37 lines
828 B
Nix
37 lines
828 B
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
virtualisation.incus.enable = true;
|
|
networking = {
|
|
nftables.enable = true;
|
|
firewall = {
|
|
enable = true;
|
|
trustedInterfaces = [ "incusbr1" ];
|
|
filterForward = true;
|
|
|
|
extraForwardRules = ''
|
|
# if crusader tries to go to varian or truenas, BLOCK
|
|
iifname "incusbr1" oifname "incusbr0" drop
|
|
iifname "incusbr1" oifname "enp4s0" ip daddr 192.168.0.0/16 drop
|
|
'';
|
|
|
|
interfaces = {
|
|
incusbr0 = {
|
|
allowedTCPPorts = [ 53 67 ];
|
|
allowedUDPPorts = [ 53 67 ];
|
|
};
|
|
incusbr1 = {
|
|
allowedTCPPorts = [ 53 ];
|
|
allowedUDPPorts = [ 53 67 68 ];
|
|
};
|
|
};
|
|
|
|
|
|
};
|
|
};
|
|
|
|
# Load the kernel volume for lvm thin provisioning
|
|
boot.kernelModules = [ "dm_thin_pool" "dm_snapshot" ];
|
|
}
|
|
|