sarcasticadmin has quit [Ping timeout: 258 seconds]
sarcasticadmin has joined #nixos-on-your-router
sarcasticadmin has quit [Client Quit]
nullheroes has joined #nixos-on-your-router
night has quit [Ping timeout: 240 seconds]
NightA has joined #nixos-on-your-router
NightA is now known as night
lopsided98 has quit [Quit: No Ping reply in 180 seconds.]
lopsided98 has joined #nixos-on-your-router
teto has joined #nixos-on-your-router
superherointj has joined #nixos-on-your-router
superherointj has quit [Quit: Leaving]
superherointj has joined #nixos-on-your-router
RN1986239 has joined #nixos-on-your-router
superherointj has quit [Quit: Leaving]
ottidmes has quit [Ping timeout: 256 seconds]
ottidmes has joined #nixos-on-your-router
<mdlayher>
i recommend nftables if you're willing to make the switch. it's very expressive.
RN1986239_ has joined #nixos-on-your-router
RN1986239 has quit [Quit: bye]
teto has quit [Quit: WeeChat 2.9]
<hexa->
again: the nixos module isn't really composable yet
<hexa->
and I feel too dumb to change that.
<hexa->
firewall rules need to be kept alongside their service, i.e. i include service X … bam … firewall changes
<hexa->
and that must not introduce arbitrary ordering
<gchristensen>
it is a bit tricky to do that, since the firewall rules shouldn't be very opinionated
<NinjaTrappeur>
I'm not sure firewall rules are that composable.
<NinjaTrappeur>
Especially nftables
<gchristensen>
maybe we could run all the systemd services in their own namespace and use that as a building block for composable firewall rules
<hexa->
i'm currently including /etc/nftables.d/*.nft and that has <prio>-<service>.nft file names
<hexa->
i'm one reload mechanism short, will probably go for .path unit
<hexa->
also nft isn't really checkable
<hexa->
needs root permissions to do just about anything
<hexa->
(re again: sorry, didn't mean for that to come across as snappy, wasn't meant that way)
<hexa->
individual namespaces will primarily block crosstalk, you'd need to loosen that up again for $service to talk to $database again
<gchristensen>
yeah
<hexa->
and netns specifically will break the localhost assumptions of many users
<NinjaTrappeur>
Maybe all we need is nix-compose? :P
<hexa->
hehe
<NinjaTrappeur>
I'm not a fan of trying to abstract over nftables, nor splitting up the firewall definition at several places, especially between the nixos config and the nixpkgs modules definitions.
<cransom>
imo, once you get into a spot where there's automatic firewall rules, that level of magic is so super hard to maintain or operate once you are off the path. especially when you have things like docker that start up and start doing its own thing
superherointj has joined #nixos-on-your-router
clever has quit [*.net *.split]
clever has joined #nixos-on-your-router
<Church->
Okay, serial console emulators are awful.
* Church-
goes back to trying to get nixOS installed on this thing.
<Church->
Oh well that's fun, 20.03 minimal image can't boot on my apu2... hmm.
superherointj has quit [Quit: Leaving]
RN1986239_ has quit [Quit: bye]
RN1986239 has joined #nixos-on-your-router
<hpfr>
Is systemd networkd in a good enough state on NixOS yet to base a router on it? I’ve been on opnsense for a while and I’ve been waiting to switch to avoid reinventing it twice