host: Fix libvirt's iptables conumdrum

hosts/miku.nix

@@ -5,6 +5,7 @@ let
 in mkHost config {
   userName = "alexander";
   hostName = "miku";
+  primaryInterface = "enp6s0";
   overlays = [ "nur" "unstable" "simple" "custom" "emacs" ];
   hardwareImports = [ "amdgpu" "amd" ];
   programImports = [

modules/host.nix

@@ -7,6 +7,7 @@ config: {
 , hostName
 , wireless ? false
 , wifiInterface ? ""
+, primaryInterface ? ""
 , overlays ? []
 , hardwareImports ? [ "generic" ]
 , programImports ? []
@@ -26,12 +27,19 @@ let
     rev = "35a24648d155843a4d162de98c17b1afd5db51e4";
     ref = "release-21.05";
   };
+  primaryInterfaceWrapper = if wifiInterface != "" && primaryInterface == "" then wifiInterface else primaryInterface;
   baseConfig = {
     # Install home-manager
     imports = [
       "${home-manager}/nixos"
       ./users # For system.singleUser
       (./users + "/${userName}.nix")
+      ((import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
+        src = builtins.fetchGit {
+          url = "https://dev.ostylk.de/NixDistro/Config.git";
+          rev = "703d3d727a86c5c45d59608b35e0dea62a3f8486";
+        };
+      }).defaultNix.nixosModules.nftables)
     ] ++ (map (item: ./programs + "/${item}") programImports)
       ++ (map (item: ./hardware + "/${item}.nix") hardwareImports)
       ++ lib.optional wireless ./hardware/wifi.nix
@@ -41,6 +49,30 @@ let
     nixpkgs.overlays = (map (item: lib.getAttr item overlaysSet) overlays);
     
     time.timeZone = "Europe/Berlin";
+    ostylk.nftables = {
+      enable = true;
+
+      tables.firewall = {
+        family = "inet";
+        chains = {
+          non-libvirt.extraConfig = let
+            deviceIPString = lib.concatStringsSep "," (with network; [
+              miku nishimiya ayame tamaki mashu
+            ]);
+          in ''
+            # Accept traffic from my devices
+            ip saddr != { ${deviceIPString} } drop
+          '';
+          input.extraConfig = ''
+            type filter hook input priority 0
+
+            ct state { established, related } accept
+            iif lo accept
+            iif ${primaryInterfaceWrapper} goto non-libvirt
+          '';
+        };
+      };
+    };
     networking = {
       useDHCP = false; # Done by the network manager
       networkmanager.enable = false;
@@ -57,31 +89,6 @@ let
         "${network.tamaki}" = [ "tamaki.local" ];
         "${network.mashu}" = [ "mashu.local" ];
       };
-
-      nat.enable = false;
-      firewall.enable = false;
-      nftables = {
-        enable = true;
-
-        ruleset = let
-          deviceIPString = lib.concatStringsSep "," (with network; [
-            miku nishimiya ayame tamaki mashu
-          ]);
-        in ''
-          table inet firewall {
-            chain input {
-              type filter hook input priority 0
-              policy drop
-
-              ct state { established, related } accept
-              iif lo accept
-
-              # Accept traffic from my devices
-              ip saddr { ${deviceIPString} } accept
-            }
-          }; 
-        '';
-      };
     };
 
     i18n.defaultLocale = "en_GB.UTF-8";

overlays/simple.nix

@@ -38,4 +38,10 @@ in {
       parallel-n64
     ];
   });
+
+  libvirt = prev.libvirt.override {
+    # NOTE: This to prevent libvirt from using iptables and loading
+    #       ip_tables and the likes
+    iptables = prev.iptables-nftables-compat;
+  };
 }