nixos/shill: Add jam container

2024-06-20 23:38:28 +01:00 · 2024-06-20 23:38:28 +01:00 · dd9439b7fa
commit dd9439b7fa
parent bc9f266ef0
7 changed files with 139 additions and 6 deletions
--- a/lib/constants.nix
+++ b/lib/constants.nix
@ -111,7 +111,7 @@ rec {
  };

  pubDomain = "nul.ie";
-  colony = {
+  colony = rec {
    domain = "ams1.int.${pubDomain}";
    pubV4 = "94.142.240.44";
    prefixes = with lib.my.net.cidr; rec {
@ -148,6 +148,10 @@ rec {
        v4 = "94.142.242.255/32";
        v6 = subnet 8 1 cust.v6;
      };
+      jam = {
+        v4 = subnet 8 4 cust.v4;
+        v6 = subnet 8 2 cust.v6;
+      };

      vip1 = "94.142.241.224/30";
      vip2 = "94.142.242.254/31";
@ -160,6 +164,12 @@ rec {
      home.v6 = "2a0e:97c0:4d0::/48";
    };

+    custRouting = with lib.my.net.cidr; {
+      mail-vm = host 1 prefixes.cust.v4;
+      darts-vm = host 2 prefixes.cust.v4;
+      jam-ctr = host 3 prefixes.cust.v4;
+    };
+
    firewallForwards = aa: [
      {
        port = "http";
@ -173,6 +183,7 @@ rec {
        port = 8448;
        dst = aa.middleman.internal.ipv4.address;
      }
+
      {
        port = 25565;
        dst = aa.simpcraft-oci.internal.ipv4.address;
@ -181,6 +192,7 @@ rec {
        port = 25566;
        dst = aa.simpcraft-staging-oci.internal.ipv4.address;
      }
+
      {
        port = 25575;
        dst = aa.simpcraft-oci.internal.ipv4.address;
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@ -1,7 +1,7 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
-  inherit (lib.my.c.colony) domain prefixes firewallForwards;
+  inherit (lib.my.c.colony) domain prefixes custRouting firewallForwards;
 in
 {
  imports = [ ./vms ];
@ -276,6 +276,10 @@ in
                      Destination = lib.my.c.tailscale.prefix.v6;
                      Gateway = allAssignments.shill.internal.ipv6.address;
                    }
+                    {
+                      Destination = prefixes.jam.v6;
+                      Gateway = allAssignments.shill.internal.ipv6.address;
+                    }

                    {
                      Destination = prefixes.oci.v4;
@ -307,7 +311,7 @@ in
              "90-vm-mail" = {
                matchConfig.Name = "vm-mail";
                address = [
-                  (net.cidr.subnet 8 1 prefixes.cust.v4)
+                  "${custRouting.mail-vm}/32"
                  prefixes.mail.v6
                ];
                networkConfig = {
@ -330,7 +334,7 @@ in
              "90-vm-darts" = {
                matchConfig.Name = "vm-darts";
                address = [
-                  (net.cidr.subnet 8 2 prefixes.cust.v4)
+                  "${custRouting.darts-vm}/32"
                  prefixes.darts.v6
                ];
                networkConfig = {
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@ -131,6 +131,7 @@
              (vm.lvmDisk "media")
              (vm.lvmDisk "minio")
              (vm.lvmDisk "nix-atticd")
+              (vm.lvmDisk "jam")
            ]);
          };

--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -394,6 +394,9 @@ in
                      # Safe enough to allow all SSH
                      tcp dport ssh accept

+                      # jam-ctr forwards
+                      ip daddr ${aa.shill.internal.ipv4.address} tcp dport 60022 accept
+
                      ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
                      ${matchInet "tcp dport { http, https } accept" "git"}
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@ -2,7 +2,7 @@
 let
  inherit (builtins) attrNames;
  inherit (lib.my) net;
-  inherit (lib.my.c.colony) prefixes;
+  inherit (lib.my.c.colony) prefixes custRouting;

  authZones = attrNames config.my.pdns.auth.bind.zones;
 in
@ -162,6 +162,10 @@ in

            andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}

+            jam-cust IN A ${net.cidr.host 0 prefixes.jam.v4}
+            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
+            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
+
            $TTL 3
            _acme-challenge IN LUA TXT @@FILE@@

--- a/nixos/boxes/colony/vms/shill/containers-ext.nix
+++ b/nixos/boxes/colony/vms/shill/containers-ext.nix
@ -0,0 +1,105 @@
+{ lib, pkgs, assignments, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.c.colony) prefixes custRouting;
+in
+{
+  fileSystems = {
+    "/mnt/jam" = {
+      device = "/dev/disk/by-label/jam";
+      fsType = "ext4";
+    };
+
+    "/var/lib/machines/jam" = {
+      device = "/mnt/jam";
+      options = [ "bind" ];
+    };
+  };
+
+  systemd = {
+    nspawn = {
+      jam = {
+        enable = true;
+        execConfig = {
+          Boot = true;
+          PrivateUsers = "pick";
+          LinkJournal = false;
+        };
+        networkConfig = {
+          Private = true;
+          VirtualEthernet = true;
+        };
+      };
+    };
+    network.networks = {
+      "50-ve-jam" = {
+        matchConfig = {
+          Kind = "veth";
+          Name = "ve-jam";
+        };
+        address = [
+          custRouting.jam-ctr
+          prefixes.jam.v6
+        ];
+        networkConfig = {
+          IPv6AcceptRA = false;
+          IPv6SendRA = true;
+        };
+        ipv6Prefixes = [
+          {
+            ipv6PrefixConfig.Prefix = prefixes.jam.v6;
+          }
+        ];
+        routes = map (r: { routeConfig = r; }) [
+          {
+            Destination = prefixes.jam.v4;
+            Scope = "link";
+          }
+        ];
+      };
+    };
+    services = {
+      "systemd-nspawn@jam" = {
+        overrideStrategy = "asDropin";
+
+        serviceConfig = {
+          CPUQuota = "400%";
+          MemoryHigh = "4G";
+          MemoryMax = "4.5G";
+        };
+
+        wantedBy = [ "machines.target" ];
+      };
+    };
+  };
+
+  my = {
+    firewall =
+    let
+      jamIP = net.cidr.host 0 prefixes.jam.v4;
+    in
+    {
+      nat.forwardPorts."${assignments.internal.ipv4.address}" = [
+        {
+          port = 60022;
+          dst = jamIP;
+          dstPort = "ssh";
+        }
+      ];
+      extraRules = ''
+        table inet filter {
+          chain forward {
+            iifname { ve-jam } oifname vms accept
+            iifname vms oifname { ve-jam } accept
+          }
+        }
+
+        table inet nat {
+          chain postrouting {
+            ip saddr ${jamIP} snat to ${assignments.internal.ipv4.address}
+          }
+        }
+      '';
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@ -49,7 +49,11 @@ in
        inherit (lib.my) networkdAssignment;
      in
      {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+        imports = [
+          "${modulesPath}/profiles/qemu-guest.nix"
+
+          ./containers-ext.nix
+        ];

        config = mkMerge [
          {