haccfiles/parsons/nftables.nix

{ config, lib, pkgs, ... }:

{
  networking.firewall.enable = true;
  networking.firewall.logRefusedConnections = false;
  networking.nat.enable = true;

  networking.nftables.enable = true;
  networking.nftables.tables.nat = {
    family = "ip";
    content = ''
      chain prerouting {
        type nat hook prerouting priority -100
        iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
      }
      chain postrouting {
        type nat hook postrouting priority 100
        iifname lxcbr0 oifname enp35s0 masquerade
        iifname ve-* oifname enp35s0 masquerade
      }
    '';
  };
}
render nftnat's extraConfig this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't press for using a custom module we can't really maintain on our own. 2024-02-12 17:17:59 +00:00			`{ config, lib, pkgs, ... }:`

			`{`
use networking.firewall instead of nftables.ruleset 2024-04-07 13:57:51 +00:00			`networking.firewall.enable = true;`
parsons/nftables: don't log refused connections 2024-10-11 12:22:52 +00:00			`networking.firewall.logRefusedConnections = false;`
simplify nat on parsons 2024-04-07 14:25:08 +00:00			`networking.nat.enable = true;`
render nftnat's extraConfig this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't press for using a custom module we can't really maintain on our own. 2024-02-12 17:17:59 +00:00
use networking.firewall instead of nftables.ruleset 2024-04-07 13:57:51 +00:00			`networking.nftables.enable = true;`
			`networking.nftables.tables.nat = {`
			`family = "ip";`
			`content = ''`
			`chain prerouting {`
			`type nat hook prerouting priority -100`
			`iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22`
format nftables.nix 2024-02-25 16:53:54 +00:00			`}`
use networking.firewall instead of nftables.ruleset 2024-04-07 13:57:51 +00:00			`chain postrouting {`
			`type nat hook postrouting priority 100`
			`iifname lxcbr0 oifname enp35s0 masquerade`
			`iifname ve-* oifname enp35s0 masquerade`
format nftables.nix 2024-02-25 16:53:54 +00:00			`}`
render nftables's ruleset This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whatspace again. 2024-02-18 12:39:54 +00:00			`'';`
			`};`
render nftnat's extraConfig this removes usage of the nftnat module by rendering it into a static nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is concerned, hence the slightly off-putting whitespace of the multi-line string. This seems to me to be a better approach than just bundling the module, since we only use it for two things (giving the containers network access & forwarding port 22 to forgejo), which to me doesn't press for using a custom module we can't really maintain on our own. 2024-02-12 17:17:59 +00:00			`}`