Switch to nftables

nixos/machines/hera/network.nix

@@ -35,14 +35,14 @@ in {
       interface = "ens18";
     };
 
-    firewall = {
-      extraCommands = ''
-        ip6tables -A INPUT -i m0wire -j ACCEPT
-        ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
-        ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-        ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
-      '';
-    };
+    #firewall = {
+    #  extraCommands = ''
+    #    ip6tables -A INPUT -i m0wire -j ACCEPT
+    #    ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
+    #    ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    #    ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
+    #  '';
+    #};
 
     bridges.bridge.interfaces = [];
     interfaces.bridge = {

nixos/machines/zeus/configuration.nix

@@ -161,10 +161,10 @@ in {
       cleanupInterval = "15m";
       snapshotInterval = "*:00/3:00";
     };
-    prometheus.exporters.node = {
-      firewallFilter = "-i m0wire -p tcp -m tcp -m multiport --dports 9100,9558";
-      openFirewall = true;
-    };
+    #prometheus.exporters.node = {
+    # firewallFilter = "-i m0wire -p tcp -m tcp -m multiport --dports 9100,9558";
+    # openFirewall = lib.mkForce false;
+    #};
     syncthing =
       {
         enable = true;

nixos/roles/default.nix

@@ -171,17 +171,17 @@
   services = {
     logind.killUserProcesses = false;
     journald.extraConfig = "SystemMaxUse=5G";
-    prometheus.exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = ["systemd" "logind"];
-        disabledCollectors = ["timex"];
-      };
-      nginx = {
-        inherit (config.services.nginx) enable;
-        openFirewall = true;
-      };
-    };
+    #prometheus.exporters = {
+    #  node = {
+    #    enable = false;
+    #    enabledCollectors = ["systemd" "logind"];
+    #    disabledCollectors = ["timex"];
+    #  };
+    #  nginx = {
+    #    inherit (config.services.nginx) enable;
+    #    # openFirewall = true;
+    #  };
+    #};
     nginx = {
       statusPage = true;
       recommendedOptimisation = true;

nixos/roles/monitoring/folder-size-exporter.nix

@@ -5,7 +5,7 @@
 }: let
   textfilesDir = "/var/cache/prometheus-textfiles";
 in {
-  services.prometheus.exporters.node.extraFlags = ["--collector.textfile.directory /var/cache/prometheus-textfiles"];
+  # services.prometheus.exporters.node.extraFlags = ["--collector.textfile.directory /var/cache/prometheus-textfiles"];
   systemd = {
     services.folder-size-exporter = {
       description = "Write folder size for promtext exporter";

nixos/roles/standalone/default.nix

@@ -2,7 +2,39 @@
   pkgs,
   config,
   ...
-}: {
+}: let
+  inherit (import ../../../nix/sources.nix) nixos-unstable;
+  networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
+in {
+  # nftables using module not available in 22.11.
+  disabledModules = [
+    "services/networking/firewall.nix"
+    "services/networking/nftables.nix"
+    "services/networking/nat.nix"
+    "services/networking/redsocks.nix"
+    "services/networking/miniupnpd.nix"
+    "services/monitoring/prometheus/exporters.nix"
+    "services/audio/roon-server.nix"
+    "services/audio/roon-bridge.nix"
+  ];
+
+  imports = [
+    (networkingModule "firewall-iptables")
+    (networkingModule "firewall-nftables")
+    (networkingModule "firewall")
+    (networkingModule "nat-iptables")
+    (networkingModule "nat-nftables")
+    (networkingModule "nat")
+    (networkingModule "nftables")
+  ];
+
+  networking = {
+    firewall = {
+      enable = true; # It’s the default, but better make sure.
+    };
+    nftables.enable = true; # Uses firewall variables since 23.05
+  };
+
   boot = {
     plymouth.enable = true;
     loader = {