Merge pull request #290976 from adamcstephens/incus/nft

nixos/incus: assert nftables is used when firewall is enabled
2025-07-13 21:50:33 +03:00 · 2024-03-02 17:40:44 +01:00 · 2024-03-02 17:40:44 +01:00 · 55ead8c56a
commit 55ead8c56a
parent a217ccfe1f 6a0ad369f2
1 changed files with 7 additions and 0 deletions
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@ -107,6 +107,13 @@ in
  };

  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !(config.networking.firewall.enable && !config.networking.nftables.enable && config.virtualisation.incus.enable);
+        message = "Incus on NixOS is unsupported using iptables. Set `networking.nftables.enable = true;`";
+      }
+    ];
+
    # https://github.com/lxc/incus/blob/f145309929f849b9951658ad2ba3b8f10cbe69d1/doc/reference/server_settings.md
    boot.kernel.sysctl = {
      "fs.aio-max-nr" = lib.mkDefault 524288;