2025-01-13 01:52:37 +01:00
|
|
|
{ config, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
virtualisation.incus.enable = true;
|
|
|
|
|
networking = {
|
2026-01-26 23:34:48 +01:00
|
|
|
nftables = {
|
|
|
|
|
enable = true;
|
|
|
|
|
ruleset = ''
|
|
|
|
|
table inet crusader_isolation {
|
|
|
|
|
chain fwd_pre {
|
|
|
|
|
type filter hook forward priority -200; policy accept;
|
2025-07-22 10:25:34 +02:00
|
|
|
|
2026-01-26 23:34:48 +01:00
|
|
|
# Crusader-Netz darf NICHT ins LAN
|
|
|
|
|
iifname "incusbr1" ip daddr 192.168.0.0/16 drop
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-07-22 10:25:34 +02:00
|
|
|
'';
|
2026-01-26 23:34:48 +01:00
|
|
|
}
|
|
|
|
|
firewall = {
|
|
|
|
|
trustedInterfaces = [ "incusbr2" ];
|
|
|
|
|
filterForward = false;
|
2025-07-22 10:25:34 +02:00
|
|
|
|
|
|
|
|
interfaces = {
|
|
|
|
|
incusbr1 = {
|
|
|
|
|
allowedTCPPorts = [ 53 ];
|
2026-01-26 23:34:48 +01:00
|
|
|
allowedUDPPorts = [
|
|
|
|
|
53
|
|
|
|
|
67
|
|
|
|
|
68
|
|
|
|
|
41641 # Tailscale / WireGuard
|
|
|
|
|
];
|
2025-07-22 10:25:34 +02:00
|
|
|
};
|
2026-01-26 23:34:48 +01:00
|
|
|
};
|
|
|
|
|
};
|
2025-07-22 10:25:34 +02:00
|
|
|
|
2026-01-26 23:34:48 +01:00
|
|
|
nat = {
|
|
|
|
|
enable = true;
|
|
|
|
|
externalInterface = "incusbr2";
|
|
|
|
|
internalInterfaces = [ "incusbr1" ];
|
|
|
|
|
internalIPs = [ "10.46.33.0/24" ];
|
2025-01-13 01:52:37 +01:00
|
|
|
};
|
|
|
|
|
};
|
2025-01-13 02:18:00 +01:00
|
|
|
|
|
|
|
|
# Load the kernel volume for lvm thin provisioning
|
2025-01-14 13:10:24 +01:00
|
|
|
boot.kernelModules = [ "dm_thin_pool" "dm_snapshot" ];
|
2025-01-13 01:52:37 +01:00
|
|
|
}
|
|
|
|
|
|
