From 88f1ac54b89681a8614f4a52248546e36fc07b0b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 21 May 2023 01:29:54 +0200
Subject: [PATCH] fix: remove faulty agenix directory early and only if necessary

chore: change default microvm naming scheme to -

---
 flake.nix | 12 ++++++------
 hosts/common/core/system.nix | 4 ++--
 hosts/ward/default.nix | 11 ++++++-----
 modules/microvms.nix | 14 ++++++++++++--
 modules/wireguard.nix | 15 ++-------------
 nix/secrets.nix | 3 ++-
 .../keys/{ward-microvm-test.age => ward-test.age} | 0
 .../keys/{ward-microvm-test.pub => ward-test.pub} | 0
 ...d+ward-microvm-test.age => ward+ward-test.age} | 0
 9 files changed, 30 insertions(+), 29 deletions(-)
 rename secrets/wireguard/ward-local-vms/keys/{ward-microvm-test.age => ward-test.age} (100%)
 rename secrets/wireguard/ward-local-vms/keys/{ward-microvm-test.pub => ward-test.pub} (100%)
 rename secrets/wireguard/ward-local-vms/psks/{ward+ward-microvm-test.age => ward+ward-test.age} (100%)

diff --git a/flake.nix b/flake.nix
index ad14c13..b6abfda 100644
--- a/flake.nix
+++ b/flake.nix
@@ -108,12 +108,12 @@
colmena = import ./nix/colmena.nix inputs;
colmenaNodes = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes;
microvmNodes =
- nixpkgs.lib.concatMapAttrs (
- nodeName: nodeAttrs:
- nixpkgs.lib.mapAttrs'
- (n: nixpkgs.lib.nameValuePair "${nodeName}-microvm-${n}")
- (self.colmenaNodes.${nodeName}.config.microvm.vms or {})
- )
+ nixpkgs.lib.concatMapAttrs
+ (nodeName: nodeAttrs:
+ nixpkgs.lib.mapAttrs'
+ # TODO This is duplicated three times. This is microvm naming #3
+ (n: nixpkgs.lib.nameValuePair "${nodeName}-${n}")
+ (self.colmenaNodes.${nodeName}.config.microvm.vms or {}))
self.colmenaNodes;
nodes = self.colmenaNodes // self.microvmNodes;

diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index b5fd08a..54c9823 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
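Review bot: With the `-microvm-` infix gone, a microvm `test` on node `ward` is registered as `ward-test`, and the context line `nodes = self.colmenaNodes // self.microvmNodes;` lets such a name silently shadow a real colmena node of the same name instead of failing evaluation. The naming duplication is already flagged by the `#3` TODO, but the collision itself deserves a hard check, e.g. `nodes = assert builtins.intersectAttrs self.colmenaNodes self.microvmNodes == {}; self.colmenaNodes // self.microvmNodes;`. The `nodeAttrs` lambda parameter is unused; `_:` would make that explicit. The flake outputs attrset this hunk belongs to starts and ends outside the hunk.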
@@ -210,8 +210,8 @@
# to create a link called /run/agenix. Agenix should probably fail in this case,
# but doesn't and instead puts the generation link into the existing directory.
# TODO See https://github.com/ryantm/agenix/pull/187.
- system.activationScripts.removeAgenixLink.text = "[[ -d /run/agenix ]] && rm -rf /run/agenix";
- system.activationScripts.agenixInstall.deps = ["removeAgenixLink"];
+ system.activationScripts.removeAgenixLink.text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
+ system.activationScripts.agenixNewGeneration.deps = ["removeAgenixLink"];

# Disable sudo which is entierly unnecessary.
security.sudo.enable = false;
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 890fa18..0a35b4a 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -25,17 +25,18 @@
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];

- extra.microvms = {
- vms.test = {
- id = 11;
+ extra.microvms.vms = let
+ defineVm = id: {
+ inherit id;
system = "x86_64-linux";
autostart = true;
zfs = {
enable = true;
pool = "rpool";
- dataset = "safe/vms/test";
- mountpoint = "/persist/vms/test";
};
};
+ in {
+ test = defineVm 11;
+ #hi = defineVm 12;
};
}
diff --git a/modules/microvms.nix b/modules/microvms.nix
index fc93bd0..2233a5b 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -48,6 +48,7 @@
# TODO needed for boot false

# When installing a microvm, make sure that its persitent zfs dataset exists
+ # TODO make this an activation function before mounting stuff.
systemd.services."install-microvm-${vmName}".preStart = let
poolDataset = "${vmCfg.zfs.pool}/${vmCfg.zfs.dataset}";
in
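Review bot: The new `removeAgenixLink` snippet is an `&&` chain, so whenever `/run/agenix` is already a symlink (the normal case after the first activation) its last command is a failed test and the snippet exits non-zero; assuming the activation wrapper only records failures through its ERR trap this is harmless today, but a guard is clearer and independent of that detail as an explicit conditional: `if [[ ! -L /run/agenix && -d /run/agenix ]]; then rm -rf /run/agenix; fi`. Renaming the dependency from `agenixInstall` to `agenixNewGeneration` ties this file to a particular agenix revision, which the existing comment does not mention; a one-liner such as `# must run before agenixNewGeneration, which creates the /run/agenix link` would spare the next reader a trip into the agenix module. Whether `agenixNewGeneration` is in fact the snippet that creates the link cannot be confirmed from this hunk.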
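Review bot: Dropping the explicit `dataset`/`mountpoint` means both are now derived from the attribute name via the module defaults (`safe/vms/test`, `/persist/vms/test`), so renaming the `test` key later silently points the VM at a fresh, empty dataset while the old one keeps the state; a comment next to `test = defineVm 11;` should say so: `# dataset/mountpoint default to safe/vms/<name> and /persist/vms/<name>; renaming a vm does not move its data`. `#hi = defineVm 12;` is commented-out code rather than documentation and is better removed or reworded as an example of declaring a second VM. `defineVm` also hard-codes `autostart = true` for every VM it builds, which is fine for `test` but should become a parameter if the helper is meant to be reused.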
@@ -60,8 +61,11 @@
microvm.vms.${vmName} = let
node = (import ../nix/generate-node.nix inputs)
- "${nodeName}-microvm-${vmName}" {
+ # TODO This is duplicated three times. This is microvm naming #1
+ "${nodeName}-${vmName}"
+ {
inherit (vmCfg) system;
+ # TODO make this configurable (or even disableable)
config = nodePath + "/microvms/${vmName}";
};
mac = net.mac.addPrivate vmCfg.id cfg.networking.baseMac;

@@ -282,7 +286,11 @@ in {
vms = mkOption {
default = {};
description = "Defines the actual vms and handles the necessary base setup for them.";
- type = types.attrsOf (types.submodule ({config, ...}: {
+ type = types.attrsOf (types.submodule ({
+ name,
+ config,
+ ...
+ }: {
options = {
id = mkOption {
type =
@@ -362,11 +370,13 @@ in {

dataset = mkOption {
type = types.str;
+ default = "safe/vms/${name}";
description = mdDoc "The host's dataset that should be used for this vm's state (will automatically be created, parent dataset must exist)";
};

mountpoint = mkOption {
type = types.str;
+ default = "/persist/vms/${name}";
description = mdDoc "The host's mountpoint for the vm's dataset (will be shared via virtofs as /persist in the vm)";
};
};
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 4cffe87..976f16f 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -46,6 +46,7 @@
associatedServerNodes
externalPeerName
externalPeerNamesRaw
+ networkCidrs
peerPresharedKeyPath
peerPresharedKeySecret
peerPrivateKeyPath
@@ -124,9 +125,7 @@
assertion = isClient -> ((wgCfgOf wgCfg.client.via).server.host != null);
message = "${assertionPrefix}: The specified via node '${wgCfg.client.via}' must be a wireguard server.";
}
- # TODO externalPeers != {} -> ip forwarding
- # TODO no overlapping cidrs in (external peers + peers using via = this).
- # TODO no overlapping cidrs between server nodes
+ # TODO at least 3 network participants and (externalPeers != {} or someone has via set to us) -> ip forwarding
]

networking.firewall.allowedUDPPorts =
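Review bot: The new defaults interpolate the raw attribute name into a ZFS dataset path and a host mountpoint (`safe/vms/${name}`, `/persist/vms/${name}`), and the same name already forms the systemd unit `install-microvm-${vmName}` and the generated node name, yet nothing visible in this module restricts it; a name containing `/`, whitespace or a leading `-` would yield a nested dataset, an invalid unit name or a bogus mountpoint. A submodule-level check such as `assertion = builtins.match "[a-zA-Z0-9_-]+" name != null;` with a message naming the offending vm would turn that into an evaluation error. The `dataset` description still says only that the parent dataset must exist; with the default it is now specifically `<pool>/safe/vms`, which the description should state. The submodule these options belong to starts and ends outside the hunk.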
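Review bot: The two removed TODOs about overlapping CIDRs (between server nodes, and between external peers and peers using `via`) are dropped without an assertion taking their place here or elsewhere in this patch (the diffstat shows only two insertions in this file), so the reminder is lost while the check is still missing unless it already exists somewhere not shown. Overlapping AllowedIPs is exactly the misconfiguration that silently misroutes or blackholes traffic between peers, so either keep those TODO lines or add the assertion to this list now; `networkCidrs`, newly brought into scope by the hunk above, looks like the input such a check would consume, though its shape is not visible here. The assertions list this hunk edits starts outside the hunk.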
@@ -314,16 +313,6 @@ in {
type = types.bool;
description = mdDoc "Whether to keep this connection alive using PersistentKeepalive. Set to false only for networks where client and server IPs are stable.";
};
-
- # TODO one option for allowing it, but also one to allow defining two
- # profiles / interfaces that can be activated manually.
- #routeAllTraffic = mkOption {
- # default = false;
- # type = types.bool;
- # description = mdDoc ''
- # Whether to allow routing all traffic through the via server.
- # '';
- #};
};

priority = mkOption {
diff --git a/nix/secrets.nix b/nix/secrets.nix
index 440648c..a72b887 100644
--- a/nix/secrets.nix
+++ b/nix/secrets.nix
@@ -53,7 +53,8 @@
# Returns all defined microvms with name and definition for a given node
microvmDefsFor = nodeName:
map
- (microvmName: nameValuePair "${nodeName}-microvm-${microvmName}" ../hosts/${nodeName}/microvms/${microvmName})
+ # TODO This is duplicated three times. This is microvm naming #2
+ (microvmName: nameValuePair "${nodeName}-${microvmName}" ../hosts/${nodeName}/microvms/${microvmName})
(microvmsFor nodeName);
# A attrset mapping all microvm nodes to its definition folder
microvms = listToAttrs (concatMap microvmDefsFor nodesWithMicrovms);
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-microvm-test.age b/secrets/wireguard/ward-local-vms/keys/ward-test.age
similarity index 100%
rename from secrets/wireguard/ward-local-vms/keys/ward-microvm-test.age
rename to secrets/wireguard/ward-local-vms/keys/ward-test.age
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-microvm-test.pub b/secrets/wireguard/ward-local-vms/keys/ward-test.pub
similarity index 100%
rename from secrets/wireguard/ward-local-vms/keys/ward-microvm-test.pub
rename to secrets/wireguard/ward-local-vms/keys/ward-test.pub
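Review bot: `listToAttrs` on the context line `microvms = listToAttrs (concatMap microvmDefsFor nodesWithMicrovms);` keeps only the first entry for a duplicate key, and with the `-microvm-` infix removed the key `"${nodeName}-${microvmName}"` is no longer injective: node `a` with vm `b-c` and node `a-b` with vm `c` both map to `a-b-c`, so one of them would silently lose its secrets definition folder. That is unlikely in the current host set but cheap to guard, e.g. `microvms = let defs = concatMap microvmDefsFor nodesWithMicrovms; in assert length defs == length (attrNames (listToAttrs defs)); listToAttrs defs;` (assuming `length`/`attrNames` are in scope like the other lib functions used here), or a separator that cannot occur in host names. Since the same key is also built in flake.nix and microvms.nix, as the TODO records, a single shared `microvmNodeName = nodeName: vmName: "${nodeName}-${vmName}";` helper would make any later change to the scheme atomic across all three places.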
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-microvm-test.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-test.age
similarity index 100%
rename from secrets/wireguard/ward-local-vms/psks/ward+ward-microvm-test.age
rename to secrets/wireguard/ward-local-vms/psks/ward+ward-test.age