server: remove microvm

Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-11-26 10:06:13 +01:00 · 2024-06-26 23:19:41 +02:00 · 2024-06-26 23:19:41 +02:00 · 304b89bfe0
parent 3cc3e6c8d6
commit 304b89bfe0
2 changed files with 0 additions and 225 deletions
--- a/nixos/systems/blowhole/default.nix
+++ b/nixos/systems/blowhole/default.nix
@ -57,7 +57,6 @@ in {
          ./disk_monitoring.nix
          ./sol.nix
          ../../common/remote_access.nix
          ./microvms.nix
          ./ssh-machine-access.nix
          ../../modules/notify-login.nix
          ./uk3s.nix
--- a/nixos/systems/blowhole/microvms.nix
+++ b/nixos/systems/blowhole/microvms.nix
@ -1,224 +0,0 @@
 # SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
 #
 # SPDX-License-Identifier: LGPL-3.0-or-later
 {
  notnft,
  inputs',
  lib,
  config,
  ...
 }: let
  inherit
    (lib)
    mkBefore
    flip
    genAttrs
    ;
 in {
  networking.notnft = {
    enable = true;
    flush = false;
  };
  networking.notnft.preRules = [
    {
      add.table = {
        family = "bridge";
        name = "bridge-t";
      };
    }
    {
      flush.table = {
        family = "bridge";
        name = "bridge-t";
      };
    }
  ];
  networking.notnft.rules = let
    interfaces = ["mvm-test" "mvm0"];
    logRule = with notnft.dsl;
    with payload;
      prefix: [
        (log {
          prefix = "${prefix} dropped:  ";
          flags = f: [f.all];
        })
      ];
    dropRule = with notnft.dsl; with payload; [drop];
  in
    with notnft.dsl;
    with payload;
      ruleset {
        bridge-t = add table {family = f: f.bridge;} {
          input-body = add chain;
          input-mvm =
            add chain
            [
              (vmap ct.state {
                established = accept;
                related = accept;
                invalid = drop;
              })
            ]
            [(is.eq meta.protocol (f: f.arp)) accept]
            [(mangle meta.nftrace 1)]
            [(jump "input-body")]
            (logRule "Bridge input")
            dropRule;
          input =
            add chain
            {
              type = f: f.filter;
              hook = f: f.input;
              prio = 0;
              policy = f: f.accept;
            }
            [(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
            [(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
          output-body = add chain;
          output-mvm =
            add chain
            [(is.eq ether.type (f: f.arp)) accept]
            [(mangle meta.nftrace 1)]
            [(jump "output-body")]
            (logRule "Bridge output")
            dropRule;
          output =
            add chain
            {
              type = f: f.filter;
              hook = f: f.output;
              prio = 0;
              policy = f: f.accept;
            }
            [(vmap meta.iifname (genAttrs interfaces (_: (goto "output-mvm"))))]
            [(vmap meta.oifname (genAttrs interfaces (_: (goto "output-mvm"))))];
          forward-body = add chain;
          forward-mvm =
            add chain
            [(mangle meta.nftrace 1)]
            [(jump "forward-body")]
            (logRule "Bridge forward")
            dropRule;
          forward =
            add chain
            {
              type = f: f.filter;
              hook = f: f.forward;
              prio = 0;
              policy = f: f.accept;
            }
            [(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
            [(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
          # prerouting = add chain
          #   { type = f: f.filter; hook = f: f.prerouting; prio = -300; policy = f: f.accept; }
          # ;
          # postrouting = add chain
          #   { type = f: f.filter; hook = f: f.postrouting; prio = -300; policy = f: f.accept; }
          # ;
        };
      };
  systemd.services.notnftables = {
    requires = ["nftables.service"];
    after = ["nftables.service"];
  };
  networking.bridges.mvm0 = {
    interfaces = [];
  };
  networking.interfaces.mvm0 = {
    useDHCP = false;
    ipv4.addresses = [
      {
        address = "10.80.1.1";
        prefixLength = 24;
      }
    ];
  };
  microvm.services.tcpUdp.test-ssh = {
    hostName = "test";
    port = 22;
    protocol = ["tcp"];
  };
  microvm.services.tcpUdp.test-http = {
    hostName = "test";
    port = 80;
    protocol = ["tcp"];
  };
  microvm.services.icmp.test = {
    hostName = "test";
  };
  microvm.connections.tcpUdp = [
    {
      target = "test-ssh";
    }
    {
      target = "test-http";
    }
  ];
  microvm.connections.icmp = [
    {
      target = "test";
    }
  ];
  microvm.vms = {
    test.config = {
      imports = [inputs'.self.nixosModules.microvm-extras];
      microvm = {
        hostName = "test";
        hostsHostName = "omen";
        groupId = 1;
        taskId = 2;
      };
      microvm.hypervisor = "cloud-hypervisor";
      microvm.shares = [
        {
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
          tag = "ro-store";
          proto = "virtiofs";
        }
      ];
      microvm.storeOnDisk = false;
      networking.firewall.allowedTCPPorts = [80 22];
      services.nginx = {
        enable = true;
        virtualHosts."example.com" = {
          root = "/var/www/blog";
        };
      };
      users.users.root.password = "";
      services.getty.helpLine = ''
        Log in as "root" with an empty password.
      '';
      services.openssh = {
        enable = true;
        settings.PermitRootLogin = "yes";
      };
    };
  };
 }