6 files changed, 130 insertions, 5 deletions
diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
index 5f5d0ddb..de53dce5 100644
--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -498,6 +498,9 @@
          bind = { address = "/home/gkleen/.ssh/emacs-server"; };
        }
      ];
+      extraOptions = {
+        StreamLocalBindUnlink = "yes";
+      };
    };
  "gitlab.uniworx.de" =
    { user = "git";
diff --git a/flake.nix b/flake.nix
index fd18ba0b..746c9134 100644
--- a/flake.nix
+++ b/flake.nix
@@ -133,7 +133,7 @@
      utils = import ./utils { inherit lib; };
      inherit (utils) nixImport overrideModule;
      inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr;
-      inherit (lib.strings) escapeNixString;
+      inherit (lib.strings) escapeNixString hasSuffix;
      accountUserName = accountName:
        let
@@ -225,6 +225,9 @@
      activateNixosConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (mapAttrs' (hostName: nixosConfig: nameValuePair "${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${nixosConfig.config.system.build.toplevel}/bin/switch-to-configuration"; } else null)) self.nixosConfigurations));
      activateHomeManagerConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (listToAttrs (concatLists (mapAttrsToList (hostName: nixosConfig: mapAttrsToList (userName: userCfg: nameValuePair "${userName}@${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${userCfg.home.activationPackage}/activate"; } else null)) nixosConfig.config.home-manager.users) self.nixosConfigurations))));
+      installerShells = system: pkgs: mapAttrs (installerName: config: pkgs.callPackage ./installer/shell.nix {
+        inherit system installerName config;
+      }) (filterAttrs (n: _v: hasSuffix "-netboot" n) installerNixosConfigurations);
      overlayPaths = nixImport rec { dir = ./overlays; _import = (path: _name: dir + "/${path}"); };
@@ -270,7 +273,7 @@
        apps = foldr recursiveUpdate {} [activateNixosConfigurations activateHomeManagerConfigurations];
-        devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); });
+        devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); } // installerShells system systemPkgs);
        templates.default = {
          path = ./.;
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c55cc7a8..bde5cdf8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
        bogus-priv = true;
        no-hosts = true;
        listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
-        interface = "virbr0";
+        # interface = "virbr0";
-        except-interface = "lo";
+        # except-interface = "lo";
        bind-interfaces = true;
        domain = "libvirt,192.168.122.0/24";
        dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index e2ac45c6..33c17253 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
  counter libvirt-dns {}
+  chain forward_tmp {}
  chain forward {
    type filter hook forward priority filter
    policy drop
@@ -100,6 +101,8 @@ table inet filter {
    iifname lo counter name fw-lo accept
+    jump forward_tmp
    iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
    oifname virbr0 ct state {established, related} counter name fw-libvirt accept
@@ -110,6 +113,7 @@ table inet filter {
    ct state new counter name reject-icmp-fw reject
  }
+  chain input_tmp {}
  chain input {
    type filter hook input priority filter
    policy drop
@@ -125,6 +129,8 @@ table inet filter {
    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
    meta l4proto $icmp_protos counter name icmp-rx accept
+    jump input_tmp
    tcp dport 22 counter name ssh-rx accept
    udp dport 60000-61000 counter name mosh-rx accept
@@ -180,11 +186,13 @@ table inet filter {
 table ip nat {
  counter libvirt-nat {}
+  chain postrouting_tmp {}
  chain postrouting {
    type nat hook postrouting priority srcnat
    policy accept
    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+    jump postrouting_tmp
  }
 }
@@ -202,10 +210,12 @@ table ip6 nat {
 table ip mss_clamp {
  counter libvirt-mss-clamp {}
+  chain postrouting_tmp {}
  chain postrouting {
    type filter hook postrouting priority mangle
    policy accept
    iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+    jump postrouting_tmp
  }
 }
diff --git a/installer/default.nix b/installer/default.nix
index a0c84182..9043d59b 100644
--- a/installer/default.nix
+++ b/installer/default.nix
@@ -26,11 +26,28 @@
    };
    environment.systemPackages = with pkgs; [
-      nvme-cli iotop mosh
+      nvme-cli iotop pciutils bottom
+      cudatoolkit
    ];
    zramSwap.enable = true;
+    users.defaultUserShell = pkgs.zsh;
+    programs = {
+      mosh.enable = true;
+      tmux.enable = true;
+      zsh.enable = true;
+    };
+    # nvidia
+    services.xserver.videoDrivers = [ "nvidia" ];
+    systemd.services.nvidia-control-devices = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.ExecStart = "${pkgs.linuxPackages.nvidia_x11.bin}/bin/nvidia-smi";
+    };
+    nixpkgs.config.allowUnfree = true;
    system.stateVersion = config.system.nixos.release; # No state in installer
  };
 }
diff --git a/installer/shell.nix b/installer/shell.nix
new file mode 100644
index 00000000..043f0ddc
--- /dev/null
+++ b/installer/shell.nix
@@ -0,0 +1,92 @@
+{ system, installerName, config
+, runCommand, makeWrapper, pixiecore, writeShellApplication, coreutils, busybox, nftables, mkShell
+}:
+let
+  pxeBuild = config.config.system.build;
+  pixiecore-wrapped = runCommand "pixiecore-${system}-${installerName}" {
+    nativeBuildInputs = [ makeWrapper ];
+  } ''
+    mkdir -p $out/bin
+    makeWrapper ${pixiecore}/bin/pixiecore $out/bin/pixiecore-${installerName} \
+      --add-flags boot \
+      --add-flags "${pxeBuild.kernel}/bzImage" --add-flags "${pxeBuild.netbootRamdisk}/initrd" \
+      --add-flags "--cmdline \"init=${pxeBuild.toplevel}/init loglevel=4\"" \
+      --add-flags "-dt" --add-flags "--status-port 64172" --add-flags "--port 64172" --add-flags "--dhcp-no-bind"
+  '';
+  udhcpd = writeShellApplication {
+    name = "udhcpd";
+    runtimeInputs = [ coreutils ];
+    text = ''
+      [[ -n "''${INTERFACE-}" ]] || exit 2
+      _LEASES_FILE=$(mktemp --tmpdir udhcpd.XXXXXXXXXX.leases)
+      exec ${busybox}/bin/udhcpd -f <(cat <<EOF
+        interface $INTERFACE
+        lease_file $_LEASES_FILE
+        start 10.0.0.128
+        end 10.0.0.254
+        max_leases 127
+        opt dns 8.8.8.8
+        option subnet 255.255.255.0
+        opt router 10.0.0.1
+        option lease 30
+      EOF
+      )
+    '';
+  };
+  nft_apply = writeShellApplication {
+    name = "pxe-nft-apply";
+    runtimeInputs = [ nftables ];
+    text = ''
+      [[ -n "''${INTERFACE-}" ]] || exit 2
+      exec nft -f - <<EOF
+        table inet filter {
+          chain forward_tmp {
+            iifname $INTERFACE oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4, virbr0} counter accept
+            oifname $INTERFACE ct state {established, related} counter accept
+          }
+          chain input_tmp {
+            iifname $INTERFACE udp dport {67,69,4011} counter accept
+            iifname $INTERFACE tcp dport 64172 counter accept
+          }
+        }
+        table ip nat {
+          chain postrouting_tmp {
+            iifname $INTERFACE oifname != $INTERFACE counter masquerade
+          }
+        }
+        table ip mss_clamp {
+          chain postrouting_tmp {
+            iifname $INTERFACE oifname != $INTERFACE tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+          }
+        }
+      EOF
+    '';
+  };
+  nft_flush = writeShellApplication {
+    name = "pxe-nft-flush";
+    runtimeInputs = [ nftables ];
+    text = ''
+      exec nft -f - <<EOF
+        flush chain inet filter forward_tmp
+        flush chain inet filter input_tmp
+        flush chain ip nat postrouting_tmp
+        flush chain ip mss_clamp postrouting_tmp
+      EOF
+    '';
+  };
+in mkShell {
+  name = installerName;
+  nativeBuildInputs = [ pixiecore-wrapped udhcpd nft_apply nft_flush ];
+}

diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix index 5f5d0ddb..de53dce5 100644 --- a/accounts/gkleen@sif/ssh-hosts.nix +++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -498,6 +498,9 @@
498	bind = { address = "/home/gkleen/.ssh/emacs-server"; };	498	bind = { address = "/home/gkleen/.ssh/emacs-server"; };
499	}	499	}
500	];	500	];
		501	extraOptions = {
		502	StreamLocalBindUnlink = "yes";
		503	};
501	};	504	};
502	"gitlab.uniworx.de" =	505	"gitlab.uniworx.de" =
503	{ user = "git";	506	{ user = "git";


diff --git a/flake.nix b/flake.nix index fd18ba0b..746c9134 100644 --- a/flake.nix +++ b/flake.nix
@@ -133,7 +133,7 @@
133	utils = import ./utils { inherit lib; };	133	utils = import ./utils { inherit lib; };
134	inherit (utils) nixImport overrideModule;	134	inherit (utils) nixImport overrideModule;
135	inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr;	135	inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr;
136	inherit (lib.strings) escapeNixString;	136	inherit (lib.strings) escapeNixString hasSuffix;
137		137
138	accountUserName = accountName:	138	accountUserName = accountName:
139	let	139	let
@@ -225,6 +225,9 @@
225		225
226	activateNixosConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (mapAttrs' (hostName: nixosConfig: nameValuePair "${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${nixosConfig.config.system.build.toplevel}/bin/switch-to-configuration"; } else null)) self.nixosConfigurations));	226	activateNixosConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (mapAttrs' (hostName: nixosConfig: nameValuePair "${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${nixosConfig.config.system.build.toplevel}/bin/switch-to-configuration"; } else null)) self.nixosConfigurations));
227	activateHomeManagerConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (listToAttrs (concatLists (mapAttrsToList (hostName: nixosConfig: mapAttrsToList (userName: userCfg: nameValuePair "${userName}@${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${userCfg.home.activationPackage}/activate"; } else null)) nixosConfig.config.home-manager.users) self.nixosConfigurations))));	227	activateHomeManagerConfigurations = forAllSystems (system: _pkgs: filterAttrs (_n: v: v != null) (listToAttrs (concatLists (mapAttrsToList (hostName: nixosConfig: mapAttrsToList (userName: userCfg: nameValuePair "${userName}@${hostName}-activate" (if system == nixosConfig.config.nixpkgs.system then { type = "app"; program = "${userCfg.home.activationPackage}/activate"; } else null)) nixosConfig.config.home-manager.users) self.nixosConfigurations))));
		228	installerShells = system: pkgs: mapAttrs (installerName: config: pkgs.callPackage ./installer/shell.nix {
		229	inherit system installerName config;
		230	}) (filterAttrs (n: _v: hasSuffix "-netboot" n) installerNixosConfigurations);
228		231
229	overlayPaths = nixImport rec { dir = ./overlays; _import = (path: _name: dir + "/${path}"); };	232	overlayPaths = nixImport rec { dir = ./overlays; _import = (path: _name: dir + "/${path}"); };
230		233
@@ -270,7 +273,7 @@
270		273
271	apps = foldr recursiveUpdate {} [activateNixosConfigurations activateHomeManagerConfigurations];	274	apps = foldr recursiveUpdate {} [activateNixosConfigurations activateHomeManagerConfigurations];
272		275
273	devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); });	276	devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); } // installerShells system systemPkgs);
274		277
275	templates.default = {	278	templates.default = {
276	path = ./.;	279	path = ./.;


diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index c55cc7a8..bde5cdf8 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
288	bogus-priv = true;	288	bogus-priv = true;
289	no-hosts = true;	289	no-hosts = true;
290	listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];	290	listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
291	interface = "virbr0";	291	# interface = "virbr0";
292	except-interface = "lo";	292	# except-interface = "lo";
293	bind-interfaces = true;	293	bind-interfaces = true;
294	domain = "libvirt,192.168.122.0/24";	294	domain = "libvirt,192.168.122.0/24";
295	dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];	295	dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];


diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft index e2ac45c6..33c17253 100644 --- a/hosts/sif/ruleset.nft +++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
90	counter libvirt-dns {}	90	counter libvirt-dns {}
91		91
92		92
		93	chain forward_tmp {}
93	chain forward {	94	chain forward {
94	type filter hook forward priority filter	95	type filter hook forward priority filter
95	policy drop	96	policy drop
@@ -100,6 +101,8 @@ table inet filter {
100		101
101	iifname lo counter name fw-lo accept	102	iifname lo counter name fw-lo accept
102		103
		104	jump forward_tmp
		105
103	iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept	106	iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
104	oifname virbr0 ct state {established, related} counter name fw-libvirt accept	107	oifname virbr0 ct state {established, related} counter name fw-libvirt accept
105		108
@@ -110,6 +113,7 @@ table inet filter {
110	ct state new counter name reject-icmp-fw reject	113	ct state new counter name reject-icmp-fw reject
111	}	114	}
112		115
		116	chain input_tmp {}
113	chain input {	117	chain input {
114	type filter hook input priority filter	118	type filter hook input priority filter
115	policy drop	119	policy drop
@@ -125,6 +129,8 @@ table inet filter {
125	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop	129	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
126	meta l4proto $icmp_protos counter name icmp-rx accept	130	meta l4proto $icmp_protos counter name icmp-rx accept
127		131
		132	jump input_tmp
		133
128	tcp dport 22 counter name ssh-rx accept	134	tcp dport 22 counter name ssh-rx accept
129	udp dport 60000-61000 counter name mosh-rx accept	135	udp dport 60000-61000 counter name mosh-rx accept
130		136
@@ -180,11 +186,13 @@ table inet filter {
180	table ip nat {	186	table ip nat {
181	counter libvirt-nat {}	187	counter libvirt-nat {}
182		188
		189	chain postrouting_tmp {}
183	chain postrouting {	190	chain postrouting {
184	type nat hook postrouting priority srcnat	191	type nat hook postrouting priority srcnat
185	policy accept	192	policy accept
186		193
187	iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade	194	iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
		195	jump postrouting_tmp
188	}	196	}
189	}	197	}
190		198
@@ -202,10 +210,12 @@ table ip6 nat {
202	table ip mss_clamp {	210	table ip mss_clamp {
203	counter libvirt-mss-clamp {}	211	counter libvirt-mss-clamp {}
204		212
		213	chain postrouting_tmp {}
205	chain postrouting {	214	chain postrouting {
206	type filter hook postrouting priority mangle	215	type filter hook postrouting priority mangle
207	policy accept	216	policy accept
208		217
209	iifname virbr0 oifname != virbr0 tcp flags & (syn\|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu	218	iifname virbr0 oifname != virbr0 tcp flags & (syn\|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
		219	jump postrouting_tmp
210	}	220	}
211	}	221	}


diff --git a/installer/default.nix b/installer/default.nix index a0c84182..9043d59b 100644 --- a/installer/default.nix +++ b/installer/default.nix
@@ -26,11 +26,28 @@
26	};	26	};
27		27
28	environment.systemPackages = with pkgs; [	28	environment.systemPackages = with pkgs; [
29	nvme-cli iotop mosh	29	nvme-cli iotop pciutils bottom
		30
		31	cudatoolkit
30	];	32	];
31		33
32	zramSwap.enable = true;	34	zramSwap.enable = true;
33		35
		36	users.defaultUserShell = pkgs.zsh;
		37	programs = {
		38	mosh.enable = true;
		39	tmux.enable = true;
		40	zsh.enable = true;
		41	};
		42
		43	# nvidia
		44	services.xserver.videoDrivers = [ "nvidia" ];
		45	systemd.services.nvidia-control-devices = {
		46	wantedBy = [ "multi-user.target" ];
		47	serviceConfig.ExecStart = "${pkgs.linuxPackages.nvidia_x11.bin}/bin/nvidia-smi";
		48	};
		49	nixpkgs.config.allowUnfree = true;
		50
34	system.stateVersion = config.system.nixos.release; # No state in installer	51	system.stateVersion = config.system.nixos.release; # No state in installer
35	};	52	};
36	}	53	}


diff --git a/installer/shell.nix b/installer/shell.nix new file mode 100644 index 00000000..043f0ddc --- /dev/null +++ b/installer/shell.nix
@@ -0,0 +1,92 @@
		1	{ system, installerName, config
		2	, runCommand, makeWrapper, pixiecore, writeShellApplication, coreutils, busybox, nftables, mkShell
		3	}:
		4
		5	let
		6	pxeBuild = config.config.system.build;
		7	pixiecore-wrapped = runCommand "pixiecore-${system}-${installerName}" {
		8	nativeBuildInputs = [ makeWrapper ];
		9	} ''
		10	mkdir -p $out/bin
		11	makeWrapper ${pixiecore}/bin/pixiecore $out/bin/pixiecore-${installerName} \
		12	--add-flags boot \
		13	--add-flags "${pxeBuild.kernel}/bzImage" --add-flags "${pxeBuild.netbootRamdisk}/initrd" \
		14	--add-flags "--cmdline \"init=${pxeBuild.toplevel}/init loglevel=4\"" \
		15	--add-flags "-dt" --add-flags "--status-port 64172" --add-flags "--port 64172" --add-flags "--dhcp-no-bind"
		16	'';
		17	udhcpd = writeShellApplication {
		18	name = "udhcpd";
		19
		20	runtimeInputs = [ coreutils ];
		21
		22	text = ''
		23	[[ -n "''${INTERFACE-}" ]] \|\| exit 2
		24
		25	_LEASES_FILE=$(mktemp --tmpdir udhcpd.XXXXXXXXXX.leases)
		26	exec ${busybox}/bin/udhcpd -f <(cat <<EOF
		27	interface $INTERFACE
		28	lease_file $_LEASES_FILE
		29	start 10.0.0.128
		30	end 10.0.0.254
		31	max_leases 127
		32	opt dns 8.8.8.8
		33	option subnet 255.255.255.0
		34	opt router 10.0.0.1
		35	option lease 30
		36	EOF
		37	)
		38	'';
		39	};
		40	nft_apply = writeShellApplication {
		41	name = "pxe-nft-apply";
		42
		43	runtimeInputs = [ nftables ];
		44
		45	text = ''
		46	[[ -n "''${INTERFACE-}" ]] \|\| exit 2
		47
		48	exec nft -f - <<EOF
		49	table inet filter {
		50	chain forward_tmp {
		51	iifname $INTERFACE oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4, virbr0} counter accept
		52	oifname $INTERFACE ct state {established, related} counter accept
		53	}
		54
		55	chain input_tmp {
		56	iifname $INTERFACE udp dport {67,69,4011} counter accept
		57	iifname $INTERFACE tcp dport 64172 counter accept
		58	}
		59	}
		60
		61	table ip nat {
		62	chain postrouting_tmp {
		63	iifname $INTERFACE oifname != $INTERFACE counter masquerade
		64	}
		65	}
		66
		67	table ip mss_clamp {
		68	chain postrouting_tmp {
		69	iifname $INTERFACE oifname != $INTERFACE tcp flags & (syn\|rst) == syn counter tcp option maxseg size set rt mtu
		70	}
		71	}
		72	EOF
		73	'';
		74	};
		75	nft_flush = writeShellApplication {
		76	name = "pxe-nft-flush";
		77
		78	runtimeInputs = [ nftables ];
		79
		80	text = ''
		81	exec nft -f - <<EOF
		82	flush chain inet filter forward_tmp
		83	flush chain inet filter input_tmp
		84	flush chain ip nat postrouting_tmp
		85	flush chain ip mss_clamp postrouting_tmp
		86	EOF
		87	'';
		88	};
		89	in mkShell {
		90	name = installerName;
		91	nativeBuildInputs = [ pixiecore-wrapped udhcpd nft_apply nft_flush ];
		92	}