23 Feb 2024 |
hexa | everyone can lib.mkForce whatever they want | 19:19:43 |
adamcstephens | (networking.firewall.enable && !networking.nftables.enable) && virtualisation.incus.enable | 19:25:38 |
adamcstephens | throw an error if that evaluates to true | 19:25:52 |
adamcstephens | * networking.firewall.enable && !networking.nftables.enable && virtualisation.incus.enable | 19:25:58 |
adamcstephens | is that too aggressive of a change? :) | 19:28:49 |
hexa | what would be the motivation? | 19:30:39 |
adamcstephens | incus manages its own firewall rules, and it's easier to support a single integration | 19:39:05 |
adamcstephens | the motivation comes from at least one user for whom switching to nftables just fixed the issue https://github.com/lxc/incus/issues/525 | 19:39:38 |
adamcstephens | specifically this comment: https://github.com/lxc/incus/issues/525#issuecomment-1961862060 | 19:40:22 |
adamcstephens | (there are two users for some reason in this issue) | 19:40:30 |
hexa | yeah, then just assert with a link to documentation on why this has become necessary, maybe | 19:40:35 |
adamcstephens | if you're curious, here's an nftable dump from my test machine https://paste.sr.ht/~adamcstephens/28d559730979803b0b1372e200d1013c1a783a4f | 19:42:19 |
24 Feb 2024 |
mkg20001 | myself i just add all the interfaces to trustedInterfaces and that fixes that | 03:52:51 |
mkg20001 | we could have a named set in nftables and patch incus to append its own interfaces to that | 03:53:24 |
mkg20001 | basically adding trusted interfaces at runtime | 03:53:39 |
adamcstephens | the incus table you can see in my paste should cover what using trustedInterfaces does. namely allow dnsmasq requests from incus networks. | 04:29:42 |
adamcstephens | the multiple table model of nftables makes the firewall rules much cleaner, and allows for better integration with other components that modify firewalls. e.g. docker. | 04:32:11 |
adamcstephens | https://github.com/NixOS/nixpkgs/pull/290959 | 13:09:05 |
adamcstephens | I went ahead and added stgraber's video release notes 😁 | 13:09:29 |
mkg20001 | ah i missed the ! in the assertion | 14:36:00 |
25 Feb 2024 |
steveej | has anyone here tried integration with nomad and the lxc driver? i'm also interested in any other attempt to reuse the nixos modules to define services on nomad | 17:09:52 |
26 Feb 2024 |
adamcstephens | i've not seen anything like that | 00:43:22 |
hexa | what would nomad integration do? | 00:43:43 |
hexa | replace lxc? | 00:43:45 |
adamcstephens | i haven't looked but i assume it's a different exec backend, e.g. docker alternative | 00:49:20 |
adamcstephens | so nomad would start lxc containers | 00:53:40 |
adamcstephens | they apparently call them "task drivers" and the lxc one doesn't seem to get much love. https://github.com/hashicorp/nomad-driver-lxc | 00:54:16 |
adamcstephens | it would need to support lxc 5, which is questionable given the issues about supporting 4 | 01:06:37 |
steveej | (in reply to @hexa:lossy.network: "replace lxc?") replace incus, especially if used as a cluster manager | 14:53:02 |
hexa | huh ok. | 14:53:18 |