harmony/examples/opnsense_pair_integration
Jean-Gabriel Gill-Couture 65ef540b97
feat: scaffold IoT walking skeleton — podman module, operator, and agent
- Add PodmanV0Score/IotScore (adjacent-tagged serde) and PodmanV0Interpret stub
- Gate virt behind kvm feature and podman-api behind podman feature
- Scaffold iot-operator-v0 (kube-rs operator stub) and iot-agent-v0 (NATS KV watch)
- Add PodmanV0 to InterpretName enum
- Fix aarch64 cross-compilation by making kvm/podman optional features
- Align async-nats across workspace, add workspace deps for tracing/toml/tracing-subscriber
- Remove unused deps (serde_yaml from agent, schemars from operator)
- Add Send+Sync to CredentialSource, fix &PathBuf → &Path, remove dead_code allow
- Update 5 KVM example Cargo.tomls with explicit features = ["kvm"]
2026-04-17 20:15:10 -04:00

OPNsense Firewall Pair Integration Example

Boots two OPNsense VMs, bootstraps both with automated SSH/API setup, then configures a CARP HA firewall pair using FirewallPairTopology and CarpVipScore. Fully automated, CI-friendly.

Quick start

# Prerequisites (same as single-VM example)
./examples/opnsense_vm_integration/setup-libvirt.sh

# Boot + bootstrap + pair test (fully unattended)
cargo run -p opnsense-pair-integration -- --full

What it does

  1. Creates a shared LAN network + 2 OPNsense VMs (2 NICs each: LAN + WAN)
  2. Bootstraps both VMs sequentially using NIC link control to avoid IP conflicts:
    • Disables backup's LAN NIC
    • Bootstraps primary on .1 (login, SSH, webgui port 9443)
    • Changes primary's LAN IP from .1 to .2
    • Swaps NICs (disable primary, enable backup)
    • Bootstraps backup on .1
    • Changes backup's LAN IP from .1 to .3
    • Re-enables all NICs
  3. Applies pair scores via FirewallPairTopology:
    • CarpVipScore — CARP VIP at .1 (primary advskew=0, backup advskew=100)
    • VlanScore — VLAN 100 on both
    • FirewallRuleScore — ICMP allow on both
  4. Verifies CARP VIPs and VLANs via REST API on both firewalls

Network topology

Host (192.168.1.10)
 |
 +--- virbr-pair (192.168.1.0/24, NAT)
 |         |              |
 |    fw-primary       fw-backup
 |    vtnet0=.2        vtnet0=.3
 |    (CARP VIP: .1)
 |
 +--- virbr0 (default, DHCP)
           |              |
      fw-primary       fw-backup
      vtnet1=dhcp      vtnet1=dhcp (WAN)

Both VMs boot with OPNsense's default LAN IP of 192.168.1.1. The NIC juggling sequence ensures only one VM has its LAN NIC active at a time during bootstrap, avoiding address conflicts.
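The address-conflict argument above is easy to get wrong when the sequence is edited, so here is an added example (not code from the harmony project) that models the step-2 sequence as a small state machine and flags every moment at which a bootstrap would target 192.168.1.1 while two link-up LAN NICs own it. The `Lan`, `Vm`, `bootstrap_pair` and `naive_pair` names are assumptions of this example; `set_link` stands in for the libvirt NIC link control the README refers to, and nothing here talks to libvirt or to a VM.

```rust
// Added example (not the project's code): a model of the README's NIC
// link-control bootstrap sequence. It talks to no libvirt; it records the
// invariant the sequence relies on: while a VM is being bootstrapped on
// 192.168.1.1, no other link-up LAN NIC may hold the same address.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Vm {
    Primary,
    Backup,
}

#[derive(Debug, Clone)]
struct LanNic {
    link_up: bool,
    ip: u8, // last octet of 192.168.1.x
}

#[derive(Debug)]
pub struct Lan {
    nics: BTreeMap<Vm, LanNic>,
    pub log: Vec<String>,
    pub conflicts: Vec<String>,
}

impl Lan {
    /// Both VMs boot with OPNsense's default LAN address .1 and links up.
    pub fn new() -> Self {
        let mut nics = BTreeMap::new();
        nics.insert(Vm::Primary, LanNic { link_up: true, ip: 1 });
        nics.insert(Vm::Backup, LanNic { link_up: true, ip: 1 });
        Lan { nics, log: Vec::new(), conflicts: Vec::new() }
    }

    pub fn ip_of(&self, vm: Vm) -> u8 { self.nics[&vm].ip }
    pub fn link_up(&self, vm: Vm) -> bool { self.nics[&vm].link_up }

    /// Other link-up NICs that currently answer for `ip`.
    fn others_on(&self, vm: Vm, ip: u8) -> Vec<Vm> {
        self.nics
            .iter()
            .filter(|(v, n)| **v != vm && n.link_up && n.ip == ip)
            .map(|(v, _)| *v)
            .collect()
    }

    /// Stand-in for the libvirt link control applied to the LAN NIC.
    pub fn set_link(&mut self, vm: Vm, up: bool) {
        self.nics.get_mut(&vm).unwrap().link_up = up;
        self.log.push(format!("{vm:?}: LAN link {}", if up { "up" } else { "down" }));
        self.check_unique(vm);
    }

    /// Change the LAN address of an already-bootstrapped VM.
    pub fn set_ip(&mut self, vm: Vm, ip: u8) {
        self.nics.get_mut(&vm).unwrap().ip = ip;
        self.log.push(format!("{vm:?}: LAN IP -> .{ip}"));
        self.check_unique(vm);
    }

    /// Login + SSH + web GUI setup over the VM's current LAN address. This is
    /// only deterministic when exactly one link-up NIC owns that address.
    pub fn bootstrap(&mut self, vm: Vm) {
        let ip = self.ip_of(vm);
        self.log.push(format!("{vm:?}: bootstrap over .{ip}"));
        if !self.link_up(vm) {
            self.conflicts.push(format!("{vm:?} unreachable: LAN link down"));
        }
        self.check_unique(vm);
    }

    fn check_unique(&mut self, vm: Vm) {
        if !self.link_up(vm) {
            return;
        }
        let ip = self.ip_of(vm);
        for other in self.others_on(vm, ip) {
            self.conflicts.push(format!(".{ip} claimed by both {vm:?} and {other:?}"));
        }
    }
}

/// The README's sequence: only one LAN NIC is live at a time until both
/// VMs sit on distinct addresses.
pub fn bootstrap_pair(lan: &mut Lan) {
    lan.set_link(Vm::Backup, false);
    lan.bootstrap(Vm::Primary); // on .1
    lan.set_ip(Vm::Primary, 2);
    lan.set_link(Vm::Primary, false);
    lan.set_link(Vm::Backup, true);
    lan.bootstrap(Vm::Backup); // on .1
    lan.set_ip(Vm::Backup, 3);
    lan.set_link(Vm::Primary, true);
}

/// Same work without link control: the first bootstrap targets .1 while
/// both VMs answer for it, so the session may land on either VM.
pub fn naive_pair(lan: &mut Lan) {
    lan.bootstrap(Vm::Primary);
    lan.set_ip(Vm::Primary, 2);
    lan.bootstrap(Vm::Backup);
    lan.set_ip(Vm::Backup, 3);
}

fn main() {
    let seqs = [
        ("link-controlled", bootstrap_pair as fn(&mut Lan)),
        ("naive", naive_pair as fn(&mut Lan)),
    ];
    for (name, seq) in seqs {
        let mut lan = Lan::new();
        seq(&mut lan);
        println!("{name}: conflicts = {:?}", lan.conflicts);
    }
}
```

Running it shows the link-controlled sequence finishing with primary on .2, backup on .3, both links up and no conflicts, while the naive sequence records one conflict at the first bootstrap. The same check is a cheap guard to keep next to the real sequence: any reordering of the link or address steps that lets two live NICs share .1 shows up as a recorded conflict rather than as a flaky SSH session in CI.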

Requirements

Same as the single-VM example: Linux with KVM, libvirt, ~20 GB disk space, ~20 minutes first run.

Commands

Command     Description
--check     Verify prerequisites
--boot      Boot + bootstrap both VMs
(default)   Run pair integration test
--full      Boot + bootstrap + test (CI mode)
--status    Show both VMs' status
--clean     Destroy both VMs and networks