#!/bin/bash
# Sandbox host initialization.
# Idempotent: safe to run multiple times.
#
# Prereqs (must already be on VPS):
# - Incus >= 6.0
# - btrfs-progs
# - netfilter-persistent + iptables-persistent
#
# Creates:
# - btrfs storage pool: lobe-sandbox-pool (200GiB file-backed)
# - Incus project: lobe-sandbox (shares networks from default)
# - Incus profile: sandbox-default (2GB RAM / 2 CPU / 10GiB disk)
# - iptables rules: ACCEPT DHCP/DNS/FORWARD on incusbr0
#   (workaround for UFW dropping incusbr0 broadcast)

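set -euo pipefail

# Names of the Incus objects this script converges on; every step below
# skips creation when the object already exists. They are constants, so
# mark them readonly to catch an accidental reassignment later on.
readonly POOL="lobe-sandbox-pool"
readonly POOL_SIZE="200GiB"
readonly PROJECT="lobe-sandbox"
readonly PROFILE="sandbox-default"
readonly NETWORK="incusbr0"
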
# Progress banner: prints all arguments joined by a space, prefixed with
# "==> ", followed by a newline, on stdout.
log() { printf '==> %s\n' "$*"; }

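log "1/4 btrfs storage pool"
# Existence check: the first CSV column of `incus storage list` is the pool
# name. -F matches $POOL as a literal string instead of a regex, and -x
# requires a whole-line match, so only an exact name hit counts.
if ! incus storage list --format csv | cut -d, -f1 | grep -qxF -- "$POOL"; then
  # File-backed btrfs pool capped at POOL_SIZE (see header).
  incus storage create "$POOL" btrfs size="$POOL_SIZE"
else
  echo " (exists)"
fi
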
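log "2/4 Incus project"
# Existence check on the NAME column; -F/-x give an exact, literal match so
# the project name is never interpreted as a regex.
if ! incus project list --format csv | cut -d, -f1 | grep -qxF -- "$PROJECT"; then
  # features.networks=false: the project has no networks of its own and
  # uses the default project's (the incusbr0 bridge configured below).
  incus project create "$PROJECT" -c features.networks=false
else
  echo " (exists)"
fi
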
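log "3/4 Sandbox profile"
# Profiles are scoped to the project, hence --project on the list. -F/-x
# give an exact, literal name match rather than a regex/substring one.
if ! incus profile list --project "$PROJECT" --format csv | cut -d, -f1 | grep -qxF -- "$PROFILE"; then
  # NOTE: create-then-configure is not atomic. If any command after the
  # create fails, the script aborts (set -e) and a re-run reports
  # "(exists)" without applying the settings below.
  incus profile create "$PROFILE" --project "$PROJECT"
  # Resource caps plus the two hardening keys: the container stays
  # unprivileged and may not run nested containers.
  incus profile set "$PROFILE" --project "$PROJECT" \
    limits.memory=2GiB \
    limits.cpu=2 \
    security.nesting=false \
    security.privileged=false
  # Root disk is carved from the pool created in step 1; eth0 attaches to
  # the bridge that the iptables rules in step 4 open up.
  incus profile device add "$PROFILE" root disk path=/ pool="$POOL" size=10GiB --project "$PROJECT"
  incus profile device add "$PROFILE" eth0 nic network="$NETWORK" --project "$PROJECT"
else
  # An existing profile is left untouched: edits to the limits above only
  # take effect on hosts where the profile is created fresh.
  echo " (exists)"
fi
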
# Step 4 opens the host firewall for the bridge; the rules themselves are
# added via add_rule below and then persisted.
log "4/4 iptables rules for incusbr0 (UFW drops incus DHCP/DNS by default)"

#######################################
# Insert an iptables rule unless an identical one already exists.
# Arguments: $1 - chain (e.g. INPUT, FORWARD); $2... - rule arguments
# Outputs:   nothing on stdout; iptables diagnostics from -I on stderr
# Returns:   0 if the rule exists or was inserted; otherwise the status
#            of `iptables -I`
#######################################
add_rule() {
  local target_chain=$1
  shift
  # `iptables -C` probes for an identical rule; its stderr is silenced
  # because it complains when the rule is absent, which is the normal
  # case on a first run.
  iptables -C "$target_chain" "$@" 2>/dev/null && return 0
  # -I with no position puts the rule at the head of the chain, i.e. it is
  # evaluated before any rules already present there.
  iptables -I "$target_chain" "$@"
}

# Host-side INPUT acceptance for the bridge: containers need DHCP (udp/67)
# and DNS (udp+tcp/53) answered on incusbr0, which UFW otherwise drops
# (see header). Each add_rule uses -I, so the rules land at the head of the
# chain in the reverse of the order written here.
add_rule INPUT -i "$NETWORK" -p udp --dport 67 -j ACCEPT -m comment --comment "incus-dhcp"
add_rule INPUT -i "$NETWORK" -p udp --dport 53 -j ACCEPT -m comment --comment "incus-dns"
add_rule INPUT -i "$NETWORK" -p tcp --dport 53 -j ACCEPT -m comment --comment "incus-dns-tcp"
# Forwarding is accepted unconditionally in both directions for the bridge.
# Nothing here restricts where sandbox traffic may be forwarded to; if an
# egress policy for sandboxes is required, it has to be applied separately.
add_rule FORWARD -i "$NETWORK" -j ACCEPT -m comment --comment "incus-fwd-in"
add_rule FORWARD -o "$NETWORK" -j ACCEPT -m comment --comment "incus-fwd-out"
# Persist the live ruleset so it survives a reboot. Only stdout is silenced;
# a failure still surfaces on stderr and aborts the script under set -e.
netfilter-persistent save >/dev/null

log "DONE"