| 16 Aug 2021 |
matthewcroughan - nix.zone | what about .enable .internalIPs and externalInterface? | 23:25:38 |
CRTified | You'll probably need to enable nat, too | 23:25:38 |
CRTified | Oh yes, at least the internal and external interfaces should be set | 23:25:59 |
CRTified | * Oh yes, at least the internal and external interfaces should be set | 23:26:12 |
matthewcroughan - nix.zone | Is it possible for me to lock myself out of the machine? | 23:26:28 |
CRTified | (Sorry, on mobile/in bed already) | 23:26:33 |
CRTified | In reply to @matthewcroughan:defenestrate.it Is it possible for me to lock myself out of the machine? Yes, definitely | 23:26:41 |
matthewcroughan - nix.zone | I wish nixos-rebuild test had a --rollback-timer option :D | 23:26:53 |
CRTified | In reply to @matthewcroughan:defenestrate.it I wish nixos-rebuild test had a --rollback-timer option :D Shouldn't that be doable? One-shot systemd timer in a different root config? 🤔 | 23:28:05 |
matthewcroughan - nix.zone | deploy-rs does it, somehow | 23:28:18 |
eyJhb | Nixus ;) | 23:35:37 |
| 17 Aug 2021 |
| putchar joined the room. | 09:51:02 |
nixinator | In reply to @matthewcroughan:defenestrate.it I wish nixos-rebuild test had a --rollback-timer option :D `nixos-rebuild switch; sleep 60; nixos-rebuild switch --rollback` :-) | 11:25:02 |
nixinator | In reply to @matthewcroughan:defenestrate.it I wish nixos-rebuild test had a --rollback-timer option :D * nixos-rebuild switch; sleep 60; nixos-rebuild switch --rollback :-) | 11:25:15 |
nixinator | you may have to nohup that if you lose your shell connection. | 11:25:48 |
nixinator | if you don't want the complexities of nat translation you can socat, ncat, goproxy and all sorts of other tcp forwarding goodies, some also have cool features :-) | 11:35:45 |
nixinator | you'll probably lose a slight bit of performance as it's not in kernel, but depends what your loads are. | 11:42:11 |
CRTified | In reply to @matthewcroughan:defenestrate.it Is it possible for me to lock myself out of the machine? Didn't properly think about this. It depends on how you access the machine. Messing with networking can easily lock you out of SSH or other network-based administration options, but if you're at the machine (i.e. keyboard/mouse/screen or UART or something similar), it's hard to not be able to fix it | 11:45:48 |
nixinator | networking, there's a lot to think about, more developers than you care to think about don't understand it, especially the lower layers... but that's the beauty of abstractions, you don't have to understand what they are doing :-) | 13:03:45 |
eyJhb | Also recommend looking at nftables instead of iptables. I still do suck at it, but there are some experts in here, as well as some people in #netfilter on Libera that are very nice! | 15:28:26 |
hexa | I do love ferm, but it's "stuck" with iptables | 15:52:22 |
hexa | It has the most convenient syntactic sugar | 15:52:45 |
hexa | I am using plain nft these days and it has lots of rough edges | 15:53:29 |
hexa | Not really sure if my only benefit is learning nft 😅 | 15:54:25 |
andi- | Testing nft is a pain. The whole story around verifying your file is syntactically correct already sucks. | 15:55:36 |
CRTified | Just for clarification: it looks like nftables is intended to replace iptables/arptables and more in the long run, correct? If that's the case, it's probably a good idea to start using it and to get used to it | 15:56:30 |
hexa | Composing it in nixos is also not straight-forward, the module is lacking | 15:56:49 |
andi- | In reply to @schnecfk:ruhr-uni-bochum.de Just for clarification: it looks like nftables is intended to replace iptables/arptables and more in the long run, correct? If that's the case, it's probably a good idea to start using it and to get used to it iptables is already using it under the hood. | 15:56:50 |
hexa | There is the iptables-nft wrapper ^ | 15:57:19 |
CRTified | In reply to @andi:kack.it iptables is already using it under the hood. Then the question is whether that compatibility layer is intended to stay, or whether it'll be deprecated some day | 16:05:53 |