common/incus: make bridge trusted, add user as admin

hosts/legion/default.nix

@@ -30,7 +30,6 @@
         hostName = "legion";
         hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
         networkmanager.enable = true;
-        nftables.enable = true;
       };
       systemd.services.NetworkManager-wait-online.enable = false;
 

hosts/ude/default.nix

@@ -19,7 +19,6 @@
         loader.systemd-boot.configurationLimit = 1;
         loader.efi.canTouchEfiVariables = true;
       };
-      networking.nftables.enable = true;
 
       common.hercules.enable = true;
       services.hercules-ci-agent.settings.concurrentTasks = 6;

modules/system/common/incus.nix

@@ -3,6 +3,7 @@
   lib,
   config,
   pkgs,
+  username,
   ...
 }:
 let
@@ -14,11 +15,13 @@ let
     environment.systemPackages = [ cfg.clientPackage ];
   };
 
-  linuxConfig = lib.optionalAttrs isLinux {
+  linuxConfig = lib.optionalAttrs isLinux (
-    virtualisation.incus = lib.mkIf (!cfg.clientOnly) {
+    lib.mkIf (!cfg.clientOnly) {
+      virtualisation.incus = {
         enable = true;
         inherit (cfg) package clientPackage;
         preseed = {
+          # TODO: Default profile with storage pool
           networks = [
             {
               name = "incusbr0";
@@ -40,7 +43,13 @@ let
           ];
         };
       };
+      networking = {
+        nftables.enable = true;
+        firewall.trustedInterfaces = [ "incusbr0" ];
       };
+      users.users.${username}.extraGroups = [ "incus-admin" ];
+    }
+  );
 
   darwinConfig = lib.optionalAttrs (!isLinux) {
     assertions = [