From 56c22cf8ae9de73bbc1c37ce0b1635ae7af9be64 Mon Sep 17 00:00:00 2001
From: Mel
Date: Fri, 24 Apr 2026 23:35:19 +0200
Subject: Migrate fully to systemd-networkd and nftables
Signed-off-by: Mel
---
 modules/foundation/services/networks.nix | 25 +++++-------------------
 1 file changed, 5 insertions(+), 20 deletions(-)
(limited to 'modules/foundation/services/networks.nix')
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 7205ec1..b5f1732 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -81,7 +81,7 @@ in
 Don't set to get a random subnet assigned to you within the subnet defined in `defaultIPv6SubnetPrefix`.
 '';
- example = "2001:d0c:123::/64";
+ example = "fc00:d0c:123::/64";
 default = null;
 };
@@ -91,7 +91,7 @@ in
 IPv6 gateway for this network. Should match the subnet.
 '';
- example = "2001:d0c:123::1";
+ example = "fc00:d0c:123::1";
 default = null;
 };
 };
@@ -157,7 +157,7 @@ in
 a set subnet. Prefix length defined by `defaultIPv6SubnetLength`.
 '';
- default = "2001:d0c";
+ default = "fc00:d0c";
 };
 defaultIPv6SubnetLength = mkOption {
@@ -190,6 +190,8 @@ in
 experimental = true;
 ipv6 = true;
 ip6tables = true;
+ "ip-forward" = true;
+ "firewall-backend" = "nftables";
 fixed-cidr-v6 = "${cfg.defaultIPv6SubnetPrefix}:255::/${toString cfg.defaultIPv6SubnetLength}";
 };
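Review bot: The new default `fc00:d0c` in the `-157,7 +157,7` hunk sits in the half of the ULA block that RFC 4193 leaves undefined: the locally-assigned range is fd00::/8 (L bit set), while fc00::/8 is reserved, and the 40-bit global ID is meant to be randomly generated rather than a memorable value like `d0c`. Moving away from the global-unicast `2001:d0c` prefix is the right direction, since that space is not this host's to number, but the prefix should be `fd` followed by a random global ID to avoid collisions with other ULA networks this host may later route to. The two examples in the `-81,7` and `-91,7` hunks should be updated to match whatever prefix is chosen, e.g. `example = "fd00:d0c:123::/64";` and `example = "fd00:d0c:123::1";`. The option description on the lines above `default` would also benefit from one sentence saying the prefix is expected to be a ULA (fd00::/8) prefix so users do not set a global one by habit.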
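Review bot: The added `"ip-forward" = true;` in the `-190,6 +190,8` hunk enables host-wide forwarding, and with the `ip6tables -I FORWARD` and conntrack return-traffic rules deleted in the following hunk, the only thing constraining what the host forwards between interfaces is whatever Docker's nftables backend installs; that dependency is not written down anywhere in the hunk. As far as I recall, the `firewall-backend = "nftables"` daemon option is still flagged experimental upstream (consistent with `experimental = true;` above it), and the NixOS side needs `networking.nftables.enable` for `networking.firewall` to run on nftables too — neither is visible here, so if it lives in another file a pointer would help. I would add above the two new lines `# Forwarding is enabled host-wide; FORWARD/conntrack rules for br-* bridges now come from Docker's (experimental) nftables backend instead of the ip6tables extraCommands that used to live in networking.firewall.` The enclosing daemon settings attrset starts outside the hunk.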
@@ -200,24 +202,7 @@ in
 };
 networking.firewall = {
- # both options should work together to let all packets coming from
- # docker bridges through.
 trustedInterfaces = [ "br-*" ];
- extraCommands = ''
- # allow inbound packets
- ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
- # allow outbound to the docker bridge
- ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
- # allow forwarding between bridges+external interfaces
- ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
- ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
- # allow return traffic
- # note: nothing works without this!
- ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
- '';
 };
 systemd.services =
-- cgit 1.4.1