Add `nixbox network reload` that re-reads config and applies new network rules to a running VM without restarting it.
Why: Changing allowed domains or network mode currently requires `nixbox down` + `nixbox up`, which kills the VM and loses any in-progress work. Since all network filtering (nftables, dnsmasq, future proxy) runs on the host, rules can be swapped while the VM is live.
What gets reloaded:
- nftables rules — atomic replace via `nft -f`
- dnsmasq — kill + restart with new `--server=` args (~1s DNS interruption)
- Proxy ACLs (future) — SIGHUP or config reload
- Port allowlist — regenerated in nftables config
CLI:
nixbox network reload # re-read nixbox.nix, apply new rules
nixbox network status # show current mode, allowed domains
Edge cases:
- VM not running → error
- Config unchanged → skip with message (hash comparison)
- Mode transition (`off → filtered`) → enable ip_forward, start dnsmasq
- Mode transition (`filtered → off`) → kill dnsmasq, drop-all nftables
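The reload decision logic above (hash comparison, mode transitions, regenerated nftables ruleset and dnsmasq `--server=` args), as an added illustration rather than nixbox's own code; the config dict shape, the `inet nixbox` table name and the sample domain/upstream are assumptions, and the plan is returned as a list of host-side steps instead of being executed.

```python
import hashlib
import json

# Constructed config shape: the page does not show nixbox.nix's schema (assumption).
def config_hash(cfg):
    """Hash the network-relevant config so an unchanged reload can be skipped."""
    canon = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def nft_ruleset(cfg):
    """Render a full ruleset; 'nft -f' applies it as one atomic replacement.
    The forward chain defaults to drop, so mode 'off' is drop-all."""
    lines = ["flush ruleset", "table inet nixbox {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;"]
    if cfg["mode"] == "filtered":
        lines.append("    ct state established,related accept")
        for port in sorted(cfg.get("ports", [])):  # regenerated port allowlist
            lines.append(f"    tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

def dnsmasq_args(cfg):
    """One --server= arg per allowed domain (dnsmasq's /domain/upstream form)."""
    return [f"--server=/{d}/{cfg['upstream']}" for d in sorted(cfg["domains"])]

def plan_reload(vm_running, old_hash, old_mode, new_cfg):
    """Return the ordered host-side steps for 'nixbox network reload'."""
    if not vm_running:
        raise RuntimeError("VM not running")
    if config_hash(new_cfg) == old_hash:
        return ["skip: config unchanged"]
    steps, new_mode = [], new_cfg["mode"]
    if old_mode == "filtered" and new_mode == "off":
        # Fail closed: the drop-all ruleset lands before DNS disappears.
        return ["nft -f <ruleset>", "kill dnsmasq"]
    if old_mode == "off" and new_mode == "filtered":
        steps += ["sysctl -w net.ipv4.ip_forward=1",
                  "start dnsmasq " + " ".join(dnsmasq_args(new_cfg))]
    elif new_mode == "filtered":  # same mode, only domains/ports changed
        steps.append("restart dnsmasq " + " ".join(dnsmasq_args(new_cfg)))
    steps.append("nft -f <ruleset>")  # DNS is up before forwarding rules open
    return steps

if __name__ == "__main__":
    # Constructed sample config; the domain and upstream are placeholders.
    cfg = {"mode": "filtered", "domains": ["cache.nixos.org"], "ports": [443], "upstream": "9.9.9.9"}
    print("\n".join(plan_reload(True, "stale", "off", cfg)))
    print(nft_ruleset(cfg))
```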