author | lassulus <lassulus@lassul.us> | 2023-01-18 20:07:18 +0100 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2023-01-18 20:07:18 +0100 |
commit | d9d0fbd0406873648c985d2b96d2a52c91f9fc9e (patch) | |
tree | d814df30dadfca8367b07504466f999abe34532c | |
parent | 4d64e1755794cd8364afce6dbcbea72c04466dfa (diff) |
l sync-containers3: configure NAT more directly
-rw-r--r-- | lass/3modules/sync-containers3.nix | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix
index 7966f4097..8f6f74a3c 100644
--- a/lass/3modules/sync-containers3.nix
+++ b/lass/3modules/sync-containers3.nix
@@ -282,14 +282,19 @@ in {
 })
 (lib.mkIf (cfg.containers != {}) {
 # networking
+
+ # needed because otherwise we lose local dns
+ environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
 systemd.network.networks.ctr0 = {
 name = "ctr0";
 address = [ "10.233.0.1/24" ];
 networkConfig = {
- IPForward = "yes";
- IPMasquerade = "both";
+ # IPForward = "yes";
+ # IPMasquerade = "both";
 ConfigureWithoutCarrier = true;
 DHCPServer = "yes";
 };
@@ -306,6 +311,9 @@ in {
 { predicate = "-i ctr0"; target = "ACCEPT"; }
 { predicate = "-o ctr0"; target = "ACCEPT"; }
 ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }
+ ];
 })
 (lib.mkIf cfg.inContainer.enable {
 users.groups.container_sync = {};
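Review bot: The new `boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;` turns on forwarding for the whole host, whereas the networkd `IPForward = "yes"` it replaces was scoped to ctr0; the only ACCEPT rules visible in this diff are `-i ctr0` / `-o ctr0`, so whether traffic between the host's other interfaces is now forwarded depends on the FORWARD chain's default policy, which is outside the hunk and worth confirming. The two options are kept as `# IPForward = "yes";` / `# IPMasquerade = "both";` rather than deleted; dead config tends to get re-enabled by accident, so I'd drop them and leave a one-line reason such as `# forwarding and NAT are handled via sysctl and krebs.iptables below, not by networkd`. The comment on the resolv.conf line says only that local DNS is otherwise lost; naming what overrides it (and why `lib.mkForce` rather than `lib.mkDefault` is required) would help the next reader decide whether the force is still needed, assuming there is a competing definition — I cannot see one here.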
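Review bot: The POSTROUTING rule `{ v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }` has no output-interface match, so every packet sourced from the container subnet is masqueraded on whatever interface it leaves, including any path that routes it back onto ctr0. Scoping it with `predicate = "-s 10.233.0.0/24 ! -o ctr0";` keeps NAT to traffic actually leaving the container network and preserves container source addresses on ctr0, which also keeps logs and any per-source filter rules meaningful. `v6 = false` is consistent with the sysctl only enabling IPv4 forwarding; if IPv6 for containers is intended later, both sides need a matching change. The enclosing mkIf block and the chain these ACCEPT rules belong to start before the hunk, so I have not verified the filter side.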