83 lines
2.9 KiB
Plaintext
83 lines
2.9 KiB
Plaintext
# See also:
|
|
# <https://github.com/Jip-Hop/jailmaker/tree/main/templates/router>
|
|
#
|
|
startup=0
|
|
gpu_passthrough_intel=0
|
|
gpu_passthrough_nvidia=0
|
|
# Turning off seccomp filtering improves performance at the expense of security
|
|
seccomp=1
|
|
|
|
# Use bridge networking to provide an isolated network namespace
|
|
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
|
|
# Ensure to change br0 to the HOST interface name you want to use
|
|
# and br1 to the SECONDARY interface name you want to prepare
|
|
# Substitute your own dnsmasq.d and TFTP dataset bindings
|
|
systemd_nspawn_user_args=--network-bridge=br0
|
|
--network-veth-extra=ve-router-1:vee-1
|
|
--resolv-conf=bind-host
|
|
--system-call-filter='add_key keyctl bpf'
|
|
--bind=/mnt/pool/subnet/dnsmasq.d:/etc/dnsmasq.d
|
|
--bind-ro=/mnt/pool/subnet/tftpboot:/tftp
|
|
|
|
# Script to run on the HOST before starting the jail
|
|
# Load kernel module and config kernel settings required for podman
|
|
pre_start_hook=#!/usr/bin/bash
|
|
set -euo pipefail
|
|
echo 'PRE_START_HOOK'
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
modprobe br_netfilter
|
|
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
|
|
echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
|
|
modprobe iptable_nat
|
|
modprobe iptable_filter
|
|
|
|
# Script to run on the HOST after starting the jail
|
|
# For example to attach to multiple bridge interfaces
|
|
post_start_hook=#!/usr/bin/bash
|
|
set -euo pipefail
|
|
echo 'POST_START_HOOK'
|
|
ip link set dev ve-router-1 master br1
|
|
ip link set dev ve-router-1 up
|
|
#ip link set dev eth2 master br1
|
|
|
|
# Only used while creating the jail
|
|
distro=debian
|
|
release=bookworm
|
|
|
|
# Install and configure within the jail
|
|
initial_setup=#!/usr/bin/bash
|
|
set -euo pipefail
|
|
|
|
# Catch up on updates
|
|
apt-get update && apt-get full-upgrade -y
|
|
|
|
# Configure worker LAN interface with static IP
|
|
sh -c 'cat <<EOF > /etc/systemd/network/80-container-vee-1.network
|
|
[Match]
|
|
Virtualization=container
|
|
Name=vee-1
|
|
|
|
[Network]
|
|
DHCP=false
|
|
Address=10.3.14.202/24
|
|
EOF'
|
|
systemctl restart systemd-networkd.service
|
|
|
|
# Configure routing from LAN clients
|
|
apt-get install nftables -y
|
|
nft add table nat
|
|
nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
|
|
nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
|
|
nft add rule nat postrouting masquerade
|
|
mkdir -p /etc/nftables.d
|
|
nft list table nat >/etc/nftables.d/nat.conf
|
|
( echo ; echo 'include "/etc/nftables.d/*.conf"' ) >>/etc/nftables.conf
|
|
|
|
# Install dnsmasq alongside local resolver
|
|
sed -i -e 's/^#DNSStubListener=yes$/DNSStubListener=no/' /etc/systemd/resolved.conf
|
|
systemctl restart systemd-resolved.service
|
|
apt-get install dnsmasq -y
|
|
sed -i -e 's/^#DNS=$/DNS=127.0.0.1/' /etc/systemd/resolved.conf
|
|
systemctl restart systemd-resolved.service
|
|
systemctl restart dnsmasq.service
|