create special network for crusader which cannot ping lan

hardware-configuration.nix

@@ -8,11 +8,26 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
+  # 1) Make sure vfio and vfio_pci are in the initrd
+  boot.initrd.kernelModules = [ "vfio" "vfio_pci" ];
+
+  # 2) Also load them again in the running system
+  boot.kernelModules = [ "vfio" "vfio_pci" ];
+
+  # 3) Kernel params to turn on IOMMU and bind your card to vfio-pci
+  boot.kernelParams = lib.mkForce [
+    # for AMD hosts (use the intel line if you’re on Intel)
+    "amd_iommu=on"
+    "iommu=pt"
+
+    # helps isolate PCIe ports if your card shares groups
+    "pci_acs_override=downstream,multifunction"
+
+    # <<< the important bit: early vfio binding for 1b4b:9215 >>>
+    "vfio-pci.ids=1b4b:9215"
+  ];
+
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" "vfio_pci" ];
-  boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "pci_acs_override=downstream,multifunction" ];
-  boot.extraModulePackages = [ ];
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; }
@@ -27,4 +42,15 @@
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia = {
+    package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+    modesetting.enable = true;
+    powerManagement.enable = true;
+    open = false; # <--- this must be false for proprietary
+    nvidiaSettings = true;
+  };
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.nvidia.acceptLicense = true;
 }

incus.nix

@@ -4,11 +4,29 @@
   virtualisation.incus.enable = true;
   networking = {
     nftables.enable = true;
-    firewall.interfaces = {
+    firewall = {
-      incusbr0 = {
+      enable = true;
-        allowedTCPPorts = [ 53 67 ];
+      trustedInterfaces = [ "incusbr1" ];
-        allowedUDPPorts = [ 53 67 ];
+      filterForward = true;
+
+      extraForwardRules = ''
+        # if crusader tries to go to varian or truenas, BLOCK
+        iifname "incusbr1" oifname "incusbr0" drop
+        iifname "incusbr1" oifname "enp4s0" ip daddr 192.168.0.0/16 drop
+      '';
+
+      interfaces = {
+        incusbr0 = {
+          allowedTCPPorts = [ 53 67 ];
+          allowedUDPPorts = [ 53 67 ];
+        };
+        incusbr1 = {
+          allowedTCPPorts = [ 53 ];
+          allowedUDPPorts = [ 53 67 68 ];
+        };
       };
+
+      
     };
   };
 

networking.nix

@@ -11,25 +11,25 @@
           table ip nat {
             chain PREROUTING {
               type nat hook prerouting priority dstnat; policy accept;
-              iifname "enp4s0" tcp dport 80 dnat to 10.94.157.2:80
+              iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80
-              iifname "enp4s0" tcp dport 443 dnat to 10.94.157.2:443
+              iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443
-              iifname "enp4s0" tcp dport 20 dnat to 10.94.157.2:20
+              iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20
-              iifname "enp4s0" tcp dport 21 dnat to 10.94.157.2:21
+              iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21
-              iifname "enp4s0" tcp dport 22 dnat to 10.94.157.2:22
+              iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22
-              iifname "enp4s0" tcp dport 2223 dnat to 10.94.157.2:2223
+              iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223
-              iifname "enp4s0" tcp dport 990 dnat to 10.94.157.2:990
+              iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990
-              iifname "enp4s0" tcp dport 989 dnat to 10.94.157.2:989
+              iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989
-              iifname "enp4s0" tcp dport 445 dnat to 10.94.157.2:445
+              iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445
-              iifname "enp4s0" tcp dport 111 dnat to 10.94.157.2:111
+              iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111
-              iifname "enp4s0" udp dport 111 dnat to 10.94.157.2:111
+              iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111
-              iifname "enp4s0" tcp dport 2049 dnat to 10.94.157.2:2049
+              iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049
-              iifname "enp4s0" udp dport 2049 dnat to 10.94.157.2:2049
+              iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049
-              iifname "enp4s0" tcp dport 32765 dnat to 10.94.157.2:32765
+              iifname "enp4s0" tcp dport 32765 dnat to 10.46.32.2:32765
-              iifname "enp4s0" udp dport 32765 dnat to 10.94.157.2:32765
+              iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765
-              iifname "enp4s0" tcp dport 32768 dnat to 10.94.157.2:32768
+              iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768
-              iifname "enp4s0" udp dport 32768 dnat to 10.94.157.2:32768
+              iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768
-              iifname "enp4s0" tcp dport 20048 dnat to 10.94.157.2:20048
+              iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048
-              iifname "enp4s0" udp dport 20048 dnat to 10.94.157.2:20048
+              iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048
             }
           }
       '';
@@ -40,113 +40,135 @@
       allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
     };
 
+    bridges = {
+      incusbr0 = {
+        interfaces = [];
+      };
+      incusbr1 = {
+        interfaces = [];
+      };
+    };
+
+    interfaces = {
+      incusbr0 = {
+        ipv4.addresses = [
+          { address = "10.46.32.1"; prefixLength = 24; }
+        ];
+      };
+      incusbr1 = {
+        ipv4.addresses = [
+          { address = "10.46.32.1"; prefixLength = 24; }
+        ];
+      };
+    };
+
     nat = {
       enable = true;
-      internalInterfaces = [ "incusbr0" ];
+      internalInterfaces = [ "incusbr0" "incusbr1" ];
       externalInterface = "enp4s0";
       forwardPorts = [
         {
           sourcePort = 80;
           proto = "tcp";
-          destination = "10.94.157.2:80";
+          destination = "10.46.32.2:80";
         }
         {
           sourcePort = 443;
           proto = "tcp";
-          destination = "10.94.157.2:443";
+          destination = "10.46.32.2:443";
         }
         # FTP
         {
           sourcePort = 20;
           proto = "tcp";
-          destination = "10.94.157.2:20";
+          destination = "10.46.32.2:20";
         }
         {
           sourcePort = 21;
           proto = "tcp";
-          destination = "10.94.157.2:21";
+          destination = "10.46.32.2:21";
         }
         {
           sourcePort = 22;
           proto = "tcp";
-          destination = "10.94.157.2:22";
+          destination = "10.46.32.2:22";
         }
         {
           sourcePort = 2223;
           proto = "tcp";
-          destination = "10.94.157.2:2223";
+          destination = "10.46.32.2:2223";
         }
         {
           sourcePort = 990;
           proto = "tcp";
-          destination = "10.94.157.2:990";
+          destination = "10.46.32.2:990";
         }
         {
           sourcePort = 989;
           proto = "tcp";
-          destination = "10.94.157.2:989";
+          destination = "10.46.32.2:989";
         }
         {
           sourcePort = 21;
           proto = "tcp";
-          destination = "10.94.157.2:21";
+          destination = "10.46.32.2:21";
         }
         # SMB
         {
           sourcePort = 445;
           proto = "tcp";
-          destination = "10.94.157.2:445";
+          destination = "10.46.32.2:445";
         }
         # NFS
         {
           sourcePort = 111;
           proto = "tcp";
-          destination = "10.94.157.2:111";
+          destination = "10.46.32.2:111";
         }
         {
           sourcePort = 111;
           proto = "udp";
-          destination = "10.94.157.2:111";
+          destination = "10.46.32.2:111";
         }
         {
           sourcePort = 2049;
           proto = "tcp";
-          destination = "10.94.157.2:2049";
+          destination = "10.46.32.2:2049";
         }
         {
           sourcePort = 2049;
           proto = "udp";
-          destination = "10.94.157.2:2049";
+          destination = "10.46.32.2:2049";
         }
         {
           sourcePort = 32765;
           proto = "tcp";
-          destination = "10.94.157.2:32765";
+          destination = "10.46.32.2:32765";
         }
         {
           sourcePort = 32765;
           proto = "udp";
-          destination = "10.94.157.2:32765";
+          destination = "10.46.32.2:32765";
         }
         {
           sourcePort = 32768;
           proto = "tcp";
-          destination = "10.94.157.2:32768";
+          destination = "10.46.32.2:32768";
         }
         {
           sourcePort = 32768;
           proto = "udp";
-          destination = "10.94.157.2:32768";
+          destination = "10.46.32.2:32768";
         }
         {
           sourcePort = 20048;
           proto = "tcp";
-          destination = "10.94.157.2:20048";
+          destination = "10.46.32.2:20048";
         }
         {
           sourcePort = 20048;
           proto = "udp";
-          destination = "10.94.157.2:20048";
+          destination = "10.46.32.2:20048";
         }
       ];
     };