
feat(microvms): remove localWireguard option

This commit is contained in:
oddlama 2023-12-07 16:58:05 +01:00
parent 9f6f3de5e3
commit 4e24271f08
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
6 changed files with 20 additions and 83 deletions


@ -1,7 +0,0 @@
{
# If the host defines microvms, ensure that our modules and
# boilerplate stuff is imported automatically.
meta.microvms.commonImports = [
../.
];
}


@ -16,7 +16,6 @@
./config/impermanence.nix ./config/impermanence.nix
./config/inputrc.nix ./config/inputrc.nix
./config/issue.nix ./config/issue.nix
./config/microvms.nix
./config/net.nix ./config/net.nix
./config/nftables.nix ./config/nftables.nix
./config/nix.nix ./config/nix.nix


@ -33,7 +33,7 @@
mkIf mkIf
mkMerge mkMerge
mkOption mkOption
mkPackageOptionMD mkPackageOption
optional optional
optionals optionals
subtractLists subtractLists
@ -272,7 +272,7 @@ in {
enableServer = mkEnableOption (mdDoc "the Kanidm server"); enableServer = mkEnableOption (mdDoc "the Kanidm server");
enablePam = mkEnableOption (mdDoc "the Kanidm PAM and NSS integration"); enablePam = mkEnableOption (mdDoc "the Kanidm PAM and NSS integration");
package = mkPackageOptionMD pkgs "kanidm" {}; package = mkPackageOption pkgs "kanidm" {};
provision = { provision = {
enable = mkEnableOption "provisioning of systems (oauth2), groups and users"; enable = mkEnableOption "provisioning of systems (oauth2), groups and users";


@ -9,9 +9,7 @@
}: let }: let
inherit inherit
(lib) (lib)
any
attrNames attrNames
attrValues
disko disko
escapeShellArg escapeShellArg
makeBinPath makeBinPath
@ -25,11 +23,9 @@
mkOption mkOption
net net
optional optional
optionalAttrs
types types
; ;
parentConfig = config;
cfg = config.meta.microvms; cfg = config.meta.microvms;
nodeName = config.node.name; nodeName = config.node.name;
inherit (cfg) vms; inherit (cfg) vms;
@ -98,7 +94,7 @@
}; };
pkgs = inputs.self.pkgs.${vmCfg.system}; pkgs = inputs.self.pkgs.${vmCfg.system};
inherit (vmCfg) autostart; inherit (vmCfg) autostart;
config = {config, ...}: { config = {
imports = cfg.commonImports ++ vmCfg.modules; imports = cfg.commonImports ++ vmCfg.modules;
node.name = vmCfg.nodeName; node.name = vmCfg.nodeName;
@ -165,50 +161,25 @@
networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac; networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;
systemd.network.networks = systemd.network.networks = {
{ "10-${vmCfg.networking.mainLinkName}" = {
"10-${vmCfg.networking.mainLinkName}" = { matchConfig.MACAddress = mac;
matchConfig.MACAddress = mac; DHCP = "yes";
DHCP = "yes"; dhcpV4Config.UseDNS = false;
dhcpV4Config.UseDNS = false; dhcpV6Config.UseDNS = false;
dhcpV6Config.UseDNS = false; ipv6AcceptRAConfig.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false; networkConfig = {
networkConfig = { IPv6PrivacyExtensions = "yes";
IPv6PrivacyExtensions = "yes"; MulticastDNS = true;
MulticastDNS = true; IPv6AcceptRA = true;
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
}
// optionalAttrs vmCfg.localWireguard {
# Remove requirement for the wireguard interface to come online,
# to allow microvms to be deployed more easily (otherwise they
# would not come online if the private key wasn't rekeyed yet).
# FIXME ideally this would be conditional at runtime if the
# agenix activation had an error, but this is not trivial.
${parentConfig.meta.wireguard."${nodeName}-local-vms".unitConfName} = {
linkConfig.RequiredForOnline = "no";
}; };
linkConfig.RequiredForOnline = "routable";
}; };
};
networking.nftables.firewall = { networking.nftables.firewall = {
zones.untrusted.interfaces = [vmCfg.networking.mainLinkName]; zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];
}; };
meta.wireguard = mkIf vmCfg.localWireguard {
"${nodeName}-local-vms" = {
server = {
host =
if config.networking.domain == null
then "${config.networking.hostName}.local"
else config.networking.fqdn;
inherit (cfg.networking.wireguard) port;
openFirewallRules = ["untrusted-to-local"];
};
linkName = "local-vms";
};
};
}; };
}; };
}; };
@ -318,12 +289,6 @@ in {
description = mdDoc "Whether this VM should be started automatically with the host"; description = mdDoc "Whether this VM should be started automatically with the host";
}; };
localWireguard = mkOption {
type = types.bool;
default = false;
description = mdDoc "Whether this VM should be connected to a local wireguard network with other VMs (that opt-in here) on the same host.";
};
system = mkOption { system = mkOption {
type = types.str; type = types.str;
description = mdDoc "The system that this microvm should use"; description = mdDoc "The system that this microvm should use";
@ -339,25 +304,5 @@ in {
}; };
}; };
config = mkIf (vms != {}) ( config = mkIf (vms != {}) (mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms));
{
# Define a local wireguard server to communicate with vms securely
meta.wireguard = mkIf (any (x: x.localWireguard) (attrValues vms)) {
"${nodeName}-local-vms" = {
server = {
host =
if config.networking.domain == null
then "${config.networking.hostName}.local"
else config.networking.fqdn;
inherit (cfg.networking.wireguard) openFirewallRules port;
reservedAddresses = [cfg.networking.wireguard.cidrv4 cfg.networking.wireguard.cidrv6];
};
linkName = "local-vms";
ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
};
};
}
// mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
);
} }
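Review bot: The per-VM `localWireguard` option is removed in the `@ -318,12 +289,6` hunk, but the host-level settings that the deleted server block consumed — `cfg.networking.wireguard.port`, `.cidrv4`, `.cidrv6` and `.openFirewallRules` (read at the removed lines of the `@ -339,25 +304,5` hunk) — are not touched anywhere in this diff; unless they still have a consumer outside the shown hunks, they are now dead options that look like they configure a network which no longer exists. Consider dropping `meta.microvms.networking.wireguard` in the same commit, or adding a comment on its definition naming what still reads it, so a later maintainer does not assume VM traffic is still tunnelled. The VM's main link remains in the untrusted zone (`zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];` is unchanged context in the `@ -165,50 +161,25` hunk), so host-side firewalling of guests is not weakened by the removal, but host↔VM traffic that previously used the local wireguard link now travels only over that plain link — worth stating in the commit message since that was the property the removed feature provided. Note that any host still setting `localWireguard = true` will fail evaluation with an undefined-option error rather than a deprecation message; the `microvmConfig` function containing the `@ -165` hunk begins outside it, so I could not check whether other references remain there.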


@ -21,7 +21,7 @@ in {
default = {}; default = {};
description = mdDoc '' description = mdDoc ''
Each entry here will setup a wireguard network that connects via the Each entry here will setup a wireguard network that connects via the
given node and adds appropriate firewall zones. There will a zone for given node and adds appropriate firewall zones. There will be a zone for
the interface and one for the proxy server specifically. A corresponding the interface and one for the proxy server specifically. A corresponding
rule `''${name}-to-local` will be created to easily expose services to the proxy. rule `''${name}-to-local` will be created to easily expose services to the proxy.
''; '';


@ -49,8 +49,8 @@ inputs: let
nixosConfigurationsMinimal = flip mapAttrs nixosHosts (mkHost {minimal = true;}); nixosConfigurationsMinimal = flip mapAttrs nixosHosts (mkHost {minimal = true;});
# True NixOS nodes can define additional microvms (guest nodes) that are built # True NixOS nodes can define additional microvms (guest nodes) that are built
# together with the true host. We collect all defined microvm nodes # together with it. We collect all defined microvm nodes from each node here
# from each node here to allow accessing any node via the unified attribute `nodes`. # to allow accessing any node via the unified attribute `nodes`.
microvmConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node: microvmConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node:
mapAttrs' mapAttrs'
(vm: def: nameValuePair def.nodeName node.config.microvm.vms.${vm}.config) (vm: def: nameValuePair def.nodeName node.config.microvm.vms.${vm}.config)