From deb88dafa7452c97a8d3cde45a0177f8558e554d Mon Sep 17 00:00:00 2001
From: "Alexander \"PapaTutuWawa"
Date: Sun, 12 Sep 2021 00:32:18 +0200
Subject: [PATCH] host: Fix libvirt's iptables conumdrum

---
 hosts/miku.nix | 1 +
 modules/host.nix | 57 +++++++++++++++++++++++++--------------------
 overlays/simple.nix | 6 +++++
 3 files changed, 39 insertions(+), 25 deletions(-)

diff --git a/hosts/miku.nix b/hosts/miku.nix
index 91d60af..20efc2a 100644
--- a/hosts/miku.nix
+++ b/hosts/miku.nix
@@ -5,6 +5,7 @@ let
 in mkHost config {
 userName = "alexander";
 hostName = "miku";
+ primaryInterface = "enp6s0";
 overlays = [ "nur" "unstable" "simple" "custom" "emacs" ];
 hardwareImports = [ "amdgpu" "amd" ];
 programImports = [
diff --git a/modules/host.nix b/modules/host.nix
index fa8ea84..e3437c8 100644
--- a/modules/host.nix
+++ b/modules/host.nix
@@ -7,6 +7,7 @@ config: {
 , hostName
 , wireless ? false
 , wifiInterface ? ""
+, primaryInterface ? ""
 , overlays ? []
 , hardwareImports ? [ "generic" ]
 , programImports ? []
@@ -26,12 +27,19 @@ let
 rev = "35a24648d155843a4d162de98c17b1afd5db51e4";
 ref = "release-21.05";
 };
+ primaryInterfaceWrapper = if wifiInterface != "" && primaryInterface == "" then wifiInterface else primaryInterface;
 baseConfig = {
 # Install home-manager
 imports = [
 "${home-manager}/nixos"
 ./users # For system.singleUser
 (./users + "/${userName}.nix")
+ ((import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
+ src = builtins.fetchGit {
+ url = "https://dev.ostylk.de/NixDistro/Config.git";
+ rev = "703d3d727a86c5c45d59608b35e0dea62a3f8486";
+ };
+ }).defaultNix.nixosModules.nftables)
 ] ++ (map (item: ./programs + "/${item}") programImports)
 ++ (map (item: ./hardware + "/${item}.nix") hardwareImports)
 ++ lib.optional wireless ./hardware/wifi.nix
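Review bot: The flake-compat loader in the new `imports` entry is fetched with `fetchTarball` from `archive/master.tar.gz` and no `sha256`, so every evaluation pulls whatever is on that branch at the time and nothing verifies the code that then evaluates the pinned source; the `rev` on the inner `builtins.fetchGit` pins the Config.git module, but not the loader wrapping it. Pin it the same way: `(fetchTarball { url = "https://github.com/edolstra/flake-compat/archive/<COMMIT>.tar.gz"; sha256 = "<HASH>"; })` with the commit and hash filled in. A one-line comment next to the entry saying why an external nftables module is imported here rather than vendored would also help the next reader, since the reason is only visible in the later hunks of this patch. The `let` block this sits in continues outside the hunk.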
@@ -41,6 +49,30 @@ let nixpkgs.overlays = (map (item: lib.getAttr item overlaysSet) overlays); time.timeZone = "Europe/Berlin"; + ostylk.nftables = { + enable = true; + + tables.firewall = { + family = "inet"; + chains = { + non-libvirt.extraConfig = let + deviceIPString = lib.concatStringsSep "," (with network; [ + miku nishimiya ayame tamaki mashu + ]); + in '' + # Accept traffic from my devices + ip saddr != { ${deviceIPString} } drop + ''; + input.extraConfig = '' + type filter hook input priority 0 + + ct state { established, related } accept + iif lo accept + iif ${primaryInterfaceWrapper} goto non-libvirt + ''; + }; + }; + }; networking = { useDHCP = false; # Done by the network manager networkmanager.enable = false; @@ -57,31 +89,6 @@ let "${network.tamaki}" = [ "tamaki.local" ]; "${network.mashu}" = [ "mashu.local" ]; }; - - nat.enable = false; - firewall.enable = false; - nftables = { - enable = true; - - ruleset = let - deviceIPString = lib.concatStringsSep "," (with network; [ - miku nishimiya ayame tamaki mashu - ]); - in '' - table inet firewall { - chain input { - type filter hook input priority 0 - policy drop - - ct state { established, related } accept - iif lo accept - - # Accept traffic from my devices - ip saddr { ${deviceIPString} } accept - } - }; - ''; - }; }; i18n.defaultLocale = "en_GB.UTF-8"; diff --git a/overlays/simple.nix b/overlays/simple.nix index d85d8e3..57b5d1a 100644 --- a/overlays/simple.nix +++ b/overlays/simple.nix @@ -38,4 +38,10 @@ in { parallel-n64 ]; }); + + libvirt = prev.libvirt.override { + # NOTE: This to prevent libvirt from using iptables and loading + # ip_tables and the likes + iptables = prev.iptables-nftables-compat; + }; }
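Review bot: The rewritten `input` chain has no `policy drop`, unlike the ruleset the later hunk removes, so the base chain falls back to nftables' default accept, and `non-libvirt` only drops on `ip saddr`, which in an `inet` table matches IPv4 alone — IPv6 packets on the primary interface match neither rule and are accepted, as is all traffic arriving on any other interface. If default-accept off the primary interface is the intended libvirt fix, say so in a comment above `input.extraConfig` and add `meta nfproto ipv6 drop` beside the `ip saddr` rule; otherwise restore `policy drop` and accept the libvirt bridge explicitly (`iifname "virbr0" accept` for libvirt's default network). `primaryInterfaceWrapper` (defined in the earlier hunk) is `""` when neither `primaryInterface` nor `wifiInterface` is given, which renders `iif  goto non-libvirt` and makes the whole ruleset fail to load — what the external module does on a failed load I can't tell from here — so `assertions = [ { assertion = primaryInterfaceWrapper != ""; message = "primaryInterface or wifiInterface must be set"; } ];` in the module would catch that at build time. `iif` also resolves the name to an interface index when the ruleset is loaded, so a wifi interface that only appears later fails the load the same way; `iifname` matches by name and does not.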
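Review bot: The NOTE on the new `libvirt` override is misleading: the override does not stop libvirt from using iptables, it hands it `iptables-nftables-compat`, the iptables front end that programs nf_tables, so libvirt keeps issuing the same iptables commands and only the kernel backend changes — the legacy `ip_tables` modules are no longer loaded and its rules land in nf_tables alongside the host's own table. Suggest `# NOTE: nft-backed iptables so libvirt's rules end up in nf_tables instead of loading the legacy ip_tables modules`. Whether libvirt's chains and the `inet firewall` table then interact as intended depends on their hook priorities, which this hunk does not show.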