From 4e24271f089075e80cb29695862a4fed6ff64f2e Mon Sep 17 00:00:00 2001
From: oddlama
Date: Thu, 7 Dec 2023 16:58:05 +0100
Subject: [PATCH] feat(microvms): remove localWireguard option
---
 modules/config/microvms.nix | 7 ---
 modules/default.nix | 1 -
 modules/meta/kanidm.nix | 4 +-
 modules/meta/microvms.nix | 85 ++++++--------------------------
 modules/meta/wireguard-proxy.nix | 2 +-
 nix/hosts.nix | 4 +-
 6 files changed, 20 insertions(+), 83 deletions(-)
 delete mode 100644 modules/config/microvms.nix
diff --git a/modules/config/microvms.nix b/modules/config/microvms.nix
deleted file mode 100644
index c71c5e5..0000000
--- a/modules/config/microvms.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- # If the host defines microvms, ensure that our modules and
- # boilerplate stuff is imported automatically.
- meta.microvms.commonImports = [
- ../.
- ];
-}
diff --git a/modules/default.nix b/modules/default.nix
index b2f31e7..eec41fd 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -16,7 +16,6 @@
 ./config/impermanence.nix
 ./config/inputrc.nix
 ./config/issue.nix
- ./config/microvms.nix
 ./config/net.nix
 ./config/nftables.nix
 ./config/nix.nix
diff --git a/modules/meta/kanidm.nix b/modules/meta/kanidm.nix
index b28f842..0174dbf 100644
--- a/modules/meta/kanidm.nix
+++ b/modules/meta/kanidm.nix
@@ -33,7 +33,7 @@
 mkIf
 mkMerge
 mkOption
- mkPackageOptionMD
+ mkPackageOption
 optional
 optionals
 subtractLists
@@ -272,7 +272,7 @@ in {
 enableServer = mkEnableOption (mdDoc "the Kanidm server");
 enablePam = mkEnableOption (mdDoc "the Kanidm PAM and NSS integration");
- package = mkPackageOptionMD pkgs "kanidm" {};
+ package = mkPackageOption pkgs "kanidm" {};
 provision = {
 enable = mkEnableOption "provisioning of systems (oauth2), groups and users";
diff --git a/modules/meta/microvms.nix b/modules/meta/microvms.nix
index 03c6df0..78b6f89 100644
--- a/modules/meta/microvms.nix
+++ b/modules/meta/microvms.nix
@@ -9,9 +9,7 @@
 }: let
 inherit
 (lib)
- any
 attrNames
- attrValues
 disko
 escapeShellArg
 makeBinPath
@@ -25,11 +23,9 @@
 mkOption
 net
 optional
- optionalAttrs
 types
 ;
- parentConfig = config;
 cfg = config.meta.microvms;
 nodeName = config.node.name;
 inherit (cfg) vms;
@@ -98,7 +94,7 @@
 };
 pkgs = inputs.self.pkgs.${vmCfg.system};
 inherit (vmCfg) autostart;
- config = {config, ...}: {
+ config = {
 imports = cfg.commonImports ++ vmCfg.modules;
 node.name = vmCfg.nodeName;
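Review bot: The `imports = cfg.commonImports ++ vmCfg.modules;` line kept under the new `config = {` no longer has anything feeding it: this commit deletes modules/config/microvms.nix, which set `meta.microvms.commonImports = [ ../. ]`, drops its entry from modules/default.nix, and sets that option nowhere else in the patch. Unless the option's declaration (outside this hunk) carries a non-empty default, guests stop importing the repository's modules automatically, a behaviour change the commit title (localWireguard removal) does not mention; either restore the default where the option is declared or record the new contract there, e.g. `# No default: hosts must list shared guest modules in commonImports explicitly.` Dropping the `{config, ...}:` wrapper also rebinds any `config.` reference that may remain in this attribute set from the guest's own config to the host's, which is only safe if none is left. The enclosing `microvmConfig` function starts and ends outside the hunk.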
@@ -165,50 +161,25 @@
 networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;
- systemd.network.networks =
- {
- "10-${vmCfg.networking.mainLinkName}" = {
- matchConfig.MACAddress = mac;
- DHCP = "yes";
- dhcpV4Config.UseDNS = false;
- dhcpV6Config.UseDNS = false;
- ipv6AcceptRAConfig.UseDNS = false;
- networkConfig = {
- IPv6PrivacyExtensions = "yes";
- MulticastDNS = true;
- IPv6AcceptRA = true;
- };
- linkConfig.RequiredForOnline = "routable";
- };
- }
- // optionalAttrs vmCfg.localWireguard {
- # Remove requirement for the wireguard interface to come online,
- # to allow microvms to be deployed more easily (otherwise they
- # would not come online if the private key wasn't rekeyed yet).
- # FIXME ideally this would be conditional at runtime if the
- # agenix activation had an error, but this is not trivial.
- ${parentConfig.meta.wireguard."${nodeName}-local-vms".unitConfName} = {
- linkConfig.RequiredForOnline = "no";
+ systemd.network.networks = {
+ "10-${vmCfg.networking.mainLinkName}" = {
+ matchConfig.MACAddress = mac;
+ DHCP = "yes";
+ dhcpV4Config.UseDNS = false;
+ dhcpV6Config.UseDNS = false;
+ ipv6AcceptRAConfig.UseDNS = false;
+ networkConfig = {
+ IPv6PrivacyExtensions = "yes";
+ MulticastDNS = true;
+ IPv6AcceptRA = true;
 };
+ linkConfig.RequiredForOnline = "routable";
 };
+ };
 networking.nftables.firewall = {
 zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];
 };
-
- meta.wireguard = mkIf vmCfg.localWireguard {
- "${nodeName}-local-vms" = {
- server = {
- host =
- if config.networking.domain == null
- then "${config.networking.hostName}.local"
- else config.networking.fqdn;
- inherit (cfg.networking.wireguard) port;
- openFirewallRules = ["untrusted-to-local"];
- };
- linkName = "local-vms";
- };
- };
 };
 };
 };
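Review bot: `MulticastDNS = true` is set on the guest's main link while the same link is assigned to the `untrusted` nftables zone a few lines further down, so the guest announces itself and answers name queries on an interface the firewall treats as hostile, and nothing in the hunk says this is intended. The code this commit removes resolved peers as `${config.networking.hostName}.local`, which suggests mDNS is how guests are reached by name; if that is still the reason now that the local wireguard link is gone, a comment on the `MulticastDNS` line such as `# Keep mDNS on: guests are reached as <hostname>.local from the host side` would stop the next reader from taking it for an oversight. Whether the untrusted zone's rules actually admit mDNS is decided by the firewall module, outside this hunk. The enclosing guest module (presumably inside `microvmConfig`) starts and ends outside the hunk.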
@@ -318,12 +289,6 @@ in {
 description = mdDoc "Whether this VM should be started automatically with the host";
 };
- localWireguard = mkOption {
- type = types.bool;
- default = false;
- description = mdDoc "Whether this VM should be connected to a local wireguard network with other VMs (that opt-in here) on the same host.";
- };
-
 system = mkOption {
 type = types.str;
 description = mdDoc "The system that this microvm should use";
@@ -339,25 +304,5 @@ in {
 };
 };
- config = mkIf (vms != {}) (
- {
- # Define a local wireguard server to communicate with vms securely
- meta.wireguard = mkIf (any (x: x.localWireguard) (attrValues vms)) {
- "${nodeName}-local-vms" = {
- server = {
- host =
- if config.networking.domain == null
- then "${config.networking.hostName}.local"
- else config.networking.fqdn;
- inherit (cfg.networking.wireguard) openFirewallRules port;
- reservedAddresses = [cfg.networking.wireguard.cidrv4 cfg.networking.wireguard.cidrv6];
- };
- linkName = "local-vms";
- ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
- ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
- };
- };
- }
- // mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
- );
+ config = mkIf (vms != {}) (mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms));
 }
diff --git a/modules/meta/wireguard-proxy.nix b/modules/meta/wireguard-proxy.nix
index b2bbc93..60a3a44 100644
--- a/modules/meta/wireguard-proxy.nix
+++ b/modules/meta/wireguard-proxy.nix
@@ -21,7 +21,7 @@ in {
 default = {};
 description = mdDoc ''
 Each entry here will setup a wireguard network that connects via the
- given node and adds appropriate firewall zones. There will a zone for
+ given node and adds appropriate firewall zones. There will be a zone for
 the interface and one for the proxy server specifically. A corresponding
 rule `''${name}-to-local` will be created to easily expose services to the proxy.
 '';
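Review bot: The new single-line `config` removes the only visible consumers of `cfg.networking.wireguard.cidrv4`, `.cidrv6`, `.port` and `.openFirewallRules`, but the hunk does not touch their declarations; if the `networking.wireguard` options are still declared in the options section above (the module's options block starts outside this hunk), hosts that still set them now get silent no-ops instead of an evaluation error. Delete the declarations in the same commit, or keep them behind a `mkRemovedOptionModule`-style notice so existing host configs are told. Likewise `net` and `nodeName` in the let block lose their only visible uses (`net.cidr.host` here, `"${nodeName}-local-vms"` here and in the guest module) yet stay bound, so it is worth checking whether anything else in the file still references them. The enclosing module attrset starts outside the hunk.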
diff --git a/nix/hosts.nix b/nix/hosts.nix
index b9b4124..13eb6d6 100644
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -49,8 +49,8 @@ inputs: let
 nixosConfigurationsMinimal = flip mapAttrs nixosHosts (mkHost {minimal = true;});
 # True NixOS nodes can define additional microvms (guest nodes) that are built
- # together with the true host. We collect all defined microvm nodes
- # from each node here to allow accessing any node via the unified attribute `nodes`.
+ # together with it. We collect all defined microvm nodes from each node here
+ # to allow accessing any node via the unified attribute `nodes`.
 microvmConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node: mapAttrs' (vm: def: nameValuePair def.nodeName node.config.microvm.vms.${vm}.config)