server: remove microvm
Signed-off-by: magic_rb <magic_rb@redalder.org>
parent
3cc3e6c8d6
commit
304b89bfe0
@ -57,7 +57,6 @@ in {
|
|||
./disk_monitoring.nix
|
||||
./sol.nix
|
||||
../../common/remote_access.nix
|
||||
./microvms.nix
|
||||
./ssh-machine-access.nix
|
||||
../../modules/notify-login.nix
|
||||
./uk3s.nix
|
||||
|
|
|
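--- a/PATH-NOT-ON-PAGE/microvms.nix
+++ /dev/null
@@ -1,224 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
-#
-# SPDX-License-Identifier: LGPL-3.0-or-later
-{
-notnft,
-inputs',
-lib,
-config,
-...
-}: let
-inherit
-(lib)
-mkBefore
-flip
-genAttrs
-;
-in {
-networking.notnft = {
-enable = true;
-flush = false;
-};
-
-networking.notnft.preRules = [
-{
-add.table = {
-family = "bridge";
-name = "bridge-t";
-};
-}
-{
-flush.table = {
-family = "bridge";
-name = "bridge-t";
-};
-}
-];
-
-networking.notnft.rules = let
-interfaces = ["mvm-test" "mvm0"];
-logRule = with notnft.dsl;
-with payload;
-prefix: [
-(log {
-prefix = "${prefix} dropped: ";
-flags = f: [f.all];
-})
-];
-
-dropRule = with notnft.dsl; with payload; [drop];
-in
-with notnft.dsl;
-with payload;
-ruleset {
-bridge-t = add table {family = f: f.bridge;} {
-input-body = add chain;
-
-input-mvm =
-add chain
-[
-(vmap ct.state {
-established = accept;
-related = accept;
-invalid = drop;
-})
-]
-[(is.eq meta.protocol (f: f.arp)) accept]
-[(mangle meta.nftrace 1)]
-[(jump "input-body")]
-(logRule "Bridge input")
-dropRule;
-
-input =
-add chain
-{
-type = f: f.filter;
-hook = f: f.input;
-prio = 0;
-policy = f: f.accept;
-}
-[(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
-[(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
-
-output-body = add chain;
-
-output-mvm =
-add chain
-[(is.eq ether.type (f: f.arp)) accept]
-[(mangle meta.nftrace 1)]
-[(jump "output-body")]
-(logRule "Bridge output")
-dropRule;
-
-output =
-add chain
-{
-type = f: f.filter;
-hook = f: f.output;
-prio = 0;
-policy = f: f.accept;
-}
-[(vmap meta.iifname (genAttrs interfaces (_: (goto "output-mvm"))))]
-[(vmap meta.oifname (genAttrs interfaces (_: (goto "output-mvm"))))];
-
-forward-body = add chain;
-
-forward-mvm =
-add chain
-[(mangle meta.nftrace 1)]
-[(jump "forward-body")]
-(logRule "Bridge forward")
-dropRule;
-
-forward =
-add chain
-{
-type = f: f.filter;
-hook = f: f.forward;
-prio = 0;
-policy = f: f.accept;
-}
-[(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
-[(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
-
-# prerouting = add chain
-# { type = f: f.filter; hook = f: f.prerouting; prio = -300; policy = f: f.accept; }
-# ;
-
-# postrouting = add chain
-# { type = f: f.filter; hook = f: f.postrouting; prio = -300; policy = f: f.accept; }
-# ;
-};
-};
-
-systemd.services.notnftables = {
-requires = ["nftables.service"];
-after = ["nftables.service"];
-};
-
-networking.bridges.mvm0 = {
-interfaces = [];
-};
-
-networking.interfaces.mvm0 = {
-useDHCP = false;
-ipv4.addresses = [
-{
-address = "10.80.1.1";
-prefixLength = 24;
-}
-];
-};
-
-microvm.services.tcpUdp.test-ssh = {
-hostName = "test";
-port = 22;
-protocol = ["tcp"];
-};
-
-microvm.services.tcpUdp.test-http = {
-hostName = "test";
-port = 80;
-protocol = ["tcp"];
-};
-
-microvm.services.icmp.test = {
-hostName = "test";
-};
-
-microvm.connections.tcpUdp = [
-{
-target = "test-ssh";
-}
-{
-target = "test-http";
-}
-];
-microvm.connections.icmp = [
-{
-target = "test";
-}
-];
-
-microvm.vms = {
-test.config = {
-imports = [inputs'.self.nixosModules.microvm-extras];
-
-microvm = {
-hostName = "test";
-hostsHostName = "omen";
-groupId = 1;
-taskId = 2;
-};
-
-microvm.hypervisor = "cloud-hypervisor";
-microvm.shares = [
-{
-source = "/nix/store";
-mountPoint = "/nix/.ro-store";
-tag = "ro-store";
-proto = "virtiofs";
-}
-];
-microvm.storeOnDisk = false;
-
-networking.firewall.allowedTCPPorts = [80 22];
-
-services.nginx = {
-enable = true;
-virtualHosts."example.com" = {
-root = "/var/www/blog";
-};
-};
-
-users.users.root.password = "";
-services.getty.helpLine = ''
-Log in as "root" with an empty password.
-'';
-services.openssh = {
-enable = true;
-settings.PermitRootLogin = "yes";
-};
-};
-};
-}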