feat: ensure vms come online after deployment even with missing wireguard keys

2025-10-11 07:10:39 +02:00 · 2023-05-21 23:26:51 +02:00 · 2023-05-21 23:26:51 +02:00 · bd8a14deb0
commit bd8a14deb0
parent f3ed1248af
7 changed files with 50 additions and 51 deletions
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@ -171,35 +171,46 @@

        extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;

-        systemd.network.networks."10-${vmCfg.networking.mainLinkName}" =
-          {
-            manual = {};
-            dhcp = {
-              matchConfig.Name = vmCfg.networking.mainLinkName;
-              DHCP = "yes";
-              networkConfig = {
-                IPv6PrivacyExtensions = "yes";
-                IPv6AcceptRA = true;
+        systemd.network.networks = let
+          wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName;
+        in {
+          # Remove requirement for the wireguard interface to come online,
+          # to allow microvms to be deployed more easily (otherwise they
+          # would not come online if the private key wasn't rekeyed yet).
+          # FIXME ideally this would be conditional at runtime if the
+          # agenix activation had an error, but this is not trivial.
+          ${wgConfig}.linkConfig.RequiredForOnline = "no";
+
+          "10-${vmCfg.networking.mainLinkName}" =
+            {
+              manual = {};
+              dhcp = {
+                matchConfig.Name = vmCfg.networking.mainLinkName;
+                DHCP = "yes";
+                networkConfig = {
+                  IPv6PrivacyExtensions = "yes";
+                  IPv6AcceptRA = true;
+                };
+                linkConfig.RequiredForOnline = "routable";
              };
-              linkConfig.RequiredForOnline = "routable";
-            };
-            static = {
-              matchConfig.Name = vmCfg.networking.mainLinkName;
-              address = [
-                "${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}"
-                "${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}"
-              ];
-              gateway = [
-                cfg.networking.host
-              ];
-              networkConfig = {
-                IPv6PrivacyExtensions = "yes";
-                IPv6AcceptRA = true;
+              static = {
+                matchConfig.Name = vmCfg.networking.mainLinkName;
+                address = [
+                  "${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}"
+                  "${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}"
+                ];
+                gateway = [
+                  cfg.networking.host
+                ];
+                networkConfig = {
+                  IPv6PrivacyExtensions = "yes";
+                  IPv6AcceptRA = true;
+                };
+                linkConfig.RequiredForOnline = "routable";
              };
-              linkConfig.RequiredForOnline = "routable";
-            };
-          }
-          .${vmCfg.networking.mode};
+            }
+            .${vmCfg.networking.mode};
+        };

        # TODO change once microvms are compatible with stage-1 systemd
        boot.initrd.systemd.enable = mkForce false;
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -155,7 +155,7 @@
        };
      };

-    systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = {
+    systemd.network.netdevs."${wgCfg.unitConfName}" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = wgCfg.linkName;
@ -227,7 +227,7 @@
          ];
    };

-    systemd.network.networks."${toString wgCfg.priority}-${wgName}" = {
+    systemd.network.networks."${wgCfg.unitConfName}" = {
      matchConfig.Name = wgCfg.linkName;
      address = map toNetworkAddr wgCfg.addresses;
    };
@ -327,6 +327,16 @@ in {
          description = mdDoc "The name for the created network interface.";
        };

+        unitConfName = mkOption {
+          default = "${toString config.priority}-${config.linkName}";
+          readOnly = true;
+          type = types.str;
+          description = mdDoc ''
+            The name used for unit configuration files. This is a read-only option.
+            Access this if you want to add additional settings to the generated systemd units.
+          '';
+        };
+
        ipv4 = mkOption {
          type = net.types.ipv4;
          description = mdDoc "The ipv4 address for this machine.";