authorAlan Pearce2020-11-30 13:45:55 +0100
committerAlan Pearce2020-11-30 14:26:13 +0100
commit9eefb41c335dfae6b349312cb886d9823bea3eb0 (patch)
tree774b8f4584deeeaa56a3436627bdb734d548ee3c /system
parent12cb5d6e10888d095cd6f1a6cf2f201684e21583 (diff)
downloadnixfiles-9eefb41c335dfae6b349312cb886d9823bea3eb0.tar.lz
nixfiles-9eefb41c335dfae6b349312cb886d9823bea3eb0.tar.zst
nixfiles-9eefb41c335dfae6b349312cb886d9823bea3eb0.zip
satoshipay: enable docker container->host connections
Diffstat (limited to 'system')
-rw-r--r--system/settings/satoshipay.nix27
1 files changed, 17 insertions, 10 deletions
diff --git a/system/settings/satoshipay.nix b/system/settings/satoshipay.nix
index 952705cd..febe4da9 100644
--- a/system/settings/satoshipay.nix
+++ b/system/settings/satoshipay.nix
@@ -1,20 +1,21 @@
 { config, pkgs, fetchurl, lib, ... }:
 
-{ virtualisation = {
-  docker = let
-    daemonConfig = {
-      ipv6 = true;
-      fixed-cidr-v6 = "fd69:2074:9fcd:b0fd::/64";
-      features = {
-        buildkit = true;
-      };
+let
+  dockerConfig = {
+    ipv6 = true;
+    fixed-cidr-v6 = "fd69:2074:9fcd:b0fd::/64";
+    features = {
+      buildkit = true;
     };
-    in {
+  };
+in
+{ virtualisation = {
+  docker = {
       enable = true;
       enableOnBoot = false;
       liveRestore = false;
 
-      extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON daemonConfig)}";
+      extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON dockerConfig)}";
 
       autoPrune = {
         enable = true;
@@ -22,6 +23,12 @@
       };
     };
   };
+  networking.firewall.extraCommands = ''
+    iptables  -A nixos-fw -p udp --source 172.17.0.0/24         -j nixos-fw-accept
+    iptables  -A nixos-fw -p tcp --source 172.17.0.0/24         -j nixos-fw-accept
+    ip6tables -A nixos-fw -p tcp --source ${dockerConfig.fixed-cidr-v6} -j nixos-fw-accept
+    ip6tables -A nixos-fw -p udp --source ${dockerConfig.fixed-cidr-v6} -j nixos-fw-accept
+  '';
 
   services.mongodb = {
     enable = true;
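Review bot: The four accept rules added to `networking.firewall.extraCommands` open every TCP and UDP port on the host to anything that presents a source address in `172.17.0.0/24` or the `fixed-cidr-v6` range, so any container (and anything able to spoof such a source) can reach host services such as the `services.mongodb` instance defined below without further restriction. Matching on the ingress interface as well, e.g. `iptables -A nixos-fw -i docker0 -p tcp --source 172.17.0.0/24 -j nixos-fw-accept`, ties the exception to the bridge rather than to a spoofable address, and adding `--dport` for the specific host ports the containers need would narrow it further. Docker's default bridge subnet is 172.17.0.0/16, so if the daemon runs with its default `bip` the `/24` here presumably covers only part of the container range; the intended prefix should be confirmed against the daemon's address settings. A short comment above the block naming which host services the containers are expected to reach would make the intent of these rules reviewable.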