chore: remove microvm local wireguard if not needed

2025-10-11 07:10:39 +02:00 · 2023-06-21 01:35:41 +02:00 · 2023-06-21 01:35:41 +02:00 · 19acca7cba
commit 19acca7cba
parent 06d5d26dde
33 changed files with 56 additions and 188 deletions
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@ -12,7 +12,9 @@
 }: let
  inherit
    (lib)
+    any
    attrNames
+    attrValues
    concatStringsSep
    escapeShellArg
    filterAttrs
@ -173,7 +175,9 @@
          # would not come online if the private key wasn't rekeyed yet).
          # FIXME ideally this would be conditional at runtime if the
          # agenix activation had an error, but this is not trivial.
-          ${wgConfig}.linkConfig.RequiredForOnline = "no";
+          ${wgConfig} = mkIf vmCfg.localWireguard {
+            linkConfig.RequiredForOnline = "no";
+          };

          "10-${vmCfg.networking.mainLinkName}" = {
            matchConfig.MACAddress = mac;
@ -194,16 +198,18 @@
          };
        };

-        extra.wireguard."${nodeName}-local-vms" = {
-          server = {
-            host =
-              if config.networking.domain == null
-              then "${config.networking.hostName}.local"
-              else config.networking.fqdn;
-            inherit (cfg.networking.wireguard) port;
-            openFirewallRules = ["untrusted-to-local"];
+        extra.wireguard = mkIf vmCfg.localWireguard {
+          "${nodeName}-local-vms" = {
+            server = {
+              host =
+                if config.networking.domain == null
+                then "${config.networking.hostName}.local"
+                else config.networking.fqdn;
+              inherit (cfg.networking.wireguard) port;
+              openFirewallRules = ["untrusted-to-local"];
+            };
+            linkName = "local-vms";
          };
-          linkName = "local-vms";
        };
      };
    };
@ -338,6 +344,12 @@ in {
            description = mdDoc "Whether this VM should be started automatically with the host";
          };

+          localWireguard = mkOption {
+            type = types.bool;
+            default = false;
+            description = mdDoc "Whether this VM should be connected to a local wireguard network with other VMs (that opt-in here) on the same host.";
+          };
+
          system = mkOption {
            type = types.str;
            description = mdDoc "The system that this microvm should use";
@ -350,18 +362,20 @@ in {
  config = mkIf (vms != {}) (
    {
      # Define a local wireguard server to communicate with vms securely
-      extra.wireguard."${nodeName}-local-vms" = {
-        server = {
-          host =
-            if config.networking.domain == null
-            then "${config.networking.hostName}.local"
-            else config.networking.fqdn;
-          inherit (cfg.networking.wireguard) openFirewallRules port;
-          reservedAddresses = [cfg.networking.wireguard.cidrv4 cfg.networking.wireguard.cidrv6];
+      extra.wireguard = mkIf (any (x: x.localWireguard) (attrValues vms)) {
+        "${nodeName}-local-vms" = {
+          server = {
+            host =
+              if config.networking.domain == null
+              then "${config.networking.hostName}.local"
+              else config.networking.fqdn;
+            inherit (cfg.networking.wireguard) openFirewallRules port;
+            reservedAddresses = [cfg.networking.wireguard.cidrv4 cfg.networking.wireguard.cidrv6];
+          };
+          linkName = "local-vms";
+          ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
+          ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
        };
-        linkName = "local-vms";
-        ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
-        ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
      };
    }
    // extraLib.mergeToplevelConfigs ["nodes" "disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)