Commit a44b612c8f59
Changed files (3)
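--- a/systems/aomi/extra.nix
+++ b/systems/aomi/extra.nix
@@ -32,6 +32,14 @@
 # Firewall is enabled in openshift-port-forward.nix
 # networking.firewall.enable = false;
+# OpenShift SNO endpoints
+networking.extraHosts = ''
+192.168.100.7 api.ocp4.lab.home
+192.168.100.7 api-int.ocp4.lab.home
+192.168.100.7 console-openshift-console.apps.ocp4.lab.home
+192.168.100.7 oauth-openshift.apps.ocp4.lab.home
+'';
+
 # TODO make it an option ? (otherwise I'll add it for all)
 users.users.vincent.linger = true;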
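Review bot: `/etc/hosts` has no wildcard support, so of the `*.apps.ocp4.lab.home` routes only the two listed here (console and oauth) resolve from this host; any other route published by the cluster will need its own line, which is easy to forget. A comment above the block would make that explicit: `# No wildcard in /etc/hosts: every *.apps.ocp4.lab.home route used from this host needs its own entry`. `api-int` is normally only resolved from inside the cluster, so its entry is presumably harmless but unnecessary here — confirm it is actually used from the host.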
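--- a/systems/aomi/openshift-port-forward.nix
+++ b/systems/aomi/openshift-port-forward.nix
@@ -12,84 +12,92 @@
 nftables = {
 enable = true;
-# Complete nftables ruleset managing both NAT and filtering
-ruleset = ''
-# NAT table for port forwarding
-table ip nat {
-chain prerouting {
-type nat hook prerouting priority dstnat; policy accept;
+# IMPORTANT: Using tables instead of ruleset to allow libvirt to manage its own table
+# If we use ruleset, it completely replaces everything and libvirt can't create its table
+tables = {
+"nat" = {
+family = "ip";
+content = ''
+chain prerouting {
+type nat hook prerouting priority dstnat; policy accept;
-# Forward HTTP, HTTPS, and API traffic to OpenShift VM
-# Only from interfaces that are NOT virbr1 (to avoid loops)
-iifname != "virbr1" tcp dport 80 dnat to 192.168.100.7:80
-iifname != "virbr1" tcp dport 443 dnat to 192.168.100.7:443
-iifname != "virbr1" tcp dport 6443 dnat to 192.168.100.7:6443
-}
+# Forward HTTP, HTTPS, and API traffic to OpenShift VM
+# Only from interfaces that are NOT virbr1 (to avoid loops)
+iifname != "virbr1" tcp dport 80 dnat to 192.168.100.7:80
+iifname != "virbr1" tcp dport 443 dnat to 192.168.100.7:443
+iifname != "virbr1" tcp dport 6443 dnat to 192.168.100.7:6443
+}
-chain postrouting {
-type nat hook postrouting priority srcnat; policy accept;
+chain postrouting {
+type nat hook postrouting priority srcnat; policy accept;
-# Masquerade traffic from libvirt network to external destinations
-ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 masquerade
-}
+# Masquerade traffic from libvirt network to external destinations
+ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 masquerade
+}
-chain output {
-type nat hook output priority dstnat; policy accept;
+chain output {
+type nat hook output priority dstnat; policy accept;
-# Forward localhost traffic destined for LAN IP to OpenShift VM
-ip daddr 192.168.1.23 tcp dport 80 dnat to 192.168.100.7:80
-ip daddr 192.168.1.23 tcp dport 443 dnat to 192.168.100.7:443
-ip daddr 192.168.1.23 tcp dport 6443 dnat to 192.168.100.7:6443
-}
-}
+# Forward localhost traffic destined for LAN IP to OpenShift VM
+ip daddr 192.168.1.23 tcp dport 80 dnat to 192.168.100.7:80
+ip daddr 192.168.1.23 tcp dport 443 dnat to 192.168.100.7:443
+ip daddr 192.168.1.23 tcp dport 6443 dnat to 192.168.100.7:6443
+}
+'';
+};
+"filter" = {
+family = "inet";
+content = ''
+chain input {
+type filter hook input priority filter; policy drop;
-# Filter table for firewall rules
-table inet filter {
-chain input {
-type filter hook input priority filter; policy drop;
+# Allow established/related connections
+ct state { established, related } accept
-# Allow established/related connections
-ct state { established, related } accept
+# Allow loopback
+iifname "lo" accept
-# Allow loopback
-iifname "lo" accept
+# Allow trusted interfaces
+iifname { "wg0", "docker0" } accept
-# Allow trusted interfaces
-iifname { "wg0", "docker0" } accept
+# Allow ICMP (ping)
+ip protocol icmp accept
+ip6 nexthdr ipv6-icmp accept
-# Allow ICMP (ping)
-ip protocol icmp accept
-ip6 nexthdr ipv6-icmp accept
+# Allow SSH
+tcp dport 22 accept
-# Allow SSH
-tcp dport 22 accept
+# Allow OpenShift ports
+tcp dport { 80, 443, 6443 } accept
-# Allow OpenShift ports
-tcp dport { 80, 443, 6443 } accept
+# Allow libvirt
+tcp dport 16509 accept
-# Allow libvirt
-tcp dport 16509 accept
+# Allow mDNS
+udp dport 5353 accept
+}
-# Allow mDNS
-udp dport 5353 accept
-}
+chain forward {
+type filter hook forward priority filter; policy accept;
-chain forward {
-type filter hook forward priority filter; policy accept;
+# Allow established/related connections
+ct state { established, related } accept
-# Allow established/related connections
-ct state { established, related } accept
+# Allow forwarding to/from the libvirt OpenShift network
+ip daddr 192.168.100.0/24 accept
+ip saddr 192.168.100.0/24 accept
+}
-# Allow forwarding to/from the libvirt OpenShift network
-ip daddr 192.168.100.0/24 accept
-ip saddr 192.168.100.0/24 accept
-}
+chain output {
+type filter hook output priority filter; policy accept;
+}
+'';
+};
+};
-chain output {
-type filter hook output priority filter; policy accept;
-}
-}
-'';
+# Old ruleset approach - completely removed
+# Using ruleset would prevent libvirt from managing its own table
+# See tables configuration above instead
 };
 # Disable the default NixOS firewall since we're using custom nftables ruleset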
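Review bot: The new `filter` table's `forward` chain keeps `policy accept;`, so the three `accept` rules under it (established/related and the two 192.168.100.0/24 lines) never decide anything and the host forwards whatever is routed between br1, wg0, docker0 and virbr1. If the intent is to gate forwarding to the libvirt network, the chain wants `type filter hook forward priority filter; policy drop;` like `input` does, which makes those subnet rules load-bearing; a drop verdict here is final even when libvirt's own table accepts the same packet, so those two rules must stay once the policy changes. This is carried over from the old ruleset, but splitting into per-table management is the moment to settle it. The trailing block comment (`# Old ruleset approach - completely removed …`) repeats the IMPORTANT note at the top of `tables` and records history git already keeps; I would drop those three lines.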
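--- a/systems/common/services/libvirt.nix
+++ b/systems/common/services/libvirt.nix
@@ -8,6 +8,7 @@
 virtualisation.libvirtd = {
 enable = true;
 allowedBridges = [ "br1" ]; # Could be different dependinng on the host ?
+firewallBackend = "nftables";
 extraConfig = ''
 listen_tls = 0
 listen_tcp = 1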
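Review bot: `firewallBackend = "nftables";` is written as a first-class `virtualisation.libvirtd` option; confirm it exists in the nixpkgs revision this host pins, because the module system fails evaluation on an unknown option rather than ignoring it (the libvirt-side setting it presumably maps to is `firewall_backend` in `network.conf`). If 192.168.100.0/24 is a libvirt NAT-mode network, libvirt's own nftables table will masquerade it as well, which makes the hand-written `postrouting` masquerade in openshift-port-forward.nix redundant at best; a comment here would keep the two files honest, e.g. `# libvirt manages its own nftables table; keep the nat rules in systems/aomi/openshift-port-forward.nix in sync`. The `extraConfig` string and the enclosing attrset continue outside the hunk.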