| 10 Mar 2024 |
 adamcstephens | In reply to @cmspam:matrix.org
adamcstephens 🐝: Yes, it would have made much more sense to put it there :D
The code review you put requesting changes to requires, the changes have been fulfilled. Have I submitted that correctly and it's back to you, or I need to do something further to indicate it's implemented in github? Yeah it’s back to me. I’ll take a look, probably this evening, and get back to you | 22:44:39 |
| 14 Mar 2024 |
|  NixOS Moderation Botchanged room power levels. | 18:44:26 |
| 18 Mar 2024 |
 mkg20001 | Should we add networking.firewall.trustedInterfaces = [ "incusbr*" ]; as part of the default incus configuration? Or is there a better solution? | 13:45:05 |
| mkg20001 | people are running into this quite often: https://discuss.linuxcontainers.org/t/incus-on-nixos-with-tailscale-on-the-side-no-internet-access-for-the-containers/19385/2 | 13:45:43 |
| adamcstephens | unfortunately they could name the bridge whatever they want | 13:48:08 |
| adamcstephens | incusbr0 is a convention (following on lxdbr0) but you could just as easily name the network/bridge myfavbr0 | 13:48:49 |
| adamcstephens | i'm hoping to start building out a wiki page once Wiki 2 is official | 13:50:47 |
| adamcstephens | maybe this advice could live there? | 13:50:55 |
| adamcstephens | * i'm hoping to start building out a wiki page once Wiki 2 is live | 13:51:08 |
| mkg20001 | wiki 2? | 13:51:38 |
| adamcstephens | https://discourse.nixos.org/t/official-nixos-wiki/38715 | 13:52:00 |
| adamcstephens | or whatever we want to call it :) | 13:52:15 |
| mkg20001 | i'm thinking if there is a good way to make incus work by default | 13:53:23 |
| mkg20001 | I've seen your paste aswell with the nftables rules, but I feel like the real fix is just adding a hook to lxd that it adds the trusted interface dynamically, as otherwise we end up trying to allow everything lxd wants, while lxd may or may not require something extra depending on it's settings... we could use named sets to achive the trusted interface change dynamically and temporarly | 13:53:50 |
| mkg20001 | https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets_specifications | 13:54:28 |
| mkg20001 | This. Also tables can be flushed in such a way that all sets remain with their values. | 13:54:53 |
| mkg20001 | this would not only be useful for incus, but also for virsh, etc. | 13:55:43 |
| mkg20001 | s/lxd/incus/ | 13:56:14 |
| adamcstephens | since we're enforcing nftables now, we could also do something like
networking.nftables = {
enable = true;
tables.allow-forward = {
family = "inet";
content = ''
chain forward {
type filter hook forward priority 0;
accept
}
'';
};
};
| 13:56:27 |
| adamcstephens | though i guess that doesn't help for dnsmasq | 13:57:16 |
| mkg20001 | that allows all forward traffic. for all interfaces. now i need to go and deny by default any forwards from interfaces that aren't part of incus. | 13:57:58 |
| mkg20001 | * that allows all forward traffic. for all interfaces. now i need to go and deny by default any forward traffic from interfaces that aren't part of incus. | 13:58:04 |
| mkg20001 | if i have, say, a vpn or something else on that server | 13:58:21 |
| adamcstephens | yeah | 13:58:36 |
| adamcstephens | this is the problem with defaulting firewall rules :) | 13:58:44 |
| mkg20001 | what do you think of the named set? should i go implement that? | 13:59:08 |
| adamcstephens | so what does that look like? a table that allows a named set of interfaces for trusting, and what updates that set/ | 13:59:47 |
| adamcstephens | * so what does that look like? a table that allows a named set of interfaces for trusting, and what updates that set? | 13:59:49 |
| adamcstephens | how would you hook into incus/lxd? | 14:01:06 |
| mkg20001 | nft add element inet nixos-fw trustedintfs { incusbr0 } is the command to add to the set | 14:02:23 |
