feat: ensure vms come online after deployment even with missing wireguard keys

hosts/ward/default.nix

@@ -37,17 +37,6 @@
     };
   in {
     test = defineVm 11;
-    hi = defineVm 12;
-  };
-
-  microvm.vms.hi.config = {
-    imports = [
-      ../common/core
-      ../../users/root
-    ];
-
-    home-manager.users.root.home.minimal = true;
-    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
   };
 
   microvm.vms.test.config = {

modules/microvms.nix

@@ -171,7 +171,17 @@
 
         extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;
 
-        systemd.network.networks."10-${vmCfg.networking.mainLinkName}" =
+        systemd.network.networks = let
+          wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName;
+        in {
+          # Remove requirement for the wireguard interface to come online,
+          # to allow microvms to be deployed more easily (otherwise they
+          # would not come online if the private key wasn't rekeyed yet).
+          # FIXME ideally this would be conditional at runtime if the
+          # agenix activation had an error, but this is not trivial.
+          ${wgConfig}.linkConfig.RequiredForOnline = "no";
+
+          "10-${vmCfg.networking.mainLinkName}" =
             {
               manual = {};
               dhcp = {
@@ -200,6 +210,7 @@
               };
             }
             .${vmCfg.networking.mode};
+        };
 
         # TODO change once microvms are compatible with stage-1 systemd
         boot.initrd.systemd.enable = mkForce false;

modules/wireguard.nix

@@ -155,7 +155,7 @@
         };
       };
 
-    systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = {
+    systemd.network.netdevs."${wgCfg.unitConfName}" = {
       netdevConfig = {
         Kind = "wireguard";
         Name = wgCfg.linkName;
@@ -227,7 +227,7 @@
           ];
     };
 
-    systemd.network.networks."${toString wgCfg.priority}-${wgName}" = {
+    systemd.network.networks."${wgCfg.unitConfName}" = {
       matchConfig.Name = wgCfg.linkName;
       address = map toNetworkAddr wgCfg.addresses;
     };
@@ -327,6 +327,16 @@ in {
           description = mdDoc "The name for the created network interface.";
         };
 
+        unitConfName = mkOption {
+          default = "${toString config.priority}-${config.linkName}";
+          readOnly = true;
+          type = types.str;
+          description = mdDoc ''
+            The name used for unit configuration files. This is a read-only option.
+            Access this if you want to add additional settings to the generated systemd units.
+          '';
+        };
+
         ipv4 = mkOption {
           type = net.types.ipv4;
           description = mdDoc "The ipv4 address for this machine.";

secrets/wireguard/ward-local-vms/keys/ward-hi.pub

@@ -1 +0,0 @@
-vTtaQGwBCg3t7JVaKg8U1k1Lv41XMdDhiTc4K7mi9Ss=

secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age

@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> X25519 +rh+OOkCRYCr2yQyj3XaxJZiZeoeyyPDHXUiQ3SMqAQ
-rs6MQlD8/ccPU/HtdWuOIeX1RWsihBlxZ0MuustxxsQ
--> piv-p256 xqSe8Q AwxXPO3A1XMHGKE8HMtwnXJ8pgyjp2uS/q/GKmCkf+BR
-/54hKpxBptCRfFUt5OdhTyjInf3556nC5vBy43uSgNU
--> I-grease "w0 ./zzhbg ,4iOy/r3
-3ojmDBEzftsdy7oMF8zYU/7Yc92xQku7QIJkXDtO7LgGZGjsng0B+ZiwbRJGxWiL
-AZioiI0KllFnam8rMtHk9w
---- VFUOXs7a5xhlh0wlOVe04hgpB/FCSPhAblqmeuLftac
-ŽxòÁ˜;/�‘óYºµâ°¿ñåóê®îO¬°’º)6ìîüK!Ädžw@þÆÛèûªaëÄLt`§ãrÏÑ$ô*o÷e–{Žª½Ð