diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index e2578be..3b4faf5 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -37,17 +37,6 @@
 };
 in {
 test = defineVm 11;
- hi = defineVm 12;
- };
-
- microvm.vms.hi.config = {
- imports = [
- ../common/core
- ../../users/root
- ];
-
- home-manager.users.root.home.minimal = true;
- rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
 };
 
 microvm.vms.test.config = {
diff --git a/modules/microvms.nix b/modules/microvms.nix
index 24a3be0..ffb2098 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -171,35 +171,46 @@ extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac; - systemd.network.networks."10-${vmCfg.networking.mainLinkName}" = - { - manual = {}; - dhcp = { - matchConfig.Name = vmCfg.networking.mainLinkName; - DHCP = "yes"; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - IPv6AcceptRA = true; + systemd.network.networks = let + wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName; + in { + # Remove requirement for the wireguard interface to come online, + # to allow microvms to be deployed more easily (otherwise they + # would not come online if the private key wasn't rekeyed yet). + # FIXME ideally this would be conditional at runtime if the + # agenix activation had an error, but this is not trivial. + ${wgConfig}.linkConfig.RequiredForOnline = "no"; + + "10-${vmCfg.networking.mainLinkName}" = + { + manual = {}; + dhcp = { + matchConfig.Name = vmCfg.networking.mainLinkName; + DHCP = "yes"; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; }; - linkConfig.RequiredForOnline = "routable"; - }; - static = { - matchConfig.Name = vmCfg.networking.mainLinkName; - address = [ - "${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}" - "${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}" - ]; - gateway = [ - cfg.networking.host - ]; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - IPv6AcceptRA = true; + static = { + matchConfig.Name = vmCfg.networking.mainLinkName; + address = [ + "${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}" + "${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}" + ]; + gateway = [ + cfg.networking.host + ]; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; }; 
- linkConfig.RequiredForOnline = "routable"; - }; - } - .${vmCfg.networking.mode}; + } + .${vmCfg.networking.mode}; + }; # TODO change once microvms are compatible with stage-1 systemd boot.initrd.systemd.enable = mkForce false; diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 976f16f..b24d78a 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -155,7 +155,7 @@ }; }; - systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = { + systemd.network.netdevs."${wgCfg.unitConfName}" = { netdevConfig = { Kind = "wireguard"; Name = wgCfg.linkName; @@ -227,7 +227,7 @@ ]; }; - systemd.network.networks."${toString wgCfg.priority}-${wgName}" = { + systemd.network.networks."${wgCfg.unitConfName}" = { matchConfig.Name = wgCfg.linkName; address = map toNetworkAddr wgCfg.addresses; }; @@ -327,6 +327,16 @@ in { description = mdDoc "The name for the created network interface."; }; + unitConfName = mkOption { + default = "${toString config.priority}-${config.linkName}"; + readOnly = true; + type = types.str; + description = mdDoc '' + The name used for unit configuration files. This is a read-only option. + Access this if you want to add additional settings to the generated systemd units. + ''; + }; + ipv4 = mkOption { type = net.types.ipv4; description = mdDoc "The ipv4 address for this machine."; diff --git a/secrets/wireguard/ward-local-vms/keys/ward-hi.age b/secrets/wireguard/ward-local-vms/keys/ward-hi.age deleted file mode 100644 index 95072ef..0000000 Binary files a/secrets/wireguard/ward-local-vms/keys/ward-hi.age and /dev/null differ diff --git a/secrets/wireguard/ward-local-vms/keys/ward-hi.pub b/secrets/wireguard/ward-local-vms/keys/ward-hi.pub deleted file mode 100644 index 9f3941a..0000000 --- a/secrets/wireguard/ward-local-vms/keys/ward-hi.pub +++ /dev/null @@ -1 +0,0 @@ -vTtaQGwBCg3t7JVaKg8U1k1Lv41XMdDhiTc4K7mi9Ss= 
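Review bot: Setting `${wgConfig}.linkConfig.RequiredForOnline = "no"` removes the `${nodeName}-local-vms` WireGuard link from what systemd-networkd-wait-online waits for, so after this change `network-online.target` in the guest no longer implies the tunnel is configured; any service ordered after it that assumes the tunnel address exists, or that relies on the tunnel's routes to keep traffic off the guest's plain `10-<mainLinkName>` network, can now start before the tunnel is up and fall through to the main link. The added comment only records the deployment motivation (an un-rekeyed private key), not this consequence, so I would extend it with `# NOTE: services that must only reach peers via this tunnel cannot rely on network-online.target; bind to the tunnel address or order after the link explicitly.` The `config.extra.wireguard."${nodeName}-local-vms"` lookup also presumably requires every microVM host to define that entry, since a missing attribute fails at evaluation rather than degrading gracefully — worth an assertion or a hedge in the comment. The enclosing per-VM attribute set that this `systemd.network.networks` assignment lives in starts and ends outside the hunk.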
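Review bot: The new `unitConfName` default is built from `config.linkName`, whereas the unit keys it replaces in the 155 and 227 hunks were `"${toString wgCfg.priority}-${wgName}"`, i.e. keyed on the attribute name; unless `linkName` is guaranteed to equal that attribute name (its declaration is not in this hunk), the generated `.netdev`/`.network` file names change with this commit, and the option description should state the derivation so modules splicing into `systemd.network.networks.${unitConfName}` (as microvms.nix now does) know what they are extending. I would make the description concrete: `The name (\`<priority>-<linkName>\`) of the generated systemd-networkd .netdev and .network units. Read-only; use it to attach extra settings to those units.` The enclosing options attribute set starts and ends outside the hunk.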
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age deleted file mode 100644 index 7dcb589..0000000 --- a/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> X25519 +rh+OOkCRYCr2yQyj3XaxJZiZeoeyyPDHXUiQ3SMqAQ -rs6MQlD8/ccPU/HtdWuOIeX1RWsihBlxZ0MuustxxsQ --> piv-p256 xqSe8Q AwxXPO3A1XMHGKE8HMtwnXJ8pgyjp2uS/q/GKmCkf+BR -/54hKpxBptCRfFUt5OdhTyjInf3556nC5vBy43uSgNU --> I-grease "w0 ./zzhbg ,4iOy/r3 -3ojmDBEzftsdy7oMF8zYU/7Yc92xQku7QIJkXDtO7LgGZGjsng0B+ZiwbRJGxWiL -AZioiI0KllFnam8rMtHk9w ---- VFUOXs7a5xhlh0wlOVe04hgpB/FCSPhAblqmeuLftac -x;/YⰿO)6K!džw@aLt`r$*oe{ \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age b/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age deleted file mode 100644 index 0acc440..0000000 Binary files a/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age and /dev/null differ