hacc/haccfiles
8
0
Fork 1
Code Issues 1 Pull requests Projects Releases Wiki Activity

render nftnat's extraConfig

Browse source 
this removes usage of the nftnat module by rendering it into a static
nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is
concerned, hence the slightly off-putting whitespace of the multi-line
string.

This seems to me to be a better approach than just bundling the module,
since we only use it for two things (giving the containers network
access & forwarding port 22 to forgejo), which to me doesn't press for
using a custom module we can't really maintain on our own.
This commit is contained in:
stuebinm 2024-02-12 18:17:59 +01:00
parent 0140b7a9fb
commit 0f678c5e80
3 changed files with 32 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
parsons/configuration.nix
View file

@ -6,8 +6,8 @@
./hardware.nix ./hardware.nix
modules.encboot modules.encboot
modules.network.nftables modules.network.nftables
modules.nftnat
modules.nopersist modules.nopersist
./nftables.nix
./nextcloud.nix ./nextcloud.nix
./mattermost.nix ./mattermost.nix
./murmur.nix ./murmur.nix
@ -40,9 +40,6 @@
networking.hostId = "b2867696"; networking.hostId = "b2867696";
networking.useDHCP = true; networking.useDHCP = true;
networking.nftables.enable = true; networking.nftables.enable = true;
hexchen.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "enp35s0";
networking.hostName = "parsons"; networking.hostName = "parsons";

5
parsons/forgejo.nix
View file

@ -96,9 +96,4 @@
proxyPass = "http://${config.containers.gitea.localAddress}:3000"; proxyPass = "http://${config.containers.gitea.localAddress}:3000";
}; };
}; };
hexchen.nftables.nat.forwardPorts = [{
ports = [ 22 ];
destination = "${config.containers.gitea.localAddress}:22";
proto = "tcp";
}];
} }

31
parsons/nftables.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
{
networking.nat.enable = false;
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv4.conf.default.forwarding" = true;
};
};
networking.nftables = {
enable = true;
extraConfig = ''
table ip nat {
chain prerouting {
type nat hook prerouting priority -100
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
}
chain postrouting {
type nat hook postrouting priority 100
iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
}
}
'';
};
}