Compare commits
	
		
			2 Commits
		
	
	
		
			1b083d298b
			...
			dd9439b7fa
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| dd9439b7fa | |||
| bc9f266ef0 | 
@@ -111,7 +111,7 @@ rec {
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  pubDomain = "nul.ie";
 | 
			
		||||
  colony = {
 | 
			
		||||
  colony = rec {
 | 
			
		||||
    domain = "ams1.int.${pubDomain}";
 | 
			
		||||
    pubV4 = "94.142.240.44";
 | 
			
		||||
    prefixes = with lib.my.net.cidr; rec {
 | 
			
		||||
@@ -148,6 +148,10 @@ rec {
 | 
			
		||||
        v4 = "94.142.242.255/32";
 | 
			
		||||
        v6 = subnet 8 1 cust.v6;
 | 
			
		||||
      };
 | 
			
		||||
      jam = {
 | 
			
		||||
        v4 = subnet 8 4 cust.v4;
 | 
			
		||||
        v6 = subnet 8 2 cust.v6;
 | 
			
		||||
      };
 | 
			
		||||
 | 
			
		||||
      vip1 = "94.142.241.224/30";
 | 
			
		||||
      vip2 = "94.142.242.254/31";
 | 
			
		||||
@@ -160,6 +164,12 @@ rec {
 | 
			
		||||
      home.v6 = "2a0e:97c0:4d0::/48";
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
    custRouting = with lib.my.net.cidr; {
 | 
			
		||||
      mail-vm = host 1 prefixes.cust.v4;
 | 
			
		||||
      darts-vm = host 2 prefixes.cust.v4;
 | 
			
		||||
      jam-ctr = host 3 prefixes.cust.v4;
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
    firewallForwards = aa: [
 | 
			
		||||
      {
 | 
			
		||||
        port = "http";
 | 
			
		||||
@@ -173,6 +183,7 @@ rec {
 | 
			
		||||
        port = 8448;
 | 
			
		||||
        dst = aa.middleman.internal.ipv4.address;
 | 
			
		||||
      }
 | 
			
		||||
 | 
			
		||||
      {
 | 
			
		||||
        port = 25565;
 | 
			
		||||
        dst = aa.simpcraft-oci.internal.ipv4.address;
 | 
			
		||||
@@ -181,6 +192,7 @@ rec {
 | 
			
		||||
        port = 25566;
 | 
			
		||||
        dst = aa.simpcraft-staging-oci.internal.ipv4.address;
 | 
			
		||||
      }
 | 
			
		||||
 | 
			
		||||
      {
 | 
			
		||||
        port = 25575;
 | 
			
		||||
        dst = aa.simpcraft-oci.internal.ipv4.address;
 | 
			
		||||
 
 | 
			
		||||
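Review bot: The new `custRouting` block (hunk `@@ -160,6 +164,12 @@`) hard-codes host indices 1, 2 and 3 of `prefixes.cust.v4`, and the `jam` entry added in `@@ -148,6 +148,10 @@` takes `subnet 8 4 cust.v4` from the same pool, so the four allocations are only kept apart by convention. A one-line allocation comment above `custRouting` would make that explicit, e.g. `# cust.v4 host allocation: 1 mail-vm, 2 darts-vm, 3 jam-ctr (shill veth side), 4 jam container (prefixes.jam.v4)`. The `rec` added to `colony` in `@@ -111,7 +111,7 @@` is what lets `custRouting` refer to `prefixes`; a short `# rec: custRouting refers to prefixes` there would save the next reader a search. The `colony = rec {` set starts in the first hunk and continues past the last one.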
@@ -1,7 +1,7 @@
 | 
			
		||||
{ lib, ... }:
 | 
			
		||||
let
 | 
			
		||||
  inherit (lib.my) net;
 | 
			
		||||
  inherit (lib.my.c.colony) domain prefixes firewallForwards;
 | 
			
		||||
  inherit (lib.my.c.colony) domain prefixes custRouting firewallForwards;
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
  imports = [ ./vms ];
 | 
			
		||||
@@ -276,6 +276,10 @@ in
 | 
			
		||||
                      Destination = lib.my.c.tailscale.prefix.v6;
 | 
			
		||||
                      Gateway = allAssignments.shill.internal.ipv6.address;
 | 
			
		||||
                    }
 | 
			
		||||
                    {
 | 
			
		||||
                      Destination = prefixes.jam.v6;
 | 
			
		||||
                      Gateway = allAssignments.shill.internal.ipv6.address;
 | 
			
		||||
                    }
 | 
			
		||||
 | 
			
		||||
                    {
 | 
			
		||||
                      Destination = prefixes.oci.v4;
 | 
			
		||||
@@ -307,7 +311,7 @@ in
 | 
			
		||||
              "90-vm-mail" = {
 | 
			
		||||
                matchConfig.Name = "vm-mail";
 | 
			
		||||
                address = [
 | 
			
		||||
                  (net.cidr.subnet 8 1 prefixes.cust.v4)
 | 
			
		||||
                  "${custRouting.mail-vm}/32"
 | 
			
		||||
                  prefixes.mail.v6
 | 
			
		||||
                ];
 | 
			
		||||
                networkConfig = {
 | 
			
		||||
@@ -330,7 +334,7 @@ in
 | 
			
		||||
              "90-vm-darts" = {
 | 
			
		||||
                matchConfig.Name = "vm-darts";
 | 
			
		||||
                address = [
 | 
			
		||||
                  (net.cidr.subnet 8 2 prefixes.cust.v4)
 | 
			
		||||
                  "${custRouting.darts-vm}/32"
 | 
			
		||||
                  prefixes.darts.v6
 | 
			
		||||
                ];
 | 
			
		||||
                networkConfig = {
 | 
			
		||||
 
 | 
			
		||||
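Review bot: The route added in hunk `@@ -276,6 +276,10 @@` (`Destination = prefixes.jam.v6` via `allAssignments.shill.internal.ipv6.address`) has no IPv4 counterpart for `prefixes.jam.v4`, which is presumably intentional because shill SNATs the container's v4 traffic (the new containers-ext.nix has `ip saddr ${jamIP} snat to ${assignments.internal.ipv4.address}`), but nothing here says so. A comment on the new entry, `# jam v4 is NATed behind shill (containers-ext.nix); only v6 is routed`, would stop someone adding a v4 route later. The `mail-vm`/`darts-vm` address changes in `@@ -307,7 +311,7 @@` and `@@ -330,7 +334,7 @@` append `/32` to `custRouting.*`; that is equivalent to the old `net.cidr.subnet 8 N prefixes.cust.v4` form only if `prefixes.cust.v4` is a /24, which is worth confirming. The enclosing `routes` and `address` lists start and end outside the hunks.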
@@ -131,6 +131,7 @@
 | 
			
		||||
              (vm.lvmDisk "media")
 | 
			
		||||
              (vm.lvmDisk "minio")
 | 
			
		||||
              (vm.lvmDisk "nix-atticd")
 | 
			
		||||
              (vm.lvmDisk "jam")
 | 
			
		||||
            ]);
 | 
			
		||||
          };
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
@@ -394,6 +394,9 @@ in
 | 
			
		||||
                      # Safe enough to allow all SSH
 | 
			
		||||
                      tcp dport ssh accept
 | 
			
		||||
 | 
			
		||||
                      # jam-ctr forwards
 | 
			
		||||
                      ip daddr ${aa.shill.internal.ipv4.address} tcp dport 60022 accept
 | 
			
		||||
 | 
			
		||||
                      ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
 | 
			
		||||
                      ${matchInet "tcp dport { http, https } accept" "git"}
 | 
			
		||||
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
 | 
			
		||||
 
 | 
			
		||||
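Review bot: The `# jam-ctr forwards` rule added in hunk `@@ -394,6 +394,9 @@` accepts forwarded traffic to `${aa.shill.internal.ipv4.address}` port 60022 with no source restriction, but the comment does not say where that traffic ends up; the DNAT to the container's ssh port lives on shill in containers-ext.nix (`port = 60022; dst = jamIP; dstPort = "ssh";`). Expanding the comment to `# jam-ctr forwards: 60022 -> jam container ssh (DNAT on shill, see containers-ext.nix)` ties the two halves together for the next reader. The `tcp dport ssh accept` above it is justified by the existing "Safe enough to allow all SSH" comment, and the same reasoning is presumably meant to cover 60022; stating that explicitly costs one more clause. The enclosing chain body starts and ends outside the hunk.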
@@ -2,7 +2,7 @@
 | 
			
		||||
let
 | 
			
		||||
  inherit (builtins) attrNames;
 | 
			
		||||
  inherit (lib.my) net;
 | 
			
		||||
  inherit (lib.my.c.colony) prefixes;
 | 
			
		||||
  inherit (lib.my.c.colony) prefixes custRouting;
 | 
			
		||||
 | 
			
		||||
  authZones = attrNames config.my.pdns.auth.bind.zones;
 | 
			
		||||
in
 | 
			
		||||
@@ -162,6 +162,10 @@ in
 | 
			
		||||
 | 
			
		||||
            andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
 | 
			
		||||
 | 
			
		||||
            jam-cust IN A ${net.cidr.host 0 prefixes.jam.v4}
 | 
			
		||||
            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
 | 
			
		||||
            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
 | 
			
		||||
 | 
			
		||||
            $TTL 3
 | 
			
		||||
            _acme-challenge IN LUA TXT @@FILE@@
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
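Review bot: `jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}` in hunk `@@ -162,6 +162,10 @@` publishes host 1 of `prefixes.jam.v6`, but nothing in this commit assigns that address: the new `50-ve-jam` network only advertises the prefix (`IPv6SendRA = true` plus `ipv6Prefixes`), so a container relying on SLAAC would not necessarily land on host 1. Presumably the container's own configuration sets it statically; a zone-file `;` comment next to the record, `; assumes the jam container statically takes host 1 of jam.v6`, would record that dependency. The A record uses host 0 of `prefixes.jam.v4`, which matches `jamIP` in containers-ext.nix, so the v4 side is consistent. The zone data string starts and ends outside the hunk.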
							
								
								
									
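--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/containers-ext.nix
@@ -0,0 +1,105 @@
+{ lib, pkgs, assignments, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.c.colony) prefixes custRouting;
+in
+{
+  fileSystems = {
+    "/mnt/jam" = {
+      device = "/dev/disk/by-label/jam";
+      fsType = "ext4";
+    };
+
+    "/var/lib/machines/jam" = {
+      device = "/mnt/jam";
+      options = [ "bind" ];
+    };
+  };
+
+  systemd = {
+    nspawn = {
+      jam = {
+        enable = true;
+        execConfig = {
+          Boot = true;
+          PrivateUsers = "pick";
+          LinkJournal = false;
+        };
+        networkConfig = {
+          Private = true;
+          VirtualEthernet = true;
+        };
+      };
+    };
+    network.networks = {
+      "50-ve-jam" = {
+        matchConfig = {
+          Kind = "veth";
+          Name = "ve-jam";
+        };
+        address = [
+          custRouting.jam-ctr
+          prefixes.jam.v6
+        ];
+        networkConfig = {
+          IPv6AcceptRA = false;
+          IPv6SendRA = true;
+        };
+        ipv6Prefixes = [
+          {
+            ipv6PrefixConfig.Prefix = prefixes.jam.v6;
+          }
+        ];
+        routes = map (r: { routeConfig = r; }) [
+          {
+            Destination = prefixes.jam.v4;
+            Scope = "link";
+          }
+        ];
+      };
+    };
+    services = {
+      "systemd-nspawn@jam" = {
+        overrideStrategy = "asDropin";
+
+        serviceConfig = {
+          CPUQuota = "400%";
+          MemoryHigh = "4G";
+          MemoryMax = "4.5G";
+        };
+
+        wantedBy = [ "machines.target" ];
+      };
+    };
+  };
+
+  my = {
+    firewall =
+    let
+      jamIP = net.cidr.host 0 prefixes.jam.v4;
+    in
+    {
+      nat.forwardPorts."${assignments.internal.ipv4.address}" = [
+        {
+          port = 60022;
+          dst = jamIP;
+          dstPort = "ssh";
+        }
+      ];
+      extraRules = ''
+        table inet filter {
+          chain forward {
+            iifname { ve-jam } oifname vms accept
+            iifname vms oifname { ve-jam } accept
+          }
+        }
+
+        table inet nat {
+          chain postrouting {
+            ip saddr ${jamIP} snat to ${assignments.internal.ipv4.address}
+          }
+        }
+      '';
+    };
+  };
+}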
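Review bot: `custRouting.jam-ctr` in the `50-ve-jam` `address` list is given without a prefix length, unlike the two other uses of `custRouting.*` in this commit, which append `/32` (`"${custRouting.mail-vm}/32"`, `"${custRouting.darts-vm}/32"`); as far as I recall networkd's `Address=` then assumes a default prefix length with a warning rather than rejecting the entry, and that default is not necessarily /32, so the veth could get a much wider connected route than intended — write it as `"${custRouting.jam-ctr}/32"` to match. Separately, the `extraRules` forward chain accepts all traffic between `ve-jam` and `vms` in both directions, which gives the container unrestricted reach into every VM behind that interface; if that is intended, a comment saying so (and why) would help, otherwise narrow the two rules to the destinations and ports the container actually needs. `overrideStrategy = "asDropin"` here duplicates what the containers module now sets for its own instances, which is fine for a hand-managed nspawn unit but deserves a `# hand-managed unit, not via the containers module` comment so nobody tries to fold it in later.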
@@ -49,7 +49,11 @@ in
 | 
			
		||||
        inherit (lib.my) networkdAssignment;
 | 
			
		||||
      in
 | 
			
		||||
      {
 | 
			
		||||
        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
 | 
			
		||||
        imports = [
 | 
			
		||||
          "${modulesPath}/profiles/qemu-guest.nix"
 | 
			
		||||
 | 
			
		||||
          ./containers-ext.nix
 | 
			
		||||
        ];
 | 
			
		||||
 | 
			
		||||
        config = mkMerge [
 | 
			
		||||
          {
 | 
			
		||||
 
 | 
			
		||||
@@ -123,18 +123,7 @@ in
 | 
			
		||||
          (n: _: "ve-${n}")
 | 
			
		||||
          (filterAttrs (_: c: c.networking.bridge == null) cfg.instances);
 | 
			
		||||
 | 
			
		||||
      systemd = mkMerge ([
 | 
			
		||||
        {
 | 
			
		||||
          # By symlinking to the original systemd-nspawn@.service for every instance we force the unit generator to
 | 
			
		||||
          # create overrides instead of replacing the unit entirely
 | 
			
		||||
          packages = [
 | 
			
		||||
            (pkgs.linkFarm "systemd-nspawn-containers" (map (n: {
 | 
			
		||||
              name = "etc/systemd/system/systemd-nspawn@${n}.service";
 | 
			
		||||
              path = "${pkgs.systemd}/example/systemd/system/systemd-nspawn@.service";
 | 
			
		||||
            }) (attrNames cfg.instances)))
 | 
			
		||||
          ];
 | 
			
		||||
        }
 | 
			
		||||
      ] ++ (mapAttrsToList (n: c: {
 | 
			
		||||
      systemd = mkMerge (mapAttrsToList (n: c: {
 | 
			
		||||
        nspawn."${n}" = {
 | 
			
		||||
          execConfig = {
 | 
			
		||||
            Boot = true;
 | 
			
		||||
@@ -182,6 +171,9 @@ in
 | 
			
		||||
            c.containerSystem;
 | 
			
		||||
        in
 | 
			
		||||
        {
 | 
			
		||||
          # To prevent creating a whole new unit file
 | 
			
		||||
          overrideStrategy = "asDropin";
 | 
			
		||||
 | 
			
		||||
          environment = {
 | 
			
		||||
            # systemd.nspawn units can't set the root directory directly, but /run/machines/${n} is one of the search paths
 | 
			
		||||
            root = "/run/machines/${n}";
 | 
			
		||||
@@ -247,7 +239,7 @@ in
 | 
			
		||||
            Bridge = c.networking.bridge;
 | 
			
		||||
          };
 | 
			
		||||
        };
 | 
			
		||||
      }) cfg.instances));
 | 
			
		||||
      }) cfg.instances);
 | 
			
		||||
    })
 | 
			
		||||
 | 
			
		||||
    # Inside container
 | 
			
		||||
 
 | 
			
		||||