }
diff --git a/parsons/nftables.nix b/parsons/nftables.nix
new file mode 100644
index 0000000..c2cd19d
--- /dev/null 
+++ b/parsons/nftables.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.nat.enable = false;
+ boot = {
+ kernelModules = [ "nf_nat_ftp" ];
+ kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ };
+ };
+
+ networking.nftables = {
+ enable = true;
+
+ extraConfig = ''
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority -100
+ iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100
+ iifname lxcbr0 oifname enp35s0 masquerade
+iifname ve-* oifname enp35s0 masquerade
+
+ }
+}
+ '';
+ };
+}
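Review bot: `kernelModules = [ "nf_nat_ftp" ]` loads the FTP conntrack/NAT helper, yet nothing in this file or in the commit message uses FTP — the two stated purposes are container masquerading and the port-22 DNAT — so it looks like a leftover from rendering the nftnat module; conntrack ALGs are a well-known firewall-bypass surface and on current kernels the helper is inert anyway unless a `ct helper` rule assigns it, so drop the line unless an FTP service behind this NAT is actually intended. The prerouting rule `iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22` captures every inbound TCP/22 on the external interface, host administration SSH included; that matches what the removed forwardPorts entry did, but now that it is a hand-written rule it should carry a comment such as `# all inbound TCP/22 on enp35s0 is handed to the gitea container; host sshd must listen on another port`. The sysctl block turns on IPv4 forwarding for all interfaces while no filter-table forward chain is visible in this file — presumably `modules.network.nftables` (still imported in configuration.nix) supplies it, which is worth confirming so that traffic from the `ve-*` containers is not forwarded unrestricted. The `lxcbr0` masquerade rule had no counterpart in the removed `internalInterfaces = ["ve-+"]`; if this host has no lxc bridge it should go as well, and `lib` and `pkgs` in the module arguments are unused.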