render nftnat's extraConfig

this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't press for using a custom module we can't really maintain on our own.
2024-02-12 18:17:59 +01:00 · 2024-02-12 18:17:59 +01:00 · 0f678c5e80
commit 0f678c5e80
parent 0140b7a9fb
3 changed files with 32 additions and 9 deletions
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@ -6,8 +6,8 @@
    ./hardware.nix
    modules.encboot
    modules.network.nftables
-    modules.nftnat
    modules.nopersist
+    ./nftables.nix
    ./nextcloud.nix
    ./mattermost.nix
    ./murmur.nix
@ -40,9 +40,6 @@
  networking.hostId = "b2867696";
  networking.useDHCP = true;
  networking.nftables.enable = true;
-  hexchen.nftables.nat.enable = true;
-  networking.nat.internalInterfaces = ["ve-+"];
-  networking.nat.externalInterface = "enp35s0";

  networking.hostName = "parsons";

--- a/parsons/forgejo.nix
+++ b/parsons/forgejo.nix
@ -96,9 +96,4 @@
      proxyPass = "http://${config.containers.gitea.localAddress}:3000";
    };
  };
-  hexchen.nftables.nat.forwardPorts = [{
-    ports = [ 22 ];
-    destination = "${config.containers.gitea.localAddress}:22";
-    proto = "tcp";
-  }];
 }
--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.nat.enable = false;
+    boot = {
+      kernelModules = [ "nf_nat_ftp" ];
+      kernel.sysctl = {
+        "net.ipv4.conf.all.forwarding" =  true;
+        "net.ipv4.conf.default.forwarding" = true;
+      };
+    };
+
+    networking.nftables = {
+      enable = true;
+
+      extraConfig = ''
+table ip nat {
+  chain prerouting {
+    type nat hook prerouting priority -100
+    iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
+  }
+  chain postrouting {
+    type nat hook postrouting priority 100
+    iifname lxcbr0 oifname enp35s0 masquerade
+iifname ve-* oifname enp35s0 masquerade
+    
+  }
+}
+      '';
+    };
+}