stuebinm
0f678c5e80
this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't justify using a custom module we can't really maintain on our own.
31 lines
679 B
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
networking.nat.enable = false;
|
|
boot = {
|
|
kernelModules = [ "nf_nat_ftp" ];
|
|
kernel.sysctl = {
|
|
"net.ipv4.conf.all.forwarding" = true;
|
|
"net.ipv4.conf.default.forwarding" = true;
|
|
};
|
|
};
|
|
|
|
networking.nftables = {
|
|
enable = true;
|
|
|
|
extraConfig = ''
|
|
table ip nat {
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100
|
|
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
|
|
}
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100
|
|
iifname lxcbr0 oifname enp35s0 masquerade
|
|
iifname ve-* oifname enp35s0 masquerade
|
|
|
|
}
|
|
}
|
|
'';
|
|
};
|
|
}
|
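Review bot: The prerouting rule on the `iifname enp35s0 tcp dport { 22 }` line redirects every inbound TCP/22 arriving on enp35s0 to the container, and nothing in the file records where the host's own sshd is expected to remain reachable, so a reader of the nftables string cannot tell whether a host lock-out on that interface is intended. A one-line comment above the rule, e.g. `# all TCP/22 on enp35s0 goes to the forgejo container; host sshd must listen on another port or interface`, would make that explicit. Whether the DNAT'ed and masqueraded packets are actually forwarded depends on the forward chain of the filter table, which is not in this file; it is worth confirming that the NixOS nftables firewall's forward policy accepts them (or adding a `ct status dnat accept` rule there) rather than relying on the nftnat behaviour this replaces. Loading `nf_nat_ftp` by itself presumably has no effect on current kernels unless a `ct helper` rule assigns the helper, since helper auto-assignment is off by default, so if FTP NAT is not needed the `kernelModules` line could be dropped to reduce kernel attack surface.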