Diffstat (limited to 'modules')
| -rw-r--r-- | modules/common.nix | 19 | ||||
| -rw-r--r-- | modules/foundation/services/default.nix | 4 | ||||
| -rw-r--r-- | modules/foundation/services/networks.nix | 25 | ||||
| -rw-r--r-- | modules/tunnel/ingress.nix | 15 |
4 files changed, 31 insertions, 32 deletions
diff --git a/modules/common.nix b/modules/common.nix
index c363201..9ad59aa 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -28,6 +28,14 @@
 networking = {
 hostName = me.name;
+ useDHCP = false;
+ dhcpcd.enable = false;
+ nameservers = [ "1.1.1.1" "1.0.0.1" ];
+
+ nftables = {
+ enable = true;
+ flushRuleset = false;
+ };
 firewall = {
 enable = true;
@@ -35,6 +43,15 @@
 };
 };
+ systemd.network = {
+ enable = true;
+ wait-online.anyInterface = true;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault 1;
+ };
+
 services.envfs.enable = true;
 virtualisation = {
@@ -86,7 +103,7 @@
 gnupg pinentry-curses age agenix inetutils pciutils lshw inxi iw dmidecode tcpdump
- iptables nftables wireguard-tools
+ nftables wireguard-tools
 ffmpeg_7-headless ripgrep gnumake gdb gcc clang dtc
diff --git a/modules/foundation/services/default.nix b/modules/foundation/services/default.nix
index 8136ce0..4c01bd7 100644
--- a/modules/foundation/services/default.nix
+++ b/modules/foundation/services/default.nix
@@ -13,8 +13,8 @@
 driver = "bridge";
 ipv6 = {
 enable = true;
- subnet = "2001:d0c:1::/48";
- gateway = "2001:d0c:1::1";
+ subnet = "fc00:d0c:1::/48";
+ gateway = "fc00:d0c:1::1";
 };
 };
 }
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 7205ec1..b5f1732 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -81,7 +81,7 @@ in
 Don't set to get a random subnet assigned to you within the subnet defined in `defaultIPv6SubnetPrefix`.
 '';
- example = "2001:d0c:123::/64";
+ example = "fc00:d0c:123::/64";
 default = null;
 };
@@ -91,7 +91,7 @@ in
 IPv6 gateway for this network. Should match the subnet.
 '';
- example = "2001:d0c:123::1";
+ example = "fc00:d0c:123::1";
 default = null;
 };
 };
@@ -157,7 +157,7 @@ in
 a set subnet. Prefix length defined by `defaultIPv6SubnetLength`.
 '';
- default = "2001:d0c";
+ default = "fc00:d0c";
 };
 defaultIPv6SubnetLength = mkOption {
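Review bot: `nameservers = [ "1.1.1.1" "1.0.0.1" ]` pins every host to plaintext UDP/53 resolvers, so DNS answers are neither private nor authenticated on the wire; since the same hunk moves the fleet onto systemd-networkd, the natural companion is `services.resolved = { enable = true; dnsovertls = "true"; dnssec = "allow-downgrade"; };`, or at least a comment stating that plaintext DNS is accepted on purpose. `flushRuleset = false` also deserves a comment: with that setting NixOS only reconciles tables declared through `networking.nftables.tables`, so anything added via the free-form `ruleset` option or by hand stays in the kernel until reboot — worth confirming against the nftables module before relying on it. The `networking` attribute set continues past the hunk.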
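Review bot: `"net.ipv4.ip_forward" = lib.mkDefault 1` now turns every host into an IPv4 router, not just the tunnel ingress it was moved out of, and the NixOS nftables firewall does not filter the forward hook unless `networking.firewall.filterForward = true` is set, so a host with no forward chain of its own will relay between any of its interfaces. Either keep the sysctl in the modules that actually forward, or pair it with `networking.firewall.filterForward = lib.mkDefault true;` so non-routing hosts drop forwarded traffic by default. A comment naming which modules rely on forwarding (tunnel ingress, docker) would help the next reader. `net.ipv6.conf.all.forwarding` is not set here, so IPv6 forwarding presumably relies on docker enabling it — confirm.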
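Review bot: `fc00:d0c:1::/48` sits in the half of the ULA block that RFC 4193 reserves for future central assignment; locally generated prefixes must come from `fd00::/8` with a randomly chosen 40-bit global ID, not a memorable one. A non-random prefix is exactly what ULA's random global ID exists to prevent — two sites that both pick `fc00:d0c::` collide the moment they are joined over a VPN. Generating the global ID once (`head -c5 /dev/urandom | od -An -tx1`) and recording that in a comment next to `subnet`/`gateway` would fix both points.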
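Review bot: `default = "fc00:d0c"` bakes a fixed, non-random prefix into every network created by this module, and the option text above it documents only the subnet-ID randomisation, not that the global ID is shared by every host using the default. Under RFC 4193 the global ID is the part that must be random (and inside `fd00::/8`, not `fc00::/8`); consider making the default `null` and asserting the option is set per site, or at least adding to the description: `Override per site with a random fd00::/8 global ID (RFC 4193); this default is a placeholder shared by every host.` The enclosing `mkOption` and the `defaultIPv6SubnetLength` option continue past the hunk.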
@@ -190,6 +190,8 @@ in
 experimental = true;
 ipv6 = true;
 ip6tables = true;
+ "ip-forward" = true;
+ "firewall-backend" = "nftables";
 fixed-cidr-v6 = "${cfg.defaultIPv6SubnetPrefix}:255::/${toString cfg.defaultIPv6SubnetLength}";
 };
@@ -200,24 +202,7 @@ in
 };
 networking.firewall = {
- # both options should work together to let all packets coming from
- # docker bridges through.
 trustedInterfaces = [ "br-*" ];
- extraCommands = ''
- # allow inbound packets
- ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
-
- # allow outbound to the docker bridge
- ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
-
- # allow forwarding between bridges+external interfaces
- ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
- ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
-
- # allow return traffic
- # note: nothing works without this!
- ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
- '';
 };
 systemd.services =
diff --git a/modules/tunnel/ingress.nix b/modules/tunnel/ingress.nix
index 8a6ae3b..1ea1613 100644
--- a/modules/tunnel/ingress.nix
+++ b/modules/tunnel/ingress.nix
@@ -32,10 +32,6 @@ let
 mtu = 1400;
 in
 {
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1; # allow ipv4 forwarding
- };
-
 networking.firewall = {
 allowedUDPPorts = map (x: x.port) paths;
 allowedTCPPorts = map (x: x.port) paths;
@@ -118,12 +114,13 @@ in
 # allow forwarding packets between egress and ingress, but avoid any snat,
 # ip should always keep it's origin form, for correct egress routing.
 # also adapt mss to outgoing mss value, so that we don't shatter packets.
- networking.nftables.ruleset =
+ networking.nftables.tables.tunnel-forward =
 let
 ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths;
 in
- ''
- table inet filter {
+ {
+ family = "inet";
+ content = ''
 chain forward {
 type filter hook forward priority 0; policy drop;
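Review bot: `"firewall-backend" = "nftables"` selects Docker's experimental nftables backend, and dockerd refuses to start when `daemon.json` contains a key it does not recognise, so on a Docker release predating that backend this hunk takes the whole container host down instead of falling back to iptables. Pin the dependency next to the setting, e.g. `# requires a dockerd with the experimental nftables backend; older daemons abort on the unknown key`, and consider an `assertions` entry on `config.virtualisation.docker.package.version`. `ip6tables = true` is kept alongside, which is presumably what the nftables backend reads to decide whether to program IPv6 rules — confirm against the Docker docs for the version in use.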
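Review bot: The removed ip6tables block carried the only explanation of why `br-*` is trusted and of the conntrack return-traffic rule the old comment called essential, and the hunk leaves `trustedInterfaces = [ "br-*" ];` with no comment at all. `trustedInterfaces` accepts every packet arriving on any interface named `br-*` into the host input chain, so any container can reach any host-bound service — a pre-existing trade-off, but it should stay documented, e.g. `# br-* bridges are fully trusted by the host firewall; forwarding and return traffic for container networks is left to Docker's nftables backend`. With `extraCommands` gone, IPv6 forward-path filtering depends entirely on what the experimental backend installs, so verify after deployment with `nft list ruleset` that an established/related accept exists on the forward hook.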
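Review bot: `type filter hook forward priority 0; policy drop;` declares a base chain on the forward hook, and in nftables a packet must be accepted by every base chain on a hook, so on a host that also forwards for Docker (whose nftables backend registers its own forward chain) or anything else, `policy drop` here silently drops that traffic while an `accept` in this chain cannot override a drop elsewhere. The comment above the hunk should say so, e.g. `# base chain on the forward hook: every forwarded packet on this host that is not between tunnel interfaces is dropped here`, and `priority 0` could be written `priority filter` so its ordering against other filter-priority chains is explicit. Moving from `ruleset` to `tables.tunnel-forward` is the right direction with `flushRuleset = false` elsewhere, since NixOS reconciles named tables but not free-form ruleset text — worth a one-line comment too. The chain body and the closing `'';`/`};` are in the next hunk.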
@@ -132,8 +129,8 @@ in
 iifname { "${ingressInterfaces}" } oifname "${egressName}" accept
 iifname "${egressName}" oifname { "${ingressInterfaces}" } accept
- }
- '';
+ '';
+ };
 # sing-box is a vpn client supporting various protocols which will allow us
 # to configure it in whichever way we want to avoid russian dpi.
|
