From d9d0fbd0406873648c985d2b96d2a52c91f9fc9e Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 18 Jan 2023 20:07:18 +0100
Subject: [PATCH] l sync-containers3: configure NAT more directly

---
 lass/3modules/sync-containers3.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix
index 7966f4097..8f6f74a3c 100644
--- a/lass/3modules/sync-containers3.nix
+++ b/lass/3modules/sync-containers3.nix
@@ -282,14 +282,19 @@ in {
     })
     (lib.mkIf (cfg.containers != {}) {
       # networking
+
+      # needed because otherwise we lose local dns
+      environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
+
+      boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
       systemd.network.networks.ctr0 = {
         name = "ctr0";
         address = [
           "10.233.0.1/24"
         ];
         networkConfig = {
-          IPForward = "yes";
-          IPMasquerade = "both";
+          # IPForward = "yes";
+          # IPMasquerade = "both";
           ConfigureWithoutCarrier = true;
           DHCPServer = "yes";
         };
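Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;` turns on forwarding host-wide, whereas the removed `IPForward = "yes"` was scoped to ctr0, so every interface on the host now forwards and only the FORWARD chain decides what passes; the ACCEPT rules for `-i ctr0`/`-o ctr0` in the next hunk cover the container side, but whether other interfaces are still denied depends on the FORWARD policy set elsewhere in this module, which is outside the hunk. A comment stating that intent would help the next reader, e.g. `# forwarding is enabled globally; containment relies on the FORWARD chain, not on per-interface settings`. The two `# IPForward` / `# IPMasquerade` lines are dead code now that NAT is expressed in iptables and should be removed rather than commented out, so nobody later re-enables them and ends up with networkd and iptables both masquerading. The `resolv.conf` note would also read better if it named the mechanism: `# containers use the host's systemd-resolved stub; without this override the static resolv.conf drops local DNS`, but only if that is the actual cause — I am inferring it from the path. The enclosing `lib.mkIf (cfg.containers != {})` attribute set begins before the hunk.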
@@ -306,6 +311,9 @@ in {
         { predicate = "-i ctr0"; target = "ACCEPT"; }
         { predicate = "-o ctr0"; target = "ACCEPT"; }
       ];
+      krebs.iptables.tables.nat.POSTROUTING.rules = [
+        { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }
+      ];
     })
     (lib.mkIf cfg.inContainer.enable {
       users.groups.container_sync = {};
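Review bot: The new MASQUERADE rule matches on source address only, so any packet from 10.233.0.0/24 leaving via any interface is rewritten, including traffic the host routes back onto ctr0 itself; the conventional scoping is to exclude the container interface (or name the uplink), e.g. `{ v6 = false; predicate = "-s 10.233.0.0/24 ! -o ctr0"; target = "MASQUERADE"; }`, assuming `predicate` is passed through to iptables verbatim as the `-i`/`-o` rules above suggest. With `v6 = false` the rule is IPv4-only, which is consistent with the v4-only `ip_forward` sysctl in the first hunk, but worth stating in a comment so the lack of IPv6 NAT is read as deliberate: `# IPv4 only: no IPv6 forwarding or NAT is configured for containers`. The enclosing `lib.mkIf (cfg.containers != {})` block starts before this hunk.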