From bd8a14deb03688e3bd9fb33272b30494400412ec Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 21 May 2023 23:26:51 +0200
Subject: [PATCH] feat: ensure vms come online after deployment even with missing wireguard keys

---
 hosts/ward/default.nix | 11 ---
 modules/microvms.nix | 65 ++++++++++--------
 modules/wireguard.nix | 14 +++-
 .../wireguard/ward-local-vms/keys/ward-hi.age | Bin 422 -> 0 bytes
 .../wireguard/ward-local-vms/keys/ward-hi.pub | 1 -
 .../ward-local-vms/psks/ward+ward-hi.age | 10 ---
 .../ward-local-vms/psks/ward-hi+ward-test.age | Bin 452 -> 0 bytes
 7 files changed, 50 insertions(+), 51 deletions(-)
 delete mode 100644 secrets/wireguard/ward-local-vms/keys/ward-hi.age
 delete mode 100644 secrets/wireguard/ward-local-vms/keys/ward-hi.pub
 delete mode 100644 secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age
 delete mode 100644 secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age

diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index e2578be..3b4faf5 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -37,17 +37,6 @@
 };
 in {
 test = defineVm 11;
- hi = defineVm 12;
- };
-
- microvm.vms.hi.config = {
- imports = [
- ../common/core
- ../../users/root
- ];
-
- home-manager.users.root.home.minimal = true;
- rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
 };

 microvm.vms.test.config = {
diff --git a/modules/microvms.nix b/modules/microvms.nix
index 24a3be0..ffb2098 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -171,35 +171,46 @@ extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac; - systemd.network.networks."10-${vmCfg.networking.mainLinkName}" = - { - manual = {}; - dhcp = { - matchConfig.Name = vmCfg.networking.mainLinkName; - DHCP = "yes"; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - IPv6AcceptRA = true; + systemd.network.networks = let + wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName; + in { + # Remove requirement for the wireguard interface to come online, + # to allow microvms to be deployed more easily (otherwise they + # would not come online if the private key wasn't rekeyed yet). + # FIXME ideally this would be conditional at runtime if the + # agenix activation had an error, but this is not trivial. + ${wgConfig}.linkConfig.RequiredForOnline = "no"; + + "10-${vmCfg.networking.mainLinkName}" = + { + manual = {}; + dhcp = { + matchConfig.Name = vmCfg.networking.mainLinkName; + DHCP = "yes"; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; }; - linkConfig.RequiredForOnline = "routable"; - }; - static = { - matchConfig.Name = vmCfg.networking.mainLinkName; - address = [ - "${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}" - "${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}" - ]; - gateway = [ - cfg.networking.host - ]; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - IPv6AcceptRA = true; + static = { + matchConfig.Name = vmCfg.networking.mainLinkName; + address = [ + "${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}" + "${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}" + ]; + gateway = [ + cfg.networking.host + ]; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; }; 
- linkConfig.RequiredForOnline = "routable"; - }; - } - .${vmCfg.networking.mode}; + } + .${vmCfg.networking.mode}; + }; # TODO change once microvms are compatible with stage-1 systemd boot.initrd.systemd.enable = mkForce false; diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 976f16f..b24d78a 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -155,7 +155,7 @@ }; }; - systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = { + systemd.network.netdevs."${wgCfg.unitConfName}" = { netdevConfig = { Kind = "wireguard"; Name = wgCfg.linkName; @@ -227,7 +227,7 @@ ]; }; - systemd.network.networks."${toString wgCfg.priority}-${wgName}" = { + systemd.network.networks."${wgCfg.unitConfName}" = { matchConfig.Name = wgCfg.linkName; address = map toNetworkAddr wgCfg.addresses; }; @@ -327,6 +327,16 @@ in { description = mdDoc "The name for the created network interface."; }; + unitConfName = mkOption { + default = "${toString config.priority}-${config.linkName}"; + readOnly = true; + type = types.str; + description = mdDoc '' + The name used for unit configuration files. This is a read-only option. + Access this if you want to add additional settings to the generated systemd units. + ''; + }; + ipv4 = mkOption { type = net.types.ipv4; description = mdDoc "The ipv4 address for this machine."; 
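Review bot: Setting `${wgConfig}.linkConfig.RequiredForOnline = "no"` makes every VM reach network-online.target whether or not its WireGuard link ever comes up, so any unit ordered after that target which assumes the host is only reachable through the tunnel can now start without one; the FIXME names the trade-off, but the comment should state the consequence for dependent units, e.g. `# NOTE: network-online.target no longer implies the wireguard link is up; units that must only talk over the tunnel need an explicit dependency on it.`. The lookup `config.extra.wireguard."${nodeName}-local-vms".unitConfName` also ties evaluation of every VM to that network being defined, so a VM built without it would fail at evaluation rather than fall back to the previous behaviour (inferred, the network definition is outside this hunk). The enclosing VM configuration attribute set continues past the end of the hunk.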
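Review bot: Switching the netdev name to `"${wgCfg.unitConfName}"` changes the generated unit name from `<priority>-<wgName>` to `<priority>-<linkName>` (per the new option's default in the `@@ -327` hunk), and the `@@ -227` hunk does the same for the network unit; unless `linkName` defaults to `wgName` (its definition is outside this diff), the on-disk `.netdev`/`.network` files are renamed on the next deployment and networkd may tear down and recreate the interface configuration during the switch, which deserves a sentence in the commit message. If the coupling is intended, a short comment on the changed line would make it visible to the next reader, e.g. `# unit name follows unitConfName so other modules can extend these units`. The surrounding attribute set continues outside the hunk.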
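Review bot: The `unitConfName` description explains what the option is for but not what value it yields, which is exactly what a consumer needs in order to match the generated files; suggest appending `Currently this is `<priority>-<linkName>` and cannot be overridden.` to the description. Because `readOnly = true` leaves `default` as the only source of the value, the doc should also note that changing `priority` or `linkName` renames the generated units. The options set introduced by `in {` continues outside the hunk.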
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-hi.age b/secrets/wireguard/ward-local-vms/keys/ward-hi.age deleted file mode 100644 index 95072ef24c278237eb6423be7ded24d433cc8fba..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 422 zcmWm7J&%)M003YYO(bzTolFdaP8B&?c%cr)9uz`*rKM0lnp;}>9-rlfLd#p?X3oWr z!Ni=4gD(C62M1$x^JdK@Zhj0mtG~e9^9P=p4=I>>t8G?>D7}MLKD}WG>K^GdIgV+Q zJPf(L-M!S^lrg|8W9W5v4r)1-lW3sue5<#pti(yJkR`InNnA_Q?Y`34%C5RKeO%U{ zU0PwF2E)KZBIvAJ1{1mGLl$nRtjPfq=LQsXvLh@|403*W;cz zmo!~n&MH+gQy91`nybS~DP+gm?I9cRP(ef5afuiIt{m;0f`cD#u73Fyzq@$%(amS} zt^7>d5yA_%xodyY_V?E(H!iP#fBSkC{Cs(Ea{TcrIyyZT-nZU9zyIOVr_X=s>kl3; Jp1jH*{s#&5l}Z2r diff --git a/secrets/wireguard/ward-local-vms/keys/ward-hi.pub b/secrets/wireguard/ward-local-vms/keys/ward-hi.pub deleted file mode 100644 index 9f3941a..0000000 --- a/secrets/wireguard/ward-local-vms/keys/ward-hi.pub +++ /dev/null @@ -1 +0,0 @@ -vTtaQGwBCg3t7JVaKg8U1k1Lv41XMdDhiTc4K7mi9Ss= diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age deleted file mode 100644 index 7dcb589..0000000 --- a/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> X25519 +rh+OOkCRYCr2yQyj3XaxJZiZeoeyyPDHXUiQ3SMqAQ -rs6MQlD8/ccPU/HtdWuOIeX1RWsihBlxZ0MuustxxsQ --> piv-p256 xqSe8Q AwxXPO3A1XMHGKE8HMtwnXJ8pgyjp2uS/q/GKmCkf+BR -/54hKpxBptCRfFUt5OdhTyjInf3556nC5vBy43uSgNU --> I-grease "w0 ./zzhbg ,4iOy/r3 -3ojmDBEzftsdy7oMF8zYU/7Yc92xQku7QIJkXDtO7LgGZGjsng0B+ZiwbRJGxWiL -AZioiI0KllFnam8rMtHk9w ---- VFUOXs7a5xhlh0wlOVe04hgpB/FCSPhAblqmeuLftac -x;/YⰿO)6K!džw@aLt`r$*oe{ \ No newline at end of file 
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age b/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age deleted file mode 100644 index 0acc4406cee145c9f51825070e73886e1949598f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 452 zcmXBNO^cLZ007|VC_zw%y@f1Mux5UZ?`VgGamLk|(b1X7O@$yw9mgFH*o@Ydy zFUsO3fk{n@4yDT`P+@Q4l5MEgZ+uuP&x47ze1&=pogU(>V+$0!yg z2PUd+aU3$@4z=tOGr+C?4KOZA$npTM^JyrI@eb{nYFIIXRmzlr6x3_m-h6@TP0R3+ z#Gyd99ToKZwM$?@&m0)-)l@RN2jP%iXt6c4flN0+N~<%uEk%^f@JP4+Ul(@t1oAN% zq0n20_#EIqkj1bp0-RlJyWtgtF?v&^Ge-u_N@J@rq?QB6Hwi1dHfBL2i1A!oRf&=r zJ*^DX#;Zq3KFWrTg7!>|BuU&+NBgbf(5O`b4!s0g$~0#yCaxvgmQ}%CGtFM73i!Cp zu-|9iUOfDM{Z;>BLX3`m^=<)~~1T>7$d|FQ0w;3pp5{1poj5