host: Fix libvirt's iptables conumdrum

2021-09-12 00:32:18 +02:00
parent 06a4a0fdf2
commit deb88dafa7
3 changed files with 39 additions and 25 deletions
--- a/modules/host.nix
+++ b/modules/host.nix
@@ -7,6 +7,7 @@ config: {
 , hostName
 , wireless ? false
 , wifiInterface ? ""
+, primaryInterface ? ""
 , overlays ? []
 , hardwareImports ? [ "generic" ]
 , programImports ? []
@@ -26,12 +27,19 @@ let
    rev = "35a24648d155843a4d162de98c17b1afd5db51e4";
    ref = "release-21.05";
  };
+  primaryInterfaceWrapper = if wifiInterface != "" && primaryInterface == "" then wifiInterface else primaryInterface;
  baseConfig = {
    # Install home-manager
    imports = [
      "${home-manager}/nixos"
      ./users # For system.singleUser
      (./users + "/${userName}.nix")
+      ((import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
+        src = builtins.fetchGit {
+          url = "https://dev.ostylk.de/NixDistro/Config.git";
+          rev = "703d3d727a86c5c45d59608b35e0dea62a3f8486";
+        };
+      }).defaultNix.nixosModules.nftables)
    ] ++ (map (item: ./programs + "/${item}") programImports)
      ++ (map (item: ./hardware + "/${item}.nix") hardwareImports)
      ++ lib.optional wireless ./hardware/wifi.nix
@@ -41,6 +49,30 @@ let
    nixpkgs.overlays = (map (item: lib.getAttr item overlaysSet) overlays);
    
    time.timeZone = "Europe/Berlin";
+    ostylk.nftables = {
+      enable = true;
+
+      tables.firewall = {
+        family = "inet";
+        chains = {
+          non-libvirt.extraConfig = let
+            deviceIPString = lib.concatStringsSep "," (with network; [
+              miku nishimiya ayame tamaki mashu
+            ]);
+          in ''
+            # Accept traffic from my devices
+            ip saddr != { ${deviceIPString} } drop
+          '';
+          input.extraConfig = ''
+            type filter hook input priority 0
+
+            ct state { established, related } accept
+            iif lo accept
+            iif ${primaryInterfaceWrapper} goto non-libvirt
+          '';
+        };
+      };
+    };
    networking = {
      useDHCP = false; # Done by the network manager
      networkmanager.enable = false;
@@ -57,31 +89,6 @@ let
        "${network.tamaki}" = [ "tamaki.local" ];
        "${network.mashu}" = [ "mashu.local" ];
      };
-
-      nat.enable = false;
-      firewall.enable = false;
-      nftables = {
-        enable = true;
-
-        ruleset = let
-          deviceIPString = lib.concatStringsSep "," (with network; [
-            miku nishimiya ayame tamaki mashu
-          ]);
-        in ''
-          table inet firewall {
-            chain input {
-              type filter hook input priority 0
-              policy drop
-
-              ct state { established, related } accept
-              iif lo accept
-
-              # Accept traffic from my devices
-              ip saddr { ${deviceIPString} } accept
-            }
-          }; 
-        '';
-      };
    };

    i18n.defaultLocale = "en_GB.UTF-8";