Diffstat (limited to 'modules/foundation/services')
| -rw-r--r-- | modules/foundation/services/default.nix | 4 | ||||
| -rw-r--r-- | modules/foundation/services/networks.nix | 25 |
2 files changed, 7 insertions, 22 deletions
diff --git a/modules/foundation/services/default.nix b/modules/foundation/services/default.nix index 8136ce0..4c01bd7 100644 --- a/modules/foundation/services/default.nix +++ b/modules/foundation/services/default.nix @@ -13,8 +13,8 @@ driver = "bridge"; ipv6 = { enable = true; - subnet = "2001:d0c:1::/48"; - gateway = "2001:d0c:1::1"; + subnet = "fc00:d0c:1::/48"; + gateway = "fc00:d0c:1::1"; }; }; } diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix index 7205ec1..b5f1732 100644 --- a/modules/foundation/services/networks.nix +++ b/modules/foundation/services/networks.nix @@ -81,7 +81,7 @@ in Don't set to get a random subnet assigned to you within the subnet defined in `defaultIPv6SubnetPrefix`. ''; - example = "2001:d0c:123::/64"; + example = "fc00:d0c:123::/64"; default = null; }; @@ -91,7 +91,7 @@ in IPv6 gateway for this network. Should match the subnet. ''; - example = "2001:d0c:123::1"; + example = "fc00:d0c:123::1"; default = null; }; }; @@ -157,7 +157,7 @@ in a set subnet. Prefix length defined by `defaultIPv6SubnetLength`. ''; - default = "2001:d0c"; + default = "fc00:d0c"; }; defaultIPv6SubnetLength = mkOption { @@ -190,6 +190,8 @@ in experimental = true; ipv6 = true; ip6tables = true; + "ip-forward" = true; + "firewall-backend" = "nftables"; fixed-cidr-v6 = "${cfg.defaultIPv6SubnetPrefix}:255::/${toString cfg.defaultIPv6SubnetLength}"; }; 
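Review bot: `fc00:d0c:1::/48` sits in the half of the ULA block that RFC 4193 reserves for centrally assigned prefixes (fc00::/8, L bit = 0) and leaves undefined; locally assigned ULAs are fd00::/8 with a randomly generated 40-bit global ID, so the new values should read `subnet = "fd00:d0c:1::/48";` and `gateway = "fd00:d0c:1::1";`. Choosing the global ID at random instead of the mnemonic `d0c` is what keeps the prefix unique if these bridges are ever routed to or peered with another site's ULA space. The same fc00 prefix recurs in the networks.nix hunks at @@ -81, @@ -91 and @@ -157 (the two `example` values and the `defaultIPv6SubnetPrefix` default) and should follow the same choice; since that default feeds `fixed-cidr-v6` in the @@ -190 hunk, it determines the range every docker bridge is assigned.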
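Review bot: `"firewall-backend" = "nftables"` moves docker's rules to nftables, but nothing in this diff moves the host firewall off iptables (NixOS keeps `networking.firewall` on iptables unless `networking.nftables.enable = true` is set), and with both in use the kernel consults both rule sets in an order the configuration does not control. That matters because the next hunk drops the `ip6tables` extraCommands that previously inserted the bridge FORWARD and conntrack rules, so bridge traffic now relies on docker's own chains alone; if the host is not already on nftables, add `networking.nftables.enable = true;` next to this change, or keep the backend at its default until it is. `"ip-forward" = true` is docker's default and could be omitted; if kept, a one-line comment saying it is set explicitly because the manual FORWARD rules are gone would explain its presence. The final hunk appears to end outside the visible diff, so whether `networking.nftables` is touched there is inferred, not confirmed.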
@@ -200,24 +202,7 @@ in }; networking.firewall = { - # both options should work together to let all packets coming from - # docker bridges through. trustedInterfaces = [ "br-*" ]; - extraCommands = '' - # allow inbound packets - ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true - - # allow outbound to the docker bridge - ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true - - # allow forwarding between bridges+external interfaces - ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true - ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true - - # allow return traffic - # note: nothing works without this! - ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true - ''; }; systemd.services = |
