haccfiles/parsons/nftables.nix

{ config, lib, pkgs, ... }:

{
  networking.nat.enable = false;
    boot = {
      kernelModules = [ "nf_nat_ftp" ];
      kernel.sysctl = {
        "net.ipv4.conf.all.forwarding" =  true;
        "net.ipv4.conf.default.forwarding" = true;
      };
    };

    networking.nftables = {
      enable = true;

      extraConfig = ''
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100
    iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22
  }
  chain postrouting {
    type nat hook postrouting priority 100
    iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
    
  }
}
      '';
    };
}
render nftnat's extraConfig this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't press for using a custom module we can't really maintain on our own. 2024-02-12 17:17:59 +00:00			`{ config, lib, pkgs, ... }:`

			`{`
			`networking.nat.enable = false;`
			`boot = {`
			`kernelModules = [ "nf_nat_ftp" ];`
			`kernel.sysctl = {`
			`"net.ipv4.conf.all.forwarding" = true;`
			`"net.ipv4.conf.default.forwarding" = true;`
			`};`
			`};`

			`networking.nftables = {`
			`enable = true;`

			`extraConfig = ''`
			`table ip nat {`
			`chain prerouting {`
			`type nat hook prerouting priority -100`
			`iifname enp35s0 tcp dport { 22 } dnat ${config.containers.gitea.localAddress}:22`
			`}`
			`chain postrouting {`
			`type nat hook postrouting priority 100`
			`iifname lxcbr0 oifname enp35s0 masquerade`
			`iifname ve-* oifname enp35s0 masquerade`

			`}`
			`}`
			`'';`
			`};`
			`}`