summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2023-01-18 20:07:18 +0100
committerlassulus <lassulus@lassul.us>2023-01-18 20:07:18 +0100
commitd9d0fbd0406873648c985d2b96d2a52c91f9fc9e (patch)
treed814df30dadfca8367b07504466f999abe34532c
parent4d64e1755794cd8364afce6dbcbea72c04466dfa (diff)
l sync-containers3: configure NAT more directly
-rw-r--r--lass/3modules/sync-containers3.nix12
1 files changed, 10 insertions, 2 deletions
diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix
index 7966f4097..8f6f74a3c 100644
--- a/lass/3modules/sync-containers3.nix
+++ b/lass/3modules/sync-containers3.nix
@@ -282,14 +282,19 @@ in {
})
(lib.mkIf (cfg.containers != {}) {
# networking
+
+ # needed because otherwise we lose local dns
+ environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
systemd.network.networks.ctr0 = {
name = "ctr0";
address = [
"10.233.0.1/24"
];
networkConfig = {
- IPForward = "yes";
- IPMasquerade = "both";
+ # IPForward = "yes";
+ # IPMasquerade = "both";
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
};
@@ -306,6 +311,9 @@ in {
{ predicate = "-i ctr0"; target = "ACCEPT"; }
{ predicate = "-o ctr0"; target = "ACCEPT"; }
];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }
+ ];
})
(lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {};