From e7e9b34464c8384f0f486ea8af6172bf39222487 Mon Sep 17 00:00:00 2001 From: RootHost-Stormwind Date: Tue, 22 Jul 2025 10:25:34 +0200 Subject: [PATCH] create special network for crusader which cannot ping lan --- hardware-configuration.nix | 34 +++++++++++-- incus.nix | 26 ++++++++-- networking.nix | 102 ++++++++++++++++++++++--------------- 3 files changed, 114 insertions(+), 48 deletions(-) diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 22af24c..2e85aa0 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -8,11 +8,26 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; + # 1) Make sure vfio and vfio_pci are in the initrd + boot.initrd.kernelModules = [ "vfio" "vfio_pci" ]; + + # 2) Also load them again in the running system + boot.kernelModules = [ "vfio" "vfio_pci" ]; + + # 3) Kernel params to turn on IOMMU and bind your card to vfio-pci + boot.kernelParams = lib.mkForce [ + # for AMD hosts (use the intel line if you’re on Intel) + "amd_iommu=on" + "iommu=pt" + + # helps isolate PCIe ports if your card shares groups + "pci_acs_override=downstream,multifunction" + + # <<< the important bit: early vfio binding for 1b4b:9215 >>> + "vfio-pci.ids=1b4b:9215" + ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" "vfio_pci" ]; - boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "pci_acs_override=downstream,multifunction" ]; - boot.extraModulePackages = [ ]; swapDevices = [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; } 
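Review bot: The comment on `pci_acs_override=downstream,multifunction` says it "helps isolate PCIe ports", but the parameter does the opposite: it makes the kernel ignore missing ACS capabilities and split IOMMU groups the hardware does not actually isolate, so a device passed through to a guest can still DMA to its real group-mates (and through them to the host), and it is only honoured at all by a kernel carrying the out-of-tree ACS patch. I would replace the comment with `# SECURITY: pci_acs_override fakes ACS isolation; devices that really share an IOMMU group with 1b4b:9215 can DMA across VM boundaries — drop this unless the group split is required` and remove the parameter if `1b4b:9215` already sits in its own group. `lib.mkForce` on `boot.kernelParams` silently discards kernel parameters contributed by any other module or file; `lib.mkAfter` or a plain list merge keeps them. The removed line also loaded `kvm-amd`, which the new `boot.kernelModules` list no longer names, a change the commit message does not mention; add it back unless autoloading is deliberately relied on.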
@@ -27,4 +42,15 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + services.xserver.videoDrivers = [ "nvidia" ]; + hardware.nvidia = { + package = config.boot.kernelPackages.nvidiaPackages.legacy_470; + modesetting.enable = true; + powerManagement.enable = true; + open = false; # <--- this must be false for proprietary + nvidiaSettings = true; + }; + nixpkgs.config.allowUnfree = true; + nixpkgs.config.nvidia.acceptLicense = true; } diff --git a/incus.nix b/incus.nix index 3a0957d..9198144 100644 --- a/incus.nix +++ b/incus.nix @@ -4,11 +4,29 @@ virtualisation.incus.enable = true; networking = { nftables.enable = true; - firewall.interfaces = { - incusbr0 = { - allowedTCPPorts = [ 53 67 ]; - allowedUDPPorts = [ 53 67 ]; + firewall = { + enable = true; + trustedInterfaces = [ "incusbr1" ]; + filterForward = true; + + extraForwardRules = '' + # if crusader tries to go to varian or truenas, BLOCK + iifname "incusbr1" oifname "incusbr0" drop + iifname "incusbr1" oifname "enp4s0" ip daddr 192.168.0.0/16 drop + ''; + + interfaces = { + incusbr0 = { + allowedTCPPorts = [ 53 67 ]; + allowedUDPPorts = [ 53 67 ]; + }; + incusbr1 = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 68 ]; + }; }; + + }; }; diff --git a/networking.nix b/networking.nix index cc2fc33..9c37a90 100644 --- a/networking.nix +++ b/networking.nix 
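Review bot: `hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470` pins a legacy driver branch, and as far as I know NVIDIA's 470 series is end-of-life and no longer receives security fixes for the kernel module it loads into the host, so the pin deserves a comment recording why it is required, e.g. `# 470 is the last branch that supports this GPU; EOL upstream, revisit when the card is replaced`, and a check that it is deliberate rather than copied. These options also live in hardware-configuration.nix, which nixos-generate-config regenerates and overwrites; unless that file is never regenerated here, the NVIDIA block and the `allowUnfree`/`acceptLicense` settings belong in configuration.nix. The `open = false` comment would read better as `# proprietary kernel module; the open module has no 470-series build`, if that is the reason.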
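Review bot: `trustedInterfaces = [ "incusbr1" ];` undoes the isolation this commit is after: the NixOS firewall accepts all input from a trusted interface unconditionally, so the guest on incusbr1 can reach every host service (including the NFS, SMB and SSH ports the rest of this configuration forwards), the `interfaces.incusbr1.allowed*Ports` lists below become dead, and if the module's forward-allow chain also accepts trusted interfaces ahead of `extraForwardRules` (worth checking in firewall-nftables.nix for your NixOS release) the two `drop` rules never fire either. Remove that line and keep only the per-interface port lists. The LAN drop matches only `192.168.0.0/16`, so the other private ranges and link-local are still forwarded; `iifname "incusbr1" oifname "enp4s0" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } drop` is the safer match, and the rule's comment should say which hosts sit in those ranges. Port 68 in `allowedUDPPorts` is the DHCP client port; a DHCP server listening on the bridge only needs 67.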
@@ -11,25 +11,25 @@ table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; - iifname "enp4s0" tcp dport 80 dnat to 10.94.157.2:80 - iifname "enp4s0" tcp dport 443 dnat to 10.94.157.2:443 - iifname "enp4s0" tcp dport 20 dnat to 10.94.157.2:20 - iifname "enp4s0" tcp dport 21 dnat to 10.94.157.2:21 - iifname "enp4s0" tcp dport 22 dnat to 10.94.157.2:22 - iifname "enp4s0" tcp dport 2223 dnat to 10.94.157.2:2223 - iifname "enp4s0" tcp dport 990 dnat to 10.94.157.2:990 - iifname "enp4s0" tcp dport 989 dnat to 10.94.157.2:989 - iifname "enp4s0" tcp dport 445 dnat to 10.94.157.2:445 - iifname "enp4s0" tcp dport 111 dnat to 10.94.157.2:111 - iifname "enp4s0" udp dport 111 dnat to 10.94.157.2:111 - iifname "enp4s0" tcp dport 2049 dnat to 10.94.157.2:2049 - iifname "enp4s0" udp dport 2049 dnat to 10.94.157.2:2049 - iifname "enp4s0" tcp dport 32765 dnat to 10.94.157.2:32765 - iifname "enp4s0" udp dport 32765 dnat to 10.94.157.2:32765 - iifname "enp4s0" tcp dport 32768 dnat to 10.94.157.2:32768 - iifname "enp4s0" udp dport 32768 dnat to 10.94.157.2:32768 - iifname "enp4s0" tcp dport 20048 dnat to 10.94.157.2:20048 - iifname "enp4s0" udp dport 20048 dnat to 10.94.157.2:20048 + iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80 + iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443 + iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20 + iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21 + iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22 + iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223 + iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990 + iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989 + iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445 + iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111 + iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111 + iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049 + iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049 + iifname "enp4s0" tcp dport 32765 dnat to 
10.46.32.2:32765 + iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765 + iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768 + iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768 + iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048 + iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048 } } ''; 
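Review bot: The hand-written `table ip nat` PREROUTING rules repeat, rule for rule, the `networking.nat.forwardPorts` list later in this same file, which NixOS renders into its own nat table — this commit had to update the target address in both places, and a future change that touches only one leaves the two tables disagreeing, with whichever DNAT rule is evaluated first winning silently. Keep one source of truth: either delete this ruleset block or drop `forwardPorts` and keep the raw rules, with a comment such as `# port forwards are defined once here; do not duplicate in nat.forwardPorts` at the survivor. The `networking.nftables.ruleset` string this hunk belongs to opens before the hunk.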
@@ -40,113 +40,135 @@ allowedUDPPorts = [ 111 2049 20048 32765 32768 ]; }; + bridges = { + incusbr0 = { + interfaces = []; + }; + incusbr1 = { + interfaces = []; + }; + }; + + interfaces = { + incusbr0 = { + ipv4.addresses = [ + { address = "10.46.32.1"; prefixLength = 24; } + ]; + }; + incusbr1 = { + ipv4.addresses = [ + { address = "10.46.32.1"; prefixLength = 24; } + ]; + }; + }; + nat = { enable = true; - internalInterfaces = [ "incusbr0" ]; + internalInterfaces = [ "incusbr0" "incusbr1" ]; externalInterface = "enp4s0"; forwardPorts = [ { sourcePort = 80; proto = "tcp"; - destination = "10.94.157.2:80"; + destination = "10.46.32.2:80"; } { sourcePort = 443; proto = "tcp"; - destination = "10.94.157.2:443"; + destination = "10.46.32.2:443"; } # FTP { sourcePort = 20; proto = "tcp"; - destination = "10.94.157.2:20"; + destination = "10.46.32.2:20"; } { sourcePort = 21; proto = "tcp"; - destination = "10.94.157.2:21"; + destination = "10.46.32.2:21"; } { sourcePort = 22; proto = "tcp"; - destination = "10.94.157.2:22"; + destination = "10.46.32.2:22"; } { sourcePort = 2223; proto = "tcp"; - destination = "10.94.157.2:2223"; + destination = "10.46.32.2:2223"; } { sourcePort = 990; proto = "tcp"; - destination = "10.94.157.2:990"; + destination = "10.46.32.2:990"; } { sourcePort = 989; proto = "tcp"; - destination = "10.94.157.2:989"; + destination = "10.46.32.2:989"; } { sourcePort = 21; proto = "tcp"; - destination = "10.94.157.2:21"; + destination = "10.46.32.2:21"; } # SMB { sourcePort = 445; proto = "tcp"; - destination = "10.94.157.2:445"; + destination = "10.46.32.2:445"; } # NFS { sourcePort = 111; proto = "tcp"; - destination = "10.94.157.2:111"; + destination = "10.46.32.2:111"; } { sourcePort = 111; proto = "udp"; - destination = "10.94.157.2:111"; + destination = "10.46.32.2:111"; } { sourcePort = 2049; proto = "tcp"; - destination = "10.94.157.2:2049"; + destination = "10.46.32.2:2049"; } { sourcePort = 2049; proto = "udp"; - destination = 
"10.94.157.2:2049"; + destination = "10.46.32.2:2049"; } { sourcePort = 32765; proto = "tcp"; - destination = "10.94.157.2:32765"; + destination = "10.46.32.2:32765"; } { sourcePort = 32765; proto = "udp"; - destination = "10.94.157.2:32765"; + destination = "10.46.32.2:32765"; } { sourcePort = 32768; proto = "tcp"; - destination = "10.94.157.2:32768"; + destination = "10.46.32.2:32768"; } { sourcePort = 32768; proto = "udp"; - destination = "10.94.157.2:32768"; + destination = "10.46.32.2:32768"; } { sourcePort = 20048; proto = "tcp"; - destination = "10.94.157.2:20048"; + destination = "10.46.32.2:20048"; } { sourcePort = 20048; proto = "udp"; - destination = "10.94.157.2:20048"; + destination = "10.46.32.2:20048"; } ]; };