leonetienne/stormwind-nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

create l2 bridge incusbr2

Browse Source
This commit is contained in:
RootHost-Stormwind
2026-01-26 15:36:02 +01:00
parent 949f8cf77a
commit 62307984f5
2 changed files with 52 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
incus.nix
View File

@@ -5,14 +5,13 @@
networking = {
nftables.enable = true;
firewall = {
enable = true;
trustedInterfaces = [ "incusbr1" ];
filterForward = true;
extraForwardRules = ''
# if crusader tries to go to varian or truenas, BLOCK
iifname "incusbr1" oifname "incusbr0" drop
iifname "incusbr1" oifname "enp4s0" ip daddr 192.168.0.0/16 drop
iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop
'';
interfaces = {

86
networking.nix
View File

@@ -4,13 +4,14 @@
networking = {
hostName = "Stormwind";
networkmanager.enable = false;
defaultGateway = "192.168.0.1";
nameservers = [ "192.168.0.1" "1.1.1.1" ];
firewall = {
allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2223 990 989 445 111 2049 32765 32768 20048 ];
enable = true;
allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ];
allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
trustedInterfaces = [ "incusbr0" ];
trustedInterfaces = [ "incusbr0" "incusbr2" ];
};
nftables.ruleset = ''
@@ -21,42 +22,42 @@
ct state established,related accept
# allow new+established VMInternet
iifname "incusbr0" oifname "enp4s0" ct state new,established accept
iifname "incusbr1" oifname "enp4s0" ct state new,established accept
iifname "incusbr0" oifname "incusbr2" ct state new,established accept
iifname "incusbr1" oifname "incusbr2" ct state new,established accept
# allow vm to vm communication
iifname "tap*" oifname "tap*" accept
# allow natted replies
iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 1883 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 8883 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 9001 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 20 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 21 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 50000 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 50001 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 50002 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 50003 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 50004 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 50005 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 22 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 2223 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 990 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 989 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 445 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 111 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" udp dport 111 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 2049 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" udp dport 2049 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 32765 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" udp dport 32765 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 32768 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" udp dport 32768 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 20048 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" udp dport 20048 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 8123 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 80 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 443 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 1883 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 8883 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 9001 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 20 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 21 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50000 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50001 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50002 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50003 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50004 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50005 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 22 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 2223 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 990 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 989 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 445 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 111 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 111 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 2049 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 2049 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 32765 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 32765 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 32768 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 32768 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 20048 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 20048 ct state new,established accept
}
}
'';
@@ -68,6 +69,9 @@
incusbr1 = {
interfaces = [];
};
incusbr2 = {
interfaces = [ "enp4s0" ];
};
};
interfaces = {
@@ -81,12 +85,24 @@
{ address = "10.46.33.1"; prefixLength = 24; }
];
};
incusbr2 = {
ipv4.addresses = [
{ address = "192.168.0.19"; prefixLength = 24; }
];
macAddress = "2c:fd:a1:c1:13:b0";
mtu = 1280;
};
};
defaultGateway = {
address = "192.168.0.1";
interface = "incusbr2";
};
nat = {
enable = true;
internalInterfaces = [ "incusbr0" "incusbr1" ];
externalInterface = "enp4s0";
externalInterface = "incusbr2";
forwardPorts = [
# Web-UI for home-assistant
{