From 6a0ad369f2cc36c9229f0c260c23e36206a278b9 Mon Sep 17 00:00:00 2001
From: Adam Stephens
Date: Fri, 23 Feb 2024 15:39:53 -0500
Subject: nixos/incus: assert nftables is used when firewall is enabled

incus manages its own firewall rules and prefers nftables. The advantages of nftables for segmenting multiple tools managing firewall rules is sufficient to require nftables with incus.

https://linuxcontainers.org/incus/docs/main/howto/network_bridge_firewalld/#use-incus-firewall
---
 nixos/modules/virtualisation/incus.nix | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'nixos')

diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix
index 3bbe0ba458516..a561c5682ae58 100644
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@@ -107,6 +107,13 @@ in
 };

 config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !(config.networking.firewall.enable && !config.networking.nftables.enable && config.virtualisation.incus.enable);
+ message = "Incus on NixOS is unsupported using iptables. Set `networking.nftables.enable = true;`";
+ }
+ ];
+
 # https://github.com/lxc/incus/blob/f145309929f849b9951658ad2ba3b8f10cbe69d1/doc/reference/server_settings.md
 boot.kernel.sysctl = {
 "fs.aio-max-nr" = lib.mkDefault 524288;
-- 
cgit 1.4.1
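Review bot: The added assertion re-checks `config.virtualisation.incus.enable` even though the whole attrset is already under `lib.mkIf cfg.enable`, so that conjunct is redundant if `cfg` is `config.virtualisation.incus` (its binding is outside the hunk), and the negated three-way conjunction reads less directly than Nix's implication operator. I would write `assertion = config.networking.firewall.enable -> config.networking.nftables.enable;`, which states the commit title's intent verbatim. The message also claims iptables is unsupported outright, yet the check only fires when the NixOS firewall is enabled, so a host with `networking.firewall.enable = false` still gets the iptables backend with no warning about the mixed-rules risk the commit message describes; either narrow the message to say nftables is required when `networking.firewall` is enabled, or add a comment above the assertion noting that the firewall-disabled case is deliberately left to the operator. The enclosing `config = lib.mkIf cfg.enable {` block continues past the hunk.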