Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

l sync-containers3: configure NAT more directly

Browse Source
This commit is contained in:
lassulus 2023-01-18 20:07:18 +01:00
parent 4d64e17557
commit d9d0fbd040
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lass/3modules/sync-containers3.nix
View File

@ -282,14 +282,19 @@ in {
}) })
(lib.mkIf (cfg.containers != {}) { (lib.mkIf (cfg.containers != {}) {
# networking # networking
# needed because otherwise we lose local dns
environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
systemd.network.networks.ctr0 = { systemd.network.networks.ctr0 = {
name = "ctr0"; name = "ctr0";
address = [ address = [
"10.233.0.1/24" "10.233.0.1/24"
]; ];
networkConfig = { networkConfig = {
IPForward = "yes"; # IPForward = "yes";
IPMasquerade = "both"; # IPMasquerade = "both";
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
DHCPServer = "yes"; DHCPServer = "yes";
}; };
@ -306,6 +311,9 @@ in {
{ predicate = "-i ctr0"; target = "ACCEPT"; } { predicate = "-i ctr0"; target = "ACCEPT"; }
{ predicate = "-o ctr0"; target = "ACCEPT"; } { predicate = "-o ctr0"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }
];
}) })
(lib.mkIf cfg.inContainer.enable { (lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {}; users.groups.container_sync = {};