diff --git a/lib/constants.nix b/lib/constants.nix
index 5d70ae9..4e202ad 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -64,6 +64,10 @@
 v4 = "94.142.241.227/32";
 v6 = subnet 8 0 cust.v6;
 };
+ darts = {
+ v4 = "94.142.242.255/32";
+ v6 = subnet 8 1 cust.v6;
+ };
 vip1 = "94.142.241.224/30";
 vip2 = "94.142.242.254/31";
diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix
index 72eca01..e14067b 100644
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -276,6 +276,29 @@ in
 }
 ];
 };
+
+ "90-vm-darts" = {
+ matchConfig.Name = "vm-darts";
+ address = [
+ (net.cidr.subnet 8 2 prefixes.cust.v4)
+ prefixes.darts.v6
+ ];
+ networkConfig = {
+ IPv6AcceptRA = false;
+ IPv6SendRA = true;
+ };
+ ipv6Prefixes = [
+ {
+ ipv6PrefixConfig.Prefix = prefixes.darts.v6;
+ }
+ ];
+ routes = map (r: { routeConfig = r; }) [
+ {
+ Destination = prefixes.darts.v4;
+ Scope = "link";
+ }
+ ];
+ };
 };
 };
 };
@@ -307,7 +330,7 @@ in
 firewall = {
 trustedInterfaces = [ "vms" ];
 extraRules = ''
- define cust = { vm-mail }
+ define cust = { vm-mail, vm-darts }
 table inet filter {
 chain forward {
 # Trust that the outer firewall has done the filtering!
diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix
index 000706d..8cf5d50 100644
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -31,7 +31,8 @@
 driver = "file";
 #filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
 #filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
- filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso";
+ #filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso";
+ filename = "/persist/home/dev/ubuntu-22.04.3-live-server-amd64.iso";
 read-only = "on";
 };
 format.driver = "raw";
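Review bot: The new `darts.v4 = "94.142.242.255/32"` lies inside `vip2 = "94.142.242.254/31"` two lines below (a /31 spans .254–.255), and nothing on the page says that is intentional; it looks like the same convention as `mail`, whose .241.227/32 is the last address of `vip1 = "94.142.241.224/30"`, but anyone auditing the address plan will flag it as an overlap. A comment on the `darts` entry such as `# last address of vip2, carved out the way mail is from vip1` would settle that, and the same comment belongs on `mail` if it is not already there above the hunk. If vip2 is instead meant to stay free as a whole, the address needs changing rather than documenting; please confirm which.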
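Review bot: Adding `vm-darts` to `define cust = { vm-mail, vm-darts }` gives the new tenant interface whatever the `$cust` rules in `chain forward` already grant, but nothing in this hunk or in the `90-vm-darts` unit added earlier in the same file ties the traffic that interface may originate to the addresses assigned to it (`prefixes.darts.v4`, `prefixes.darts.v6`), and the comment that the outer firewall has done the filtering only covers what enters from outside. Unless the `$cust` rules further down already check `ip saddr`, a per-interface source check such as `iifname vm-darts ip saddr != ${prefixes.darts.v4} drop` (plus the `ip6 saddr != ${prefixes.darts.v6}` equivalent) would keep a tenant VM from sending with another tenant's or the host's address; a kernel `rp_filter` or nftables `fib saddr` check would serve the same purpose if one is configured elsewhere. The `extraRules` string and the forward chain continue outside the hunk, so this may already be handled; please confirm.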
@@ -217,6 +218,24 @@
 (vmLVM "mail" "data")
 ];
 };
+
+ darts = {
+ uuid = "ee3882a9-5616-4fcb-83d7-89eb41a84d28";
+ cpu = "host,topoext";
+ smp = {
+ cpus = 4;
+ threads = 2;
+ };
+ memory = 16384;
+ networks.public = {
+ bridge = null;
+ mac = "52:54:00:a8:29:cd";
+ };
+ cleanShutdown.timeout = 120;
+ drives = [
+ (mkMerge [ (vmLVM "darts" "root") { frontendOpts.bootindex = 0; } ])
+ ];
+ };
 };
 };
 };
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index a4866d8..dd93b80 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -315,6 +315,10 @@ in
 Destination = prefixes.vip1;
 Gateway = allAssignments.colony.routing.ipv4.address;
 }
+ {
+ Destination = prefixes.darts.v4;
+ Gateway = allAssignments.colony.routing.ipv4.address;
+ }
 {
 Destination = prefixes.cust.v6;
 Gateway = allAssignments.colony.internal.ipv6.address;
@@ -429,7 +433,7 @@ in
 return
 }
 chain filter-routing {
- ip daddr ${prefixes.mail.v4} accept
+ ip daddr { ${prefixes.mail.v4}, ${prefixes.darts.v4} } accept
 ip6 daddr ${prefixes.cust.v6} accept
 tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index f60d269..090b351 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -152,6 +152,9 @@ in
 mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
 mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
+ darts-cust IN A ${net.cidr.host 0 prefixes.darts.v4}
+ darts-cust IN AAAA ${net.cidr.host 1 prefixes.darts.v6}
+
 andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
 $TTL 3
@@ -202,6 +205,8 @@ in
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2 IN PTR mail.nul.ie.
+ 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2 IN PTR darts-cust.${config.networking.domain}.
+
 ${lib.my.dns.ptr6Records {
 inherit allAssignments names;
 domain = config.networking.domain;
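Review bot: The `darts` VM block does not say why `networks.public.bridge = null` is set, and that is the setting here a later maintainer is most likely to "fix" by attaching the bridge; presumably it leaves the NIC as a standalone interface that the host side matches as `vm-darts` in the `90-vm-darts` systemd-network unit from nixos/boxes/colony/default.nix and routes itself, keeping the tenant off the shared VM segment. A comment on that line, `# not bridged: the host routes this VM's /32 and v6 prefix via its vm-darts interface (colony/default.nix "90-vm-darts")`, would record the dependency between the two files. The `uuid` and `mac` values are bare literals and the `mail` definition above is only visible as its tail, so whether they follow a shared scheme cannot be checked from here. The enclosing attribute set starts before the hunk and ends after it.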
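Review bot: The widened `ip daddr { ${prefixes.mail.v4}, ${prefixes.darts.v4} } accept` has no IPv6 twin in this hunk, and a reader will wonder whether the darts v6 prefix was forgotten; it was not, since lib/constants.nix defines `darts.v6` as `subnet 8 1 cust.v6` and the existing `ip6 daddr ${prefixes.cust.v6} accept` on the next line already covers it. A comment on the v6 line, `# covers every customer v6 prefix (mail, darts) carved from cust.v6`, would make that explicit. Note that within `filter-routing` this accept precedes the `ct state new jump routing-tcp` dispatch, so every flow addressed to these tenant /32s is admitted by this chain without per-port filtering, as was already the case for mail. The chain continues outside the hunk.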