feat: refactor and integrate wireguard module into microvm module

2025-10-11 07:10:39 +02:00 · 2023-05-19 21:10:16 +02:00 · 2023-05-19 21:10:16 +02:00 · 78cdcd3c69
commit 78cdcd3c69
parent e5f3ffd288
10 changed files with 385 additions and 256 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -3,7 +3,6 @@
  inputs,
  lib,
  nixos-hardware,
-  nodeSecrets,
  pkgs,
  ...
 }: {
@ -26,20 +25,18 @@

  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];

-  extra.microvms = let
-    macOffset = config.lib.net.mac.addPrivate nodeSecrets.networking.interfaces.lan.mac;
-  in {
-    test = {
+  extra.microvms = {
+    vms.test = {
+      id = 11;
+      host = "test.local";
+      system = "x86_64-linux";
+      autostart = true;
      zfs = {
        enable = true;
        pool = "rpool";
        dataset = "safe/vms/test";
        mountpoint = "/persist/vms/test";
      };
-      autostart = true;
-      mac = macOffset "00:00:00:00:00:11";
-      macvtap = "lan";
-      system = "x86_64-linux";
    };
  };

@ -99,10 +96,4 @@
  #    };
  #  };
  #};
-
-  #microvm.vms.agag = {
-  #  flake = self;
-  #  updateFlake = microvm;
-  #};
-  #microvm.autostart = ["guest"];
 }
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@ -23,7 +23,7 @@
    };
    zpool = with extraLib.disko.zfs; {
      rpool =
-        encryptedZpool
+        defaultZpoolOptions
        // {
          datasets = {
            "local" = unmountable;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -4,7 +4,7 @@
  nodeSecrets,
  ...
 }: let
-  inherit (config.lib.net) cidr;
+  inherit (config.lib.net) ip cidr;

  net.lan.ipv4cidr = "192.168.100.1/24";
  net.lan.ipv6cidr = "fd00::1/64";
@ -94,6 +94,7 @@ in {
    zones = lib.mkForce {
      lan.interfaces = ["lan-self"];
      wan.interfaces = ["wan"];
+      "local-vms".interfaces = ["wg-local-vms"];
    };

    rules = lib.mkForce {
@ -133,7 +134,6 @@ in {
    };
  };

-  # TODO to microvm!
  services.kea = {
    dhcp4 = {
      enable = true;
@ -153,7 +153,7 @@ in {
        option-data = [
          {
            name = "domain-name-servers";
-            # TODO pihole self
+            # TODO pihole via self
            data = "1.1.1.1, 8.8.8.8";
          }
        ];
@ -161,10 +161,8 @@ in {
          {
            interface = "lan-self";
            subnet = cidr.canonicalize net.lan.ipv4cidr;
-            # TODO calculate this automatically, start at 40 or so
-            # to have enough for reservations
            pools = [
-              {pool = "192.168.100.20 - 192.168.100.250";}
+              {pool = "${cidr.host 20 net.lan.ipv4cidr} - ${cidr.host (-6) net.lan.ipv4cidr}";}
            ];
            option-data = [
              {
@ -172,13 +170,6 @@ in {
                data = cidr.ip net.lan.ipv4cidr;
              }
            ];
-            # TODO reserve addresses for each VM
-            #reservations = [
-            #  {
-            #    duid = "aa:bb:cc:dd:ee:ff";
-            #    ip-address = cidr.ip net.lan.ipv4cidr;
-            #  }
-            #];
          }
        ];
      };
@ -187,13 +178,9 @@ in {

  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan.device"];

-  #extra.wireguard.vms = {
-  #  server = {
-  #    enable = true;
-  #    host = "192.168.1.231";
-  #    port = 51822;
-  #    openFirewall = true;
-  #  };
-  #  addresses = ["10.0.0.1/24"];
-  #};
+  extra.microvms.networking = {
+    baseMac = nodeSecrets.networking.interfaces.lan.mac;
+    host = cidr.ip net.lan.ipv4cidr;
+    macvtapInterface = "lan";
+  };
 }