lib/constants.nix

@@ -111,7 +111,7 @@ rec {
   };
 
   pubDomain = "nul.ie";
-  colony = rec {
+  colony = {
     domain = "ams1.int.${pubDomain}";
     pubV4 = "94.142.240.44";
     prefixes = with lib.my.net.cidr; rec {
@@ -148,10 +148,6 @@ rec {
         v4 = "94.142.242.255/32";
         v6 = subnet 8 1 cust.v6;
       };
-      jam = {
-        v4 = subnet 8 4 cust.v4;
-        v6 = subnet 8 2 cust.v6;
-      };
 
       vip1 = "94.142.241.224/30";
       vip2 = "94.142.242.254/31";
@@ -164,12 +160,6 @@ rec {
       home.v6 = "2a0e:97c0:4d0::/48";
     };
 
-    custRouting = with lib.my.net.cidr; {
-      mail-vm = host 1 prefixes.cust.v4;
-      darts-vm = host 2 prefixes.cust.v4;
-      jam-ctr = host 3 prefixes.cust.v4;
-    };
-
     firewallForwards = aa: [
       {
         port = "http";
@@ -183,7 +173,6 @@ rec {
         port = 8448;
         dst = aa.middleman.internal.ipv4.address;
       }
-
       {
         port = 25565;
         dst = aa.simpcraft-oci.internal.ipv4.address;
@@ -192,7 +181,6 @@ rec {
         port = 25566;
         dst = aa.simpcraft-staging-oci.internal.ipv4.address;
       }
-
       {
         port = 25575;
         dst = aa.simpcraft-oci.internal.ipv4.address;

nixos/boxes/colony/default.nix

@@ -1,7 +1,7 @@
 { lib, ... }:
 let
   inherit (lib.my) net;
-  inherit (lib.my.c.colony) domain prefixes custRouting firewallForwards;
+  inherit (lib.my.c.colony) domain prefixes firewallForwards;
 in
 {
   imports = [ ./vms ];
@@ -276,10 +276,6 @@ in
                       Destination = lib.my.c.tailscale.prefix.v6;
                       Gateway = allAssignments.shill.internal.ipv6.address;
                     }
-                    {
-                      Destination = prefixes.jam.v6;
-                      Gateway = allAssignments.shill.internal.ipv6.address;
-                    }
 
                     {
                       Destination = prefixes.oci.v4;
@@ -311,7 +307,7 @@ in
               "90-vm-mail" = {
                 matchConfig.Name = "vm-mail";
                 address = [
-                  "${custRouting.mail-vm}/32"
+                  (net.cidr.subnet 8 1 prefixes.cust.v4)
                   prefixes.mail.v6
                 ];
                 networkConfig = {
@@ -334,7 +330,7 @@ in
               "90-vm-darts" = {
                 matchConfig.Name = "vm-darts";
                 address = [
-                  "${custRouting.darts-vm}/32"
+                  (net.cidr.subnet 8 2 prefixes.cust.v4)
                   prefixes.darts.v6
                 ];
                 networkConfig = {

nixos/boxes/colony/vms/default.nix

@@ -131,7 +131,6 @@
               (vm.lvmDisk "media")
               (vm.lvmDisk "minio")
               (vm.lvmDisk "nix-atticd")
-              (vm.lvmDisk "jam")
             ]);
           };
 

nixos/boxes/colony/vms/estuary/default.nix

@@ -394,9 +394,6 @@ in
                       # Safe enough to allow all SSH
                       tcp dport ssh accept
 
-                      # jam-ctr forwards
-                      ip daddr ${aa.shill.internal.ipv4.address} tcp dport 60022 accept
-
                       ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
                       ${matchInet "tcp dport { http, https } accept" "git"}
                       ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept

nixos/boxes/colony/vms/estuary/dns.nix

@@ -2,7 +2,7 @@
 let
   inherit (builtins) attrNames;
   inherit (lib.my) net;
-  inherit (lib.my.c.colony) prefixes custRouting;
+  inherit (lib.my.c.colony) prefixes;
 
   authZones = attrNames config.my.pdns.auth.bind.zones;
 in
@@ -162,10 +162,6 @@ in
 
             andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
 
-            jam-cust IN A ${net.cidr.host 0 prefixes.jam.v4}
-            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
-            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
-
             $TTL 3
             _acme-challenge IN LUA TXT @@FILE@@
 

nixos/boxes/colony/vms/shill/containers-ext.nix

@@ -1,105 +0,0 @@
-{ lib, pkgs, assignments, ... }:
-let
-  inherit (lib.my) net;
-  inherit (lib.my.c.colony) prefixes custRouting;
-in
-{
-  fileSystems = {
-    "/mnt/jam" = {
-      device = "/dev/disk/by-label/jam";
-      fsType = "ext4";
-    };
-
-    "/var/lib/machines/jam" = {
-      device = "/mnt/jam";
-      options = [ "bind" ];
-    };
-  };
-
-  systemd = {
-    nspawn = {
-      jam = {
-        enable = true;
-        execConfig = {
-          Boot = true;
-          PrivateUsers = "pick";
-          LinkJournal = false;
-        };
-        networkConfig = {
-          Private = true;
-          VirtualEthernet = true;
-        };
-      };
-    };
-    network.networks = {
-      "50-ve-jam" = {
-        matchConfig = {
-          Kind = "veth";
-          Name = "ve-jam";
-        };
-        address = [
-          custRouting.jam-ctr
-          prefixes.jam.v6
-        ];
-        networkConfig = {
-          IPv6AcceptRA = false;
-          IPv6SendRA = true;
-        };
-        ipv6Prefixes = [
-          {
-            ipv6PrefixConfig.Prefix = prefixes.jam.v6;
-          }
-        ];
-        routes = map (r: { routeConfig = r; }) [
-          {
-            Destination = prefixes.jam.v4;
-            Scope = "link";
-          }
-        ];
-      };
-    };
-    services = {
-      "systemd-nspawn@jam" = {
-        overrideStrategy = "asDropin";
-
-        serviceConfig = {
-          CPUQuota = "400%";
-          MemoryHigh = "4G";
-          MemoryMax = "4.5G";
-        };
-
-        wantedBy = [ "machines.target" ];
-      };
-    };
-  };
-
-  my = {
-    firewall =
-    let
-      jamIP = net.cidr.host 0 prefixes.jam.v4;
-    in
-    {
-      nat.forwardPorts."${assignments.internal.ipv4.address}" = [
-        {
-          port = 60022;
-          dst = jamIP;
-          dstPort = "ssh";
-        }
-      ];
-      extraRules = ''
-        table inet filter {
-          chain forward {
-            iifname { ve-jam } oifname vms accept
-            iifname vms oifname { ve-jam } accept
-          }
-        }
-
-        table inet nat {
-          chain postrouting {
-            ip saddr ${jamIP} snat to ${assignments.internal.ipv4.address}
-          }
-        }
-      '';
-    };
-  };
-}

nixos/boxes/colony/vms/shill/default.nix

@@ -49,11 +49,7 @@ in
         inherit (lib.my) networkdAssignment;
       in
       {
-        imports = [
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
-          "${modulesPath}/profiles/qemu-guest.nix"
-
-          ./containers-ext.nix
-        ];
 
         config = mkMerge [
           {

nixos/modules/containers.nix

@@ -123,7 +123,18 @@ in
           (n: _: "ve-${n}")
           (filterAttrs (_: c: c.networking.bridge == null) cfg.instances);
 
-      systemd = mkMerge (mapAttrsToList (n: c: {
+      systemd = mkMerge ([
+        {
+          # By symlinking to the original systemd-nspawn@.service for every instance we force the unit generator to
+          # create overrides instead of replacing the unit entirely
+          packages = [
+            (pkgs.linkFarm "systemd-nspawn-containers" (map (n: {
+              name = "etc/systemd/system/systemd-nspawn@${n}.service";
+              path = "${pkgs.systemd}/example/systemd/system/systemd-nspawn@.service";
+            }) (attrNames cfg.instances)))
+          ];
+        }
+      ] ++ (mapAttrsToList (n: c: {
         nspawn."${n}" = {
           execConfig = {
             Boot = true;
@@ -171,9 +182,6 @@ in
             c.containerSystem;
         in
         {
-          # To prevent creating a whole new unit file
-          overrideStrategy = "asDropin";
-
           environment = {
             # systemd.nspawn units can't set the root directory directly, but /run/machines/${n} is one of the search paths
             root = "/run/machines/${n}";
@@ -239,7 +247,7 @@ in
             Bridge = c.networking.bridge;
           };
         };
-      }) cfg.instances);
+      }) cfg.instances));
     })
 
     # Inside container