host: Fix libvirt's iptables conumdrum

2021-09-12 00:32:18 +02:00 · 2021-09-12 00:32:18 +02:00 · deb88dafa7
commit deb88dafa7
parent 06a4a0fdf2
3 changed files with 39 additions and 25 deletions
--- a/hosts/miku.nix
+++ b/hosts/miku.nix
@ -5,6 +5,7 @@ let
 in mkHost config {
  userName = "alexander";
  hostName = "miku";
+  primaryInterface = "enp6s0";
  overlays = [ "nur" "unstable" "simple" "custom" "emacs" ];
  hardwareImports = [ "amdgpu" "amd" ];
  programImports = [
--- a/modules/host.nix
+++ b/modules/host.nix
@ -7,6 +7,7 @@ config: {
 , hostName
 , wireless ? false
 , wifiInterface ? ""
+, primaryInterface ? ""
 , overlays ? []
 , hardwareImports ? [ "generic" ]
 , programImports ? []
@ -26,12 +27,19 @@ let
    rev = "35a24648d155843a4d162de98c17b1afd5db51e4";
    ref = "release-21.05";
  };
+  primaryInterfaceWrapper = if wifiInterface != "" && primaryInterface == "" then wifiInterface else primaryInterface;
  baseConfig = {
    # Install home-manager
    imports = [
      "${home-manager}/nixos"
      ./users # For system.singleUser
      (./users + "/${userName}.nix")
+      ((import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
+        src = builtins.fetchGit {
+          url = "https://dev.ostylk.de/NixDistro/Config.git";
+          rev = "703d3d727a86c5c45d59608b35e0dea62a3f8486";
+        };
+      }).defaultNix.nixosModules.nftables)
    ] ++ (map (item: ./programs + "/${item}") programImports)
      ++ (map (item: ./hardware + "/${item}.nix") hardwareImports)
      ++ lib.optional wireless ./hardware/wifi.nix
@ -41,6 +49,30 @@ let
    nixpkgs.overlays = (map (item: lib.getAttr item overlaysSet) overlays);
    
    time.timeZone = "Europe/Berlin";
+    ostylk.nftables = {
+      enable = true;
+
+      tables.firewall = {
+        family = "inet";
+        chains = {
+          non-libvirt.extraConfig = let
+            deviceIPString = lib.concatStringsSep "," (with network; [
+              miku nishimiya ayame tamaki mashu
+            ]);
+          in ''
+            # Accept traffic from my devices
+            ip saddr != { ${deviceIPString} } drop
+          '';
+          input.extraConfig = ''
+            type filter hook input priority 0
+
+            ct state { established, related } accept
+            iif lo accept
+            iif ${primaryInterfaceWrapper} goto non-libvirt
+          '';
+        };
+      };
+    };
    networking = {
      useDHCP = false; # Done by the network manager
      networkmanager.enable = false;
@ -57,31 +89,6 @@ let
        "${network.tamaki}" = [ "tamaki.local" ];
        "${network.mashu}" = [ "mashu.local" ];
      };
-
-      nat.enable = false;
-      firewall.enable = false;
-      nftables = {
-        enable = true;
-
-        ruleset = let
-          deviceIPString = lib.concatStringsSep "," (with network; [
-            miku nishimiya ayame tamaki mashu
-          ]);
-        in ''
-          table inet firewall {
-            chain input {
-              type filter hook input priority 0
-              policy drop
-
-              ct state { established, related } accept
-              iif lo accept
-
-              # Accept traffic from my devices
-              ip saddr { ${deviceIPString} } accept
-            }
-          }; 
-        '';
-      };
    };

    i18n.defaultLocale = "en_GB.UTF-8";
--- a/overlays/simple.nix
+++ b/overlays/simple.nix
@ -38,4 +38,10 @@ in {
      parallel-n64
    ];
  });
+
+  libvirt = prev.libvirt.override {
+    # NOTE: This to prevent libvirt from using iptables and loading
+    #       ip_tables and the likes
+    iptables = prev.iptables-nftables-compat;
+  };
 }