machine_setup/nix/kubernetes/roles/firewall/default.nix

{
  config,
  lib,
  ...
}:

{
  imports = [ ];

  options.me = {
    firewall.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install firewall.";
    };
  };

  config = lib.mkIf config.me.firewall.enable {
    # kernel modules and settings required by Kubernetes
    boot.kernelModules = [
      "overlay"
      "br_netfilter"
    ];
    boot.kernel.sysctl = {
      "net.bridge.bridge-nf-call-iptables" = 1;
      "net.bridge.bridge-nf-call-ip6tables" = 1;
      "net.ipv4.ip_forward" = 1;

      # Enable forwarding on all interfaces.
      # "net.ipv4.conf.all.forwarding" = 1;
      # "net.ipv6.conf.all.forwarding" = 1;
    };

    networking.firewall.enable = false;
    networking.nftables.enable = true;
    # We want to filter forwarded traffic.
    # Also needed for `networking.firewall.extraForwardRules` to do anything.
    networking.firewall.filterForward = true;

    networking.firewall.extraInputRules = ''
      ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
      ip6 saddr fd00:3e42:e349::/112 accept
      ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
    '';

    networking.firewall.extraForwardRules = ''
      ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
      ip6 daddr fd00:3e42:e349::/112 accept
      ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
    '';

    # Check logs for blocked connections:
    # journalctl -k or dmesg

    networking.nftables.tables."my-fw" = {
      family = "inet";
      content = (builtins.readFile ./files/my-fw.nft);
    };
  };
}
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`{`
			`config,`
			`lib,`
			`...`
			`}:`

			`{`
			`imports = [ ];`

			`options.me = {`
			`firewall.enable = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`example = true;`
			`description = "Whether we want to install firewall.";`
			`};`
			`};`

			`config = lib.mkIf config.me.firewall.enable {`
			`# kernel modules and settings required by Kubernetes`
			`boot.kernelModules = [`
			`"overlay"`
			`"br_netfilter"`
			`];`
			`boot.kernel.sysctl = {`
			`"net.bridge.bridge-nf-call-iptables" = 1;`
			`"net.bridge.bridge-nf-call-ip6tables" = 1;`
			`"net.ipv4.ip_forward" = 1;`
Enable the firewall. Now that we have networking working, I can enable the firewall and confirm nothing breaks. 2026-01-01 10:21:36 -05:00
			`# Enable forwarding on all interfaces.`
			`# "net.ipv4.conf.all.forwarding" = 1;`
			`# "net.ipv6.conf.all.forwarding" = 1;`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`};`

Enable the firewall. Now that we have networking working, I can enable the firewall and confirm nothing breaks. 2026-01-01 10:21:36 -05:00			`networking.firewall.enable = false;`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`networking.nftables.enable = true;`
			`# We want to filter forwarded traffic.`
			# Also needed for `networking.firewall.extraForwardRules` to do anything.
			`networking.firewall.filterForward = true;`
Some networking fixes. 2025-12-18 22:28:03 -05:00
Enable the firewall. Now that we have networking working, I can enable the firewall and confirm nothing breaks. 2026-01-01 10:21:36 -05:00			`networking.firewall.extraInputRules = ''`
			`ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept`
			`ip6 saddr fd00:3e42:e349::/112 accept`
			`ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept`
			`'';`

			`networking.firewall.extraForwardRules = ''`
			`ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept`
			`ip6 daddr fd00:3e42:e349::/112 accept`
			`ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept`
			`'';`
Some networking fixes. 2025-12-18 22:28:03 -05:00
			`# Check logs for blocked connections:`
			`# journalctl -k or dmesg`
Add a custom nftables firewall config. 2026-01-02 23:28:29 -05:00
			`networking.nftables.tables."my-fw" = {`
			`family = "inet";`
			`content = (builtins.readFile ./files/my-fw.nft);`
			`};`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`};`
			`}`