From dd9439b7fa8a4643db0ec7bb92a021574111fe6a Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Thu, 20 Jun 2024 23:38:28 +0100 Subject: [PATCH] nixos/shill: Add jam container --- lib/constants.nix | 14 ++- nixos/boxes/colony/default.nix | 10 +- nixos/boxes/colony/vms/default.nix | 1 + nixos/boxes/colony/vms/estuary/default.nix | 3 + nixos/boxes/colony/vms/estuary/dns.nix | 6 +- .../boxes/colony/vms/shill/containers-ext.nix | 105 ++++++++++++++++++ nixos/boxes/colony/vms/shill/default.nix | 6 +- 7 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 nixos/boxes/colony/vms/shill/containers-ext.nix diff --git a/lib/constants.nix b/lib/constants.nix index 0d26161..7df7e2d 100644 --- a/lib/constants.nix +++ b/lib/constants.nix @@ -111,7 +111,7 @@ rec { }; pubDomain = "nul.ie"; - colony = { + colony = rec { domain = "ams1.int.${pubDomain}"; pubV4 = "94.142.240.44"; prefixes = with lib.my.net.cidr; rec { @@ -148,6 +148,10 @@ rec { v4 = "94.142.242.255/32"; v6 = subnet 8 1 cust.v6; }; + jam = { + v4 = subnet 8 4 cust.v4; + v6 = subnet 8 2 cust.v6; + }; vip1 = "94.142.241.224/30"; vip2 = "94.142.242.254/31"; @@ -160,6 +164,12 @@ rec { home.v6 = "2a0e:97c0:4d0::/48"; }; + custRouting = with lib.my.net.cidr; { + mail-vm = host 1 prefixes.cust.v4; + darts-vm = host 2 prefixes.cust.v4; + jam-ctr = host 3 prefixes.cust.v4; + }; + firewallForwards = aa: [ { port = "http"; @@ -173,6 +183,7 @@ rec { port = 8448; dst = aa.middleman.internal.ipv4.address; } + { port = 25565; dst = aa.simpcraft-oci.internal.ipv4.address; @@ -181,6 +192,7 @@ rec { port = 25566; dst = aa.simpcraft-staging-oci.internal.ipv4.address; } + { port = 25575; dst = aa.simpcraft-oci.internal.ipv4.address; diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix index 86b2e23..08802bd 100644 --- a/nixos/boxes/colony/default.nix +++ b/nixos/boxes/colony/default.nix 
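Review bot: The new `custRouting` set in lib/constants.nix has no comment, and its indices are easy to confuse with the neighbouring `prefixes` entries: `jam-ctr` is `host 3` of `cust.v4` while `prefixes.jam.v4` is `subnet 8 4` of the same block, and nothing tells the reader that the former is the shill-side veth address (it becomes the `50-ve-jam` address later in this commit) while the latter is the container's own /32. I would add above the set: `# Host-side /32s taken from prefixes.cust.v4 and put on the hypervisor/VM end of each customer link; the customer's own prefix lives under prefixes.<name>, so keep these host indices distinct from the subnet indices used there.` The switch to `colony = rec {` is what lets `custRouting` reference `prefixes`; a short `# rec: custRouting refers to prefixes` would save the next reader a lookup.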
@@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.c.colony) domain prefixes firewallForwards; + inherit (lib.my.c.colony) domain prefixes custRouting firewallForwards; in { imports = [ ./vms ]; @@ -276,6 +276,10 @@ in Destination = lib.my.c.tailscale.prefix.v6; Gateway = allAssignments.shill.internal.ipv6.address; } + { + Destination = prefixes.jam.v6; + Gateway = allAssignments.shill.internal.ipv6.address; + } { Destination = prefixes.oci.v4; @@ -307,7 +311,7 @@ in "90-vm-mail" = { matchConfig.Name = "vm-mail"; address = [ - (net.cidr.subnet 8 1 prefixes.cust.v4) + "${custRouting.mail-vm}/32" prefixes.mail.v6 ]; networkConfig = { @@ -330,7 +334,7 @@ in "90-vm-darts" = { matchConfig.Name = "vm-darts"; address = [ - (net.cidr.subnet 8 2 prefixes.cust.v4) + "${custRouting.darts-vm}/32" prefixes.darts.v6 ]; networkConfig = { diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix index fba4a0d..5ec76c8 100644 --- a/nixos/boxes/colony/vms/default.nix +++ b/nixos/boxes/colony/vms/default.nix @@ -131,6 +131,7 @@ (vm.lvmDisk "media") (vm.lvmDisk "minio") (vm.lvmDisk "nix-atticd") + (vm.lvmDisk "jam") ]); }; diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index 4136e2c..f36dedb 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -394,6 +394,9 @@ in # Safe enough to allow all SSH tcp dport ssh accept + # jam-ctr forwards + ip daddr ${aa.shill.internal.ipv4.address} tcp dport 60022 accept + ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept ${matchInet "tcp dport { http, https } accept" "git"} ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix index 215ff92..4c3c322 100644 --- a/nixos/boxes/colony/vms/estuary/dns.nix 
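Review bot: The estuary rule `ip daddr ${aa.shill.internal.ipv4.address} tcp dport 60022 accept` admits the container's SSH over IPv4 only, while the same commit routes `prefixes.jam.v6` to shill and publishes a public AAAA for the container (`jam-cust` in dns.nix); if the forward chain is default-drop, as the per-host `ip6 daddr … accept` rules next to it suggest, the v6 name resolves but never connects. Either add a matching `ip6 daddr <container v6 address> tcp dport ssh accept` beside it or do not publish the AAAA. Note also that `firewallForwards` in lib/constants.nix gains no 60022 entry, so this rule only carries traffic if shill's "internal" IPv4 address is reachable from outside without DNAT on estuary — worth confirming, since every other inbound v4 service in that list is DNATed. The comment `# jam-ctr forwards` should say what is being exposed, e.g. `# jam-ctr: customer SSH, DNATed on shill from 60022 to jam:22`.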
+++ b/nixos/boxes/colony/vms/estuary/dns.nix @@ -2,7 +2,7 @@ let inherit (builtins) attrNames; inherit (lib.my) net; - inherit (lib.my.c.colony) prefixes; + inherit (lib.my.c.colony) prefixes custRouting; authZones = attrNames config.my.pdns.auth.bind.zones; in @@ -162,6 +162,10 @@ in andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address} + jam-cust IN A ${net.cidr.host 0 prefixes.jam.v4} + jam-fwd IN A ${allAssignments.shill.internal.ipv4.address} + jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6} + $TTL 3 _acme-challenge IN LUA TXT @@FILE@@ diff --git a/nixos/boxes/colony/vms/shill/containers-ext.nix b/nixos/boxes/colony/vms/shill/containers-ext.nix new file mode 100644 index 0000000..53c4f0d --- /dev/null +++ b/nixos/boxes/colony/vms/shill/containers-ext.nix 
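Review bot: `jam-cust IN A ${net.cidr.host 0 prefixes.jam.v4}` publishes the container's own /32, but the commit adds a colony route only for `prefixes.jam.v6`, and on shill the container's IPv4 sits behind SNAT to shill's address with a 60022→ssh DNAT in front of it, so unless a v4 route for `prefixes.jam.v4` exists outside this diff the A record points at an address nothing beyond shill can reach; `jam-fwd` is the name that actually works for v4. The AAAA, `${net.cidr.host 1 prefixes.jam.v6}`, assumes the container takes `::1` of its prefix, whereas the shill side only sends router advertisements (`IPv6SendRA = true`), so a SLAAC-derived address would not match unless the container is statically configured, which this commit does not show. I would drop the A record or annotate it with `; jam-cust A: only reachable from shill (NATed) - use jam-fwd:60022 for SSH` and confirm the static `::1` inside the container.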
@@ -0,0 +1,105 @@ +{ lib, pkgs, assignments, ... }: +let + inherit (lib.my) net; + inherit (lib.my.c.colony) prefixes custRouting; +in +{ + fileSystems = { + "/mnt/jam" = { + device = "/dev/disk/by-label/jam"; + fsType = "ext4"; + }; + + "/var/lib/machines/jam" = { + device = "/mnt/jam"; + options = [ "bind" ]; + }; + }; + + systemd = { + nspawn = { + jam = { + enable = true; + execConfig = { + Boot = true; + PrivateUsers = "pick"; + LinkJournal = false; + }; + networkConfig = { + Private = true; + VirtualEthernet = true; + }; + }; + }; + network.networks = { + "50-ve-jam" = { + matchConfig = { + Kind = "veth"; + Name = "ve-jam"; + }; + address = [ + custRouting.jam-ctr + prefixes.jam.v6 + ]; + networkConfig = { + IPv6AcceptRA = false; + IPv6SendRA = true; + }; + ipv6Prefixes = [ + { + ipv6PrefixConfig.Prefix = prefixes.jam.v6; + } + ]; + routes = map (r: { routeConfig = r; }) [ + { + Destination = prefixes.jam.v4; + Scope = "link"; + } + ]; + }; + }; + services = { + "systemd-nspawn@jam" = { + overrideStrategy = "asDropin"; + + serviceConfig = { + CPUQuota = "400%"; + MemoryHigh = "4G"; + MemoryMax = "4.5G"; + }; + + wantedBy = [ "machines.target" ]; + }; + }; + }; + + my = { + firewall = + let + jamIP = net.cidr.host 0 prefixes.jam.v4; + in + { + nat.forwardPorts."${assignments.internal.ipv4.address}" = [ + { + port = 60022; + dst = jamIP; + dstPort = "ssh"; + } + ]; + extraRules = '' + table inet filter { + chain forward { + iifname { ve-jam } oifname vms accept + iifname vms oifname { ve-jam } accept + } + } + + table inet nat { + chain postrouting { + ip saddr ${jamIP} snat to ${assignments.internal.ipv4.address} + } + } + ''; + }; + }; +} diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix index 27c50f4..c2c2d64 100644 --- a/nixos/boxes/colony/vms/shill/default.nix +++ b/nixos/boxes/colony/vms/shill/default.nix 
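Review bot: The forward rules `iifname { ve-jam } oifname vms accept` and `iifname vms oifname { ve-jam } accept` in `extraRules` accept every flow in both directions with no port or connection-state restriction, so the `forwardPorts` entry for 60022 only constrains what arrives via estuary; anything already on `vms` can reach every port of the container, and the container — which the `cust` naming and the SNAT suggest belongs to a third party — can reach every internal VM. I would make the `vms → ve-jam` direction stateful plus the one DNATed SSH flow (the DNAT presumably happens in prerouting, so forward sees `ip daddr ${jamIP} tcp dport ssh`), and put an explicit drop for the internal prefixes ahead of the container's catch-all egress accept; the v6 side needs the same treatment with `ip6 daddr`. The SNAT rule `ip saddr ${jamIP} snat to …` also has no `oifname vms`, so it rewrites the source toward any interface; harmless with one egress today but worth pinning.
```nix
          extraRules = ''
            table inet filter {
              chain forward {
                # vms -> container: return traffic plus the SSH flow DNATed by forwardPorts
                iifname vms oifname ve-jam ct state { established, related } accept
                iifname vms oifname ve-jam ip daddr ${jamIP} tcp dport ssh accept
                # container -> vms: keep the customer off the other customer /32s; extend with
                # the internal prefixes (e.g. prefixes.vms, not visible in this file) and ip6 daddr
                iifname ve-jam oifname vms ip daddr ${prefixes.cust.v4} drop
                iifname ve-jam oifname vms accept
              }
            }
            # … unchanged: table inet nat / chain postrouting …
          '';
```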
@@ -49,7 +49,11 @@ in inherit (lib.my) networkdAssignment; in { - imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; + imports = [ + "${modulesPath}/profiles/qemu-guest.nix" + + ./containers-ext.nix + ]; config = mkMerge [ {