1.0.0 Release IaaS

data/vmm_init/grub.d/iommu.cfg

@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"

data/vmm_init/modprobe.d/vfio.conf

@@ -0,0 +1,3 @@
+options vfio-pci ids=8086:46d4,1b21:1064
+softdep i915 pre: vfio-pci
+softdep ahci pre: vfio-pci

data/vmm_init/network/00-vmm-eth0.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress=c8:ff:bf:05:aa:b0
+
+[Link]
+Name=eth0

data/vmm_init/network/01-vmm-eth1.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress=c8:ff:bf:05:aa:b1
+
+[Link]
+Name=eth1

data/vmm_init/network/10-vmm-br0.netdev

@@ -0,0 +1,3 @@
+[NetDev]
+Name=br0
+Kind=bridge

data/vmm_init/network/11-vmm-br1.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=br1
+Kind=bridge
+
+[Bridge]
+VLANFiltering=true
+DefaultPVID=1

data/vmm_init/network/12-vmm-vlan1.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=vlan1
+Kind=vlan
+
+[VLAN]
+Id=1

data/vmm_init/network/13-vmm-vlan10.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=vlan10
+Kind=vlan
+
+[VLAN]
+Id=10

data/vmm_init/network/14-vmm-vlan20.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=vlan20
+Kind=vlan
+
+[VLAN]
+Id=20

data/vmm_init/network/20-vmm-eth0.network

@@ -0,0 +1,6 @@
+[Match]
+Name=eth0
+
+[Network]
+Bridge=br0
+LinkLocalAddressing=false

data/vmm_init/network/21-vmm-eth1.network

@@ -0,0 +1,15 @@
+[Match]
+Name=eth1
+
+[Network]
+Bridge=br1
+LinkLocalAddressing=false
+
+[BridgeVLAN]
+VLAN=1
+PVID=true
+EgressUntagged=true
+
+[BridgeVLAN]
+VLAN=10
+VLAN=20

data/vmm_init/network/22-vmm-br0.network

@@ -0,0 +1,5 @@
+[Match]
+Name=br0
+
+[Network]
+LinkLocalAddressing=false

data/vmm_init/network/23-vmm-br1.network

@@ -0,0 +1,17 @@
+[Match]
+Name=br1
+
+[Network]
+VLAN=vlan1
+VLAN=vlan10
+VLAN=vlan20
+LinkLocalAddressing=false
+
+[BridgeVLAN]
+VLAN=1
+PVID=yes
+EgressUntagged=true
+
+[BridgeVLAN]
+VLAN=10
+VLAN=20

data/vmm_init/network/24-vmm-vlan1.network

@@ -0,0 +1,28 @@
+[Match]
+Name=vlan1
+
+[Network]
+# IPv4
+Address=192.168.1.10/24
+# IPv6
+Address=fd00:1::10/64
+
+[RoutingPolicyRule]
+From=192.168.1.10/32
+Table=1
+Priority=100
+
+[Route]
+Destination=192.168.1.0/24
+Scope=link
+Table=1
+
+[RoutingPolicyRule]
+From=fd00:1::10/128
+Table=61
+Priority=100
+
+[Route]
+Destination=fd00:1::/64
+Scope=link
+Table=61

data/vmm_init/network/25-vmm-vlan10.network

@@ -0,0 +1,32 @@
+[Match]
+Name=vlan10
+[Network]
+RequiredForOnline=false
+# IPv4
+Address=192.168.10.10/24
+Gateway=192.168.10.1
+DNS=192.168.10.2
+# IPv6
+Address=fd00:10::10/64
+Gateway=fd00:10::1
+DNS=fd00:10::2
+
+[RoutingPolicyRule]
+From=192.168.10.10/32
+Table=2
+Priority=100
+
+[Route]
+Destination=0.0.0.0/0
+Gateway=192.168.10.1
+Table=2
+
+[RoutingPolicyRule]
+From=fd00:10::10/128
+Table=62
+Priority=100
+
+[Route]
+Destination=::/0
+Gateway=fd00:10::1
+Table=62

data/vmm_init/nftables.conf

@@ -0,0 +1,25 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define HOSTS4_CONSOLE = { 192.168.1.20, 192.168.99.20 }
+define HOSTS6_CONSOLE = { fd00:1::20, fd00:99::20 }
+define PORTS_SSH = 22
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ct state invalid drop comment "deny invalid connection"
+        ct state established, related accept comment "allow all connection already existing"
+        iifname "lo" accept comment "allow local connection"
+        meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection: > VMM"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > VMM"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > VMM"
+    }
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+    }
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}

data/vmm_init/ssh/local_ssh_ca.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtBbAyORSd3qece5jHnEFrJPR7QxIzeIUsTEYoBLMKd LOCAL_SSH_CA

data/vmm_init/ssh/sshd_config.d/prohibit_root.conf

@@ -0,0 +1 @@
+PermitRootLogin no

data/vmm_init/ssh/sshd_config.d/ssh_ca.conf

@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/local_ssh_ca.pub

data/vmm_init/sysctl.d/bridge.conf

@@ -0,0 +1,3 @@
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0