From 24655ece76ad134c6ca586628e1ce157a179b43b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Wed, 10 May 2023 02:07:09 +0200
Subject: [PATCH] feat: add macvtap networking to microvms
---
README.md | 1 + hosts/common/core/system.nix | 19 +++++++--- hosts/ward/default.nix | 12 ++++++- hosts/ward/net.nix | 36 +++++++++++++++++-- hosts/ward/secrets/secrets.nix.age | Bin 658 -> 662 bytes modules/microvms.nix | 54 ++++++++++++++++++----------- nix/lib.nix | 2 +- 7 files changed, 95 insertions(+), 29 deletions(-)
diff --git a/README.md b/README.md
index b310dd1..b212e30 100644
--- a/README.md
+++ b/README.md
@@ -67,6 +67,7 @@ This is my personal nix config. - (Optional) ssh into the target (keys are already set up) - Run `install-system` and reboot - Retrieve the new host identity by using `ssh-keyscan | grep -o 'ed25519.*' > host//secrets/host.pub` +- (If the host has microvms, also retrieve their identities!) - Rekey the secrets for the new identity `nix run .#rekey` - Deploy again remotely via colmena
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index ade2851..0a092fb 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix 
@@ -12,10 +12,21 @@ libWithNet = (import "${inputs.lib-net}/net.nix" {inherit lib;}).lib; in lib.recursiveUpdate libWithNet { - net.cidr = rec { - hostCidr = n: x: "${libWithNet.net.cidr.host n x}/${libWithNet.net.cidr.length x}"; - ip = x: lib.head (lib.splitString "/" x); - canonicalize = x: libWithNet.net.cidr.make (libWithNet.net.cidr.length x) (ip x); + net = { + cidr = rec { + hostCidr = n: x: "${libWithNet.net.cidr.host n x}/${libWithNet.net.cidr.length x}"; + ip = x: lib.head (lib.splitString "/" x); + canonicalize = x: libWithNet.net.cidr.make (libWithNet.net.cidr.length x) (ip x); + }; + mac = { + # Adds offset to the given base address and ensures the result is in + # a locally administered range by replacing the second nibble with a 2. + addPrivate = base: offset: let + added = libWithNet.net.mac.add base offset; + pre = lib.substring 0 1 added; + suf = lib.substring 2 (-1) added; + in "${pre}2${suf}"; + }; }; };
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 7c5c2f5..7b4313b 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -3,6 +3,7 @@ inputs, lib, nixos-hardware, + nodeSecrets, pkgs, ... }: {
@@ -25,7 +26,16 @@ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"]; - extra.microvms.test.system = "x86_64-linux"; + extra.microvms = let + macOffset = config.lib.net.mac.addPrivate nodeSecrets.networking.interfaces."wan-nic".mac; + in { + test = { + autostart = true; + mac = macOffset "00:00:00:00:00:01"; + macvtap = "wan"; + system = "x86_64-linux"; + }; + }; #services.authelia.instances.main = { # enable = true;
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 3249c36..e71b5eb 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix 
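Review bot: Overwriting the second hex digit with `2` in `addPrivate` replaces the whole low nibble of the first octet, which sets the locally-administered bit as the comment says but also clears the multicast bit and bits 2–3, so base addresses differing only in that nibble (`x2`, `x6`, `xa`, `xe`) yield the same result and can collide; the substring arithmetic also assumes `libWithNet.net.mac.add` returns two hex digits per octet, which is not visible here. The comment should state the collapse and its consequence, e.g. `# Overwrites the low nibble of the first octet (LA bit set, multicast bit cleared), so bases differing only there collide; callers must keep offsets unique per host.` The surrounding `lib.recursiveUpdate libWithNet { … }` expression and its `let` begin before the hunk.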
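Review bot: `macOffset` holds a partially applied `addPrivate`, i.e. a function from offset to MAC, so the name misleads; `vmMac = config.lib.net.mac.addPrivate nodeSecrets.networking.interfaces."wan-nic".mac;` together with `mac = vmMac "00:00:00:00:00:01";` reads as what it is. The offset is hand-picked per VM and nothing in this hunk checks that two VMs on the host are not given the same one (modules/microvms.nix may, but it is outside this view); a comment such as `# offset must be unique per microvm on this host` next to the binding makes the invariant explicit. The enclosing module attribute set begins before the hunk.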
@@ -13,7 +13,30 @@ in { boot.initrd.systemd.network = { enable = true; - networks = {inherit (config.systemd.network.networks) "10-wan";}; + networks."10-wan" = { + DHCP = "yes"; + #address = [ + # "192.168.178.2/24" + # "fd00::1/64" + #]; + #gateway = [ + #]; + matchConfig.MACAddress = nodeSecrets.networking.interfaces."wan-nic".mac; + networkConfig.IPv6PrivacyExtensions = "kernel"; + dhcpV4Config.RouteMetric = 20; + dhcpV6Config.RouteMetric = 20; + }; + }; + + systemd.network.netdevs."10-wan" = { + netdevConfig = { + Name = "wan"; + Kind = "macvtap"; + }; + extraConfig = '' + [MACVTAP] + Mode=bridge + ''; }; systemd.network.networks = {
@@ -27,7 +50,14 @@ in { dhcpV4Config.RouteMetric = 10; dhcpV6Config.RouteMetric = 10; }; - "10-wan" = { + "10-wan-nic" = { + matchConfig.MACAddress = nodeSecrets.networking.interfaces."wan-nic".mac; + extraConfig = '' + [Network] + MACVTAP=wan + ''; + }; + "11-wan" = { DHCP = "yes"; #address = [ # "192.168.178.2/24"
@@ -35,7 +65,7 @@ in { #]; #gateway = [ #]; - matchConfig.MACAddress = nodeSecrets.networking.interfaces.wan.mac; + matchConfig.Name = "wan"; networkConfig.IPv6PrivacyExtensions = "kernel"; dhcpV4Config.RouteMetric = 20; dhcpV6Config.RouteMetric = 20; 
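Review bot: The initrd `10-wan` network still runs DHCP on the physical NIC (matched by the `wan-nic` MAC), while after switch-root the host's DHCP client moves to the `wan` macvtap, whose MAC is not set in `netdevConfig`; so the DHCP server sees two client identities per boot, and the booted one depends on how systemd-networkd assigns an address to a macvtap without `MACAddress=`, which I cannot confirm from here. Pinning it with `netdevConfig.MACAddress = "<locally administered MAC for the host side>";` (derivable from the same base via `config.lib.net.mac.addPrivate` if its offset arithmetic accepts a zero offset) keeps the host's lease and any DHCP reservation stable across initrd and the booted system. The new stanza also duplicates `11-wan` from the next hunk (DHCP, `RouteMetric = 20`, privacy extensions, the commented-out static addresses) where the old code used `inherit`; a shared `let` binding with only `matchConfig` differing per context would stop the two from drifting. The enclosing `in {` attribute set extends beyond the hunk.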
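Review bot: `10-wan-nic` binds the physical NIC as the macvtap parent but leaves systemd-networkd's other defaults in place, so as far as I can tell the NIC itself still receives an IPv6 link-local address and may accept router advertisements in parallel with the `wan` macvtap; adding `networkConfig = { LinkLocalAddressing = "no"; IPv6AcceptRA = "no"; };` keeps the carrier interface address-less so the host is reachable only through `wan`. `MACVTAP=` is an ordinary `[Network]` key, so `networkConfig.MACVTAP = "wan";` could replace the `extraConfig` block if the NixOS option's key check accepts it (not verified here). The `systemd.network.networks` set continues past the hunk.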
diff --git a/hosts/ward/secrets/secrets.nix.age b/hosts/ward/secrets/secrets.nix.age index b2649156669be49cbff5f51ac1d6e226dc350e24..a32f4416bb560c4369aa98448d04e026781a9345 100644 GIT binary patch delta 641 zcmV-{0)G9H1(pSnAb)6WNlQ~WWinKGV{bH2d3I=FbYXgTOlx{|H*!}~NmoQ#L^pF` zMQvkLK?-Oyb9ioPGB7haIAnHdYguM%V{lYMSSwFfXGSwMRBmrtb!u5gY&A4)X9_Jo zAaH4REpRe5HXwL$Q)M_&AVF|!YcY0cLo`-tPkCWYT5B*$T7OzNYdA4UZftFKZ&h%0 zQ+Q!`W;b?6Q*a7+R&_IZMpG~~Xh$n@b4)c@OhI^7LrqFUGA~3+HA6OcayUU#S5h`{ zRWu4MJ|HwzPC_?oHZ5mzWnpt=Abn9OOnyfoU}PzLY*a}gTp@i5QhH=HO*1kza93eQ zQ!8*&WL7gvbbmK*FhgTmNJUs}I72uxFlB5xG)8iFQF2H_F;`1OOhRN>RY_|~SW0MN zFA6toa%*@`by#dwK~yVxbZRSaHD@--LqkwDM@4aR zXh%0rXk=kbadtE>F-m4}ZZTn4Qbc-0HAFLaZcOsIU zlyGCVhv4)0L(lCH2J(p}l*1qv1$1FN_SIcel<1(Y<(JD(C1Mx#pO=<~M2pIv8iEy+ znC{DUd>rbmb~vQQfyw~^se2@D3RxmXl~!^T5*JD+WBih)cGw@!f#9t4q}XmX b2{)--;IeY7m6i-d>sK~CZ->d;spflg)n)&> delta 637 zcmV-@0)qXP1(F4jAb&DLb~rO}LUcztMRP??Yi=@cc1ur6H(Ehvcu6^DHaBQcOl)j) zFlu^3MG9$TF)&jyT5D@?Z%b2Sb#ggwVRbT1H8e~#G)hS}Sx{McNlkf1a4%*~FbXX` zAaH4REpRe5HXwL$Q)M_&AVF+LST|T|PS1U$zD|&58Nl`{G-Xh9OEp?lQgTI2ST=5H zFK7yBD{4wMIZYHbz(MYXIDd2W^7S(Q!h$FYB5YzLNp33EiE8XYEE)?ICFYy zH8*c&adU1;VPiy1Z(>evFh*rdMS6E_c{f^YH&iw