{
  config,
  lib,
  ...
}:
let
  cfg = config.me.firewall;

  # Pod address ranges referenced by every rule below.  Kept in one place so
  # the rpfilter, input and forward rules cannot drift apart.
  podNet4 = "10.200.0.0/16";
  podNet6 = "2620:11f:7001:7:ffff:eeee::/96";

  # Glob matched against the ingress interface name for per-pod interfaces.
  podIfaceGlob = "lxc*";

  # Rule groups are separate strings joined with a blank line so the rendered
  # nft ruleset stays readable.
  joinRules = lib.concatStringsSep "\n";
in
{
  imports = [ ];

  options.me.firewall.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    example = true;
    description = "Whether we want to install firewall.";
  };

  config = lib.mkIf cfg.enable {
    # Kubernetes prerequisites: overlay for container filesystems, br_netfilter
    # so bridged pod traffic is seen by the netfilter hooks toggled below.
    boot.kernelModules = [
      "overlay"
      "br_netfilter"
    ];
    boot.kernel.sysctl = {
      "net.bridge.bridge-nf-call-iptables" = 1;
      "net.bridge.bridge-nf-call-ip6tables" = 1;
      "net.ipv4.ip_forward" = 1;
      # Per-interface forwarding knobs are left commented out as in the
      # original configuration.
      # NOTE(review): net.ipv6.conf.all.forwarding is not enabled here even
      # though IPv6 forward rules are installed below; confirm the CNI or
      # another module turns it on, otherwise those rules never match.
      # "net.ipv4.conf.all.forwarding" = 1;
      # "net.ipv6.conf.all.forwarding" = 1;
    };

    networking.firewall.enable = true;
    networking.nftables.enable = true;

    # Filter forwarded traffic as well as input.  Without this the forward
    # chain is not policed and extraForwardRules has no effect.
    networking.firewall.filterForward = true;

    # Pod traffic enters on the lxc interfaces, which do not carry the pod
    # prefixes as addresses for the return route, so strict reverse-path
    # filtering would drop it.  These rules only exempt such packets from the
    # rpfilter check; acceptance is still decided by the input/forward chains.
    networking.firewall.extraReversePathFilterRules = ''
      iifname "${podIfaceGlob}" ip6 saddr ${podNet6} accept
      iifname "${podIfaceGlob}" ip saddr ${podNet4} accept
    '';

    # Pod-to-node traffic.  Only the IPv6 pod range is admitted to the input
    # chain; IPv4 pod traffic towards the node is not exempted here.
    # NOTE(review): confirm this asymmetry with the forward rules is intended.
    networking.firewall.extraInputRules = joinRules [
      ''
        ip6 saddr ${podNet6} accept
      ''
    ];
    # Earlier variant kept for reference:
    # networking.firewall.extraInputRules = ''
    #   ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
    #   ip6 saddr fd00:3e42:e349::/112 accept
    #   ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
    # '';

    networking.firewall.extraForwardRules = joinRules [
      # Pod to anywhere: any destination is allowed as long as the packet
      # arrives on a pod interface with a pod source address.
      ''
        iifname "${podIfaceGlob}" ip6 saddr ${podNet6} accept
        iifname "${podIfaceGlob}" ip saddr ${podNet4} accept
      ''
      # Pod to pod within the same address family.
      ''
        ip saddr ${podNet4} ip daddr ${podNet4} accept
        ip6 saddr ${podNet6} ip6 daddr ${podNet6} accept
      ''
      # Anywhere to pod: forwarded traffic destined to a pod prefix is accepted
      # from any source and any interface.  Every port a pod listens on is
      # therefore reachable from anything that can route to these prefixes;
      # restrict by port or source here if pods should not be exposed directly.
      ''
        ip daddr ${podNet4} accept
        ip6 daddr ${podNet6} accept
      ''
    ];
    # Earlier variant kept for reference:
    # networking.firewall.extraForwardRules = ''
    #   ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
    #   ip6 daddr fd00:3e42:e349::/112 accept
    #   ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
    # '';

    # Dropped packets are logged by the NixOS firewall; inspect them with
    # `journalctl -k` or `dmesg`.
    # A hand-written table could replace the generated one:
    # networking.nftables.tables."my-fw" = {
    #   family = "inet";
    #   content = (builtins.readFile ./files/my-fw.nft);
    # };
  };
}