Commit bbf4f81e6c33

Vincent Demeester <vincent@sbr.pm>
2025-12-10 17:17:59
feat(aomi): Add OpenShift SNO lab with port forwarding
- Enable external access to OpenShift cluster running in libvirt VM - Forward HTTPS and Kubernetes API traffic from host to VM network - Provide DNS resolution for lab.ocp4.home cluster endpoints - Replace obsolete multi-node OpenShift DNS with SNO configuration Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 55064cf
Changed files (3)
systems/aomi/extra.nix
@@ -24,9 +24,13 @@
     # ../common/services/gitea-runner
 
     ../redhat
+
+    # OpenShift port forwarding
+    ./openshift-port-forward.nix
   ];
 
-  networking.firewall.enable = false;
+  # Firewall is enabled in openshift-port-forward.nix
+  # networking.firewall.enable = false;
 
   boot.supportedFilesystems = [ "nfs" ];
 
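Review bot: The commented-out `networking.firewall.enable = false;` line in this hunk is dead configuration and would be better deleted than kept: the new module sets `enable = true` explicitly, so re-enabling the line later would only produce a conflicting-definition error at evaluation time. A single comment is enough here, e.g. `# Firewall (and the NAT/forwarding rules) are configured in openshift-port-forward.nix`. The enclosing attrset starts and ends outside the hunk.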
systems/aomi/openshift-port-forward.nix
@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+  # Enable IP forwarding for libvirt network
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+
+  networking.firewall = {
+    enable = true;
+
+    # Open ports that will be forwarded to OpenShift
+    allowedTCPPorts = [
+      443 # HTTPS - OpenShift console and apps
+      6443 # Kubernetes API
+    ];
+
+    # NAT rules to forward traffic to OpenShift VM
+    extraCommands = ''
+      # Get the primary home network interface
+      HOME_IFACE=$(ip route | grep default | awk '{print $5}' | head -1)
+
+      # Forward HTTPS traffic (443) to OpenShift
+      iptables -t nat -A PREROUTING -i $HOME_IFACE -p tcp --dport 443 -j DNAT --to-destination 192.168.100.7:443
+
+      # Forward Kubernetes API (6443) to OpenShift
+      iptables -t nat -A PREROUTING -i $HOME_IFACE -p tcp --dport 6443 -j DNAT --to-destination 192.168.100.7:6443
+
+      # Enable masquerading for libvirt network to access internet
+      iptables -t nat -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
+
+      # Allow forwarding between interfaces
+      iptables -A FORWARD -i $HOME_IFACE -o virbr1 -j ACCEPT
+      iptables -A FORWARD -i virbr1 -o $HOME_IFACE -j ACCEPT
+    '';
+
+    extraStopCommands = ''
+      HOME_IFACE=$(ip route | grep default | awk '{print $5}' | head -1)
+
+      # Clean up forwarding rules
+      iptables -t nat -D PREROUTING -i $HOME_IFACE -p tcp --dport 443 -j DNAT --to-destination 192.168.100.7:443 2>/dev/null || true
+      iptables -t nat -D PREROUTING -i $HOME_IFACE -p tcp --dport 6443 -j DNAT --to-destination 192.168.100.7:6443 2>/dev/null || true
+      iptables -t nat -D POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE 2>/dev/null || true
+    '';
+  };
+}
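Review bot: extraStopCommands removes the three nat-table rules but not the two `-A FORWARD` rules appended in extraCommands, so every firewall restart or reload leaves another pair of ACCEPT entries in the FORWARD chain. The first FORWARD rule also accepts any traffic entering on $HOME_IFACE and leaving on virbr1, not just the two DNATed services; restricting it to `-d 192.168.100.7 -p tcp -m multiport --dports 443,6443` keeps aomi from acting as a general router into the lab network should a LAN client add a route for 192.168.100.0/24. HOME_IFACE comes from `ip route | grep default` with no fallback, so on a host without a default route the variable is empty and each iptables line fails, taking the firewall unit down with it. Note that allowedTCPPorts only affects the host's own INPUT chain; the DNATed flows never reach it, so those two entries expose host-local listeners on 443/6443 rather than enabling the forwarding. The NixOS `networking.nat` module (`externalInterface`, `internalInterfaces`, `forwardPorts`) expresses the same DNAT/MASQUERADE pairs and handles their removal; if the hand-written rules are kept, the rewritten lines below tighten and clean them up.

```nix
    extraCommands = ''
      # … unchanged: HOME_IFACE lookup, DNAT and MASQUERADE rules …

      # Only forward the two services that are DNATed above to the SNO VM
      iptables -A FORWARD -i $HOME_IFACE -o virbr1 -d 192.168.100.7 -p tcp -m multiport --dports 443,6443 -j ACCEPT
      iptables -A FORWARD -i virbr1 -o $HOME_IFACE -j ACCEPT
    '';

    extraStopCommands = ''
      # … unchanged: HOME_IFACE lookup, nat rule removal …

      # Remove the FORWARD rules as well, otherwise they accumulate on restart
      iptables -D FORWARD -i $HOME_IFACE -o virbr1 -d 192.168.100.7 -p tcp -m multiport --dports 443,6443 -j ACCEPT 2>/dev/null || true
      iptables -D FORWARD -i virbr1 -o $HOME_IFACE -j ACCEPT 2>/dev/null || true
    '';
```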
systems/common/services/dns/home.nix
@@ -66,70 +66,22 @@ in
     remakrable.A = [ "192.168.1.57" ];
     hass.A = [ "192.168.1.181" ];
 
-    #   # OpenShift infrastructure
-    #   vm0.A = [ "192.168.1.120" ];
-    #   vm1.A = [ "192.168.1.121" ];
-    #   vm2.A = [ "192.168.1.122" ];
-    #   vm3.A = [ "192.168.1.123" ];
-    #   vm4.A = [ "192.168.1.124" ];
-    #   vm5.A = [ "192.168.1.125" ];
-    #   vm6.A = [ "192.168.1.126" ];
-    #   vm7.A = [ "192.168.1.127" ];
-    #   vm8.A = [ "192.168.1.128" ];
-    #   vm9.A = [ "192.168.1.129" ];
-    #
-    #   ocp = {
-    #     subdomains = {
-    #       api.A = [ "192.168.1.120" ];
-    #       api-int.A = [ "192.168.1.120" ];
-    #       apps.subdomains."*".A = [ "192.168.1.120" ];
-    #       master0.A = [ "192.168.1.121" ];
-    #       master1.A = [ "192.168.1.122" ];
-    #       master3.A = [ "192.168.1.123" ];
-    #       worker1.A = [ "192.168.1.124" ];
-    #       worker2.A = [ "192.168.1.125" ];
-    #       worker3.A = [ "192.168.1.126" ];
-    #       worker4.A = [ "192.168.1.127" ];
-    #       worker5.A = [ "192.168.1.128" ];
-    #       bootstrap.A = [ "192.168.1.129" ];
-    #       etcd-0.A = [ "192.168.1.121" ];
-    #       etcd-1.A = [ "192.168.1.122" ];
-    #       etcd-2.A = [ "192.168.1.123" ];
-    #     };
-    #     SRV = [
-    #       {
-    #         service = "etcd-server-ssl";
-    #         proto = "tcp";
-    #         priority = 0;
-    #         weight = 10;
-    #         port = 2380;
-    #         target = "etcd-0.ocp.home.";
-    #       }
-    #       {
-    #         service = "etcd-server-ssl";
-    #         proto = "tcp";
-    #         priority = 0;
-    #         weight = 10;
-    #         port = 2380;
-    #         target = "etcd-1.ocp.home.";
-    #       }
-    #       {
-    #         service = "etcd-server-ssl";
-    #         proto = "tcp";
-    #         priority = 0;
-    #         weight = 10;
-    #         port = 2380;
-    #         target = "etcd-2.ocp.home.";
-    #       }
-    #     ];
-    #   };
-    #
-    #   # k8s nodes
-    #   ubnt1.A = [ "192.168.1.130" ];
-    #   ubnt2.A = [ "192.168.1.131" ];
-    #   k8sn1.A = [ "192.168.1.130" ];
-    #   k8sn2.A = [ "192.168.1.131" ];
-    #   k8sn3.A = [ "192.168.1.132" ];
+    # OpenShift SNO lab
+    lab = {
+      subdomains = {
+        # OCP4 SNO cluster
+        ocp4 = {
+          subdomains = {
+            # Point to aomi (host) which will forward to the VM
+            api.A = [ "192.168.1.23" ];
+            api-int.A = [ "192.168.1.23" ];
+            apps.subdomains."*".A = [ "192.168.1.23" ];
+            # Direct VM access for internal use
+            master-sno.A = [ "192.168.100.7" ];
+          };
+        };
+      };
+    };
   }
   // mkHomeMachineRecords;
 }
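Review bot: `master-sno.A` publishes the libvirt-internal address 192.168.100.7 into the home zone, but nothing in this commit gives clients on 192.168.1.0/24 a route to that network, so the name resolves to an address reachable only from aomi itself; if that is intended, the comment should say so, e.g. `# Only reachable from aomi or from inside the libvirt network`. `api-int.A` pointing at the host presumably also has to work for the VM itself, yet the DNAT rules in openshift-port-forward.nix match only `-i $HOME_IFACE`, so if the VM resolves lab.ocp4.home through this zone its own api-int traffic arrives on virbr1 and is not redirected — worth confirming the VM uses libvirt's resolver instead. The enclosing attrset starts and ends outside the hunk.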