| 27 Jul 2025 |
|  sodiboo joined the room. | 13:17:46 |
| 28 Jul 2025 |
 emily | https://github.com/systemd/systemd/commit/5c68c51045c27d77b7afc211df7304a958d8cf24 | 13:32:24 |
| emily | 🪦 | 13:32:33 |
| emily | we should probably kill off some of our iptables detritus | 13:34:21 |
| emily | though probably much of it will die with scripted networking already | 13:34:50 |
| emily | wow apparently Docker still does not support nftables | 13:35:10 |
| emily |
Our initial plan was to include nftables support in v29, but it's not going to make it as the first RC is scheduled for July 10 (although this date might slip). The implementation itself is in good shape, but it needs thorough review before it can be merged and released. We've an Epic open here to track the work left: moby/moby#49634.
| 13:35:22 |
| emily | thankfully they have an Epic | 13:35:26 |
 magic_rb | No it doesnt, along with "youd be surprised how many things" | 13:35:35 |
| emily | hopefully it will achieve For the Win status in a timely manner | 13:35:37 |
| magic_rb | In reply to @emilazy:matrix.org
we should probably kill off some of our iptables detritus Yes please, lets kill it with fire, its 2025 | 13:36:01 |
| emily | frankly the NixOS firewall probably just does not work well with half of them anyway | 13:36:04 |
| emily | but I expect we can kill any remaining iptables nonsense at the same time as scripted networking | 13:36:21 |
| emily | also it would be real nice to use firewalld or something instead of homegrown stuff for that | 13:36:35 |
| emily | but that's another whole project | 13:36:37 |
| magic_rb | Id say no firewall works well with them because interoperability at the iptables/nftables level is grossly at the wrong level, but thats another separate rant | 13:37:02 |
 Molly Miller | getting docker to work with scripted networking and iptables is a bit painful but doable | 13:38:20 |
| Molly Miller | (ask me how i know, etc etc) | 13:38:30 |
| magic_rb | I personally gave up, i put k3s (containerd) into a separate network namespace and do the firewalling on the outside | 13:39:17 |
 Marcel | Ifstate is not in the release phase for V2 so I am preparing to upstream the nix module to nixpkgs. The question is if the options should be under networking.ifstate or services.ifstate or somewhere different? That's hot it's currently done in my flake: https://search.nüschtos.de/?scope=IfState.nix | 16:01:33 |
| Marcel | * | 16:01:58 |
| Marcel | * | 16:02:08 |
| Marcel | * | 16:02:33 |
| Marcel | * Ifstate is now in the release candidate phase for V2 so I am preparing to upstream the nix module to nixpkgs. The question is if the options should be under networking.ifstate or services.ifstate or somewhere different? That's how it's currently done in my flake: https://search.nüschtos.de/?scope=IfState.nix
Services.ifstate might not be optimal because it's not a daemon and only runs on boot or rebuild
| 16:03:46 |
 adamcstephens | networking.ifstate seems reasonable to me | 16:06:06 |
 Zhaofeng Li | interesting, what's your setup like? I might do something similar, but for the wrong reasons :p | 16:13:06 |
| Zhaofeng Li | (launch k3s from k8s) | 16:13:19 |
| magic_rb | In reply to @zhaofeng:zhaofeng.li
interesting, what's your setup like? I might do something similar, but for the wrong reasons :p uh, i use systemd-nspawn with some convincing and i wrote a simple k3s module for NixNG | 16:17:21 |
| magic_rb | https://git.sr.ht/~magic_rb/uk3s.nix/tree/master/item/nixos/modules these modules | 16:17:52 |
| magic_rb | https://git.sr.ht/~magic_rb/uk3s.nix/tree/master/item/nixos/modules/uk3s.nix#L341 this specifically is what you need to run k3s in a nspawn container | 16:18:40 |
