docker shoud set firewall

2026-01-12 04:39:23 +08:00 · 2023-08-14 23:51:07 +08:00
parent 38db6aa28c
commit f7f7680a68
3 changed files with 17 additions and 13 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -231,7 +231,7 @@
 										};
 									};
 								};
-								firewall.trustedInterfaces = [ "docker0" "virbr0" "waydroid0" ];
+								firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
 								acme =
 								{
 									enable = true;
--- a/modules/virtualization/default.nix
+++ b/modules/virtualization/default.nix
@@ -19,21 +19,25 @@ inputs:
 		(mkIf inputs.config.nixos.virtualization.waydroid.enable { virtualisation = { waydroid.enable = true; }; })
 		# docker
 		(
-			mkIf inputs.config.nixos.virtualization.docker.enable { virtualisation.docker =
+			mkIf inputs.config.nixos.virtualization.docker.enable
 			{
-				# enable = true;
-				rootless =
+				virtualisation.docker =
 				{
-					enable = true; setSocketVariable = true;
-					daemon.settings =
+					# enable = true;
+					rootless =
 					{
-						features.buildkit = true;
-						dns = [ "1.1.1.1" ];
+						enable = true; setSocketVariable = true;
+						daemon.settings =
+						{
+							features.buildkit = true;
+							dns = [ "1.1.1.1" ];
+						};
 					};
+					enableNvidia = builtins.elem "nvidia" inputs.config.nixos.hardware.gpus;
+					storageDriver = "overlay2";
 				};
-				enableNvidia = builtins.elem "nvidia" inputs.config.nixos.hardware.gpus;
-				storageDriver = "overlay2";
-			};}
+				nixos.services.firewall.trustedInterfaces = [ "docker0" ];
+			}
 		)
 		# kvmHost
 		(
--- a/secrets/chn-PC.yaml
+++ b/secrets/chn-PC.yaml
@@ -32,8 +32,8 @@ sops:
            OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
            +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-14T14:09:50Z"
-    mac: ENC[AES256_GCM,data:duycOyMKC+507izT1LwIJtdcO9VJCQd7Meb4HDxTJVzzUNRpi2OYZt0FoncXiXSut7W8C2vw4rbCXdheQskaYTW7EcIO7uV9rsdvviumiXqhbrPYPPoHImLlzdh0PxX6WkIGKc4TcXf3urJ36jkQjHhMGbBFvzi4dGJYJ2dY3To=,iv:zXoOiR3g/hpHGIcHUJYrReNJu4GgY+fbJ/1vJCPGyck=,tag:XFgD/FAhiuCxmgTzTEzNlw==,type:str]
+    lastmodified: "2023-08-14T15:50:47Z"
+    mac: ENC[AES256_GCM,data:UcijF69T9ZpnUq0zD5D89e2cPZYvo4cvTg6BMJ/Vd/+w+s9V/7uKOLfVtM++VKaisr5kA9wAXQfwvtJaMiQsPmof4bsehJEdirTxzRYokl9A8+NIzyLSwyIwJ7x7pLtmAmMtrjrygCAK0Zpt/KqqiGOLjM27ay6JZponblGg+s4=,iv:yV9pGqGATN5YCIIj5hQO0MSpkEnHdvcdTGu3ETSy++w=,tag:br15TAFjN0KguFxCYv6Ofw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3