finalize netconfig simplification

2026-01-26 23:34:48 +01:00
parent 03a75c33e9
commit 307db6c3a2
4 changed files with 33 additions and 244 deletions
--- a/incus.nix
+++ b/incus.nix
@@ -3,33 +3,41 @@
 {
  virtualisation.incus.enable = true;
  networking = {
-    nftables.enable = true;
-    firewall = {
-      trustedInterfaces = [ "incusbr1" "incusbr2" ];
-      filterForward = true;
+    nftables = {
+      enable = true;
+      ruleset = ''
+       table inet crusader_isolation {
+        chain fwd_pre {
+          type filter hook forward priority -200; policy accept;

-      extraForwardRules = ''
-        # if crusader tries to go to varian or truenas, BLOCK
-        iifname "incusbr1" oifname "incusbr0" drop
-        iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop
+          # Crusader-Netz darf NICHT ins LAN
+          iifname "incusbr1" ip daddr 192.168.0.0/16 drop
+        }
+       }
      '';
+    }
+    firewall = {
+      trustedInterfaces = [ "incusbr2" ];
+      filterForward = false;

      interfaces = {
-        incusbr0 = {
-          allowedTCPPorts = [ 53 67 ];
-          allowedUDPPorts = [ 53 67 ];
-        };
        incusbr1 = {
          allowedTCPPorts = [ 53 ];
-          allowedUDPPorts = [ 53 67 68 ];
+          allowedUDPPorts = [
+            53
+            67
+            68
+            41641  # Tailscale / WireGuard
+          ];
        };
-        incusbr2 = {
-          allowedTCPPorts = [ 53 ];
-          allowedUDPPorts = [ 53 67 68 ];
-        };
-      };
+      }; 
+    };

-      
+    nat = {
+      enable = true;
+      externalInterface = "incusbr2";
+      internalInterfaces = [ "incusbr1" ];
+      internalIPs = [ "10.46.33.0/24" ];
    };
  };