From f3ed1248af66b46c5283e44e287e9642721a745e Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 21 May 2023 22:57:40 +0200
Subject: [PATCH] feat: properly ensure vm zfs dataset exists
---
 hosts/ward/default.nix | 12 +++-
 hosts/ward/fs.nix | 18 +++---
 modules/microvms.nix | 52 ++++++++++++++----
 nix/apps/format-secrets.nix | 2 +-
 nix/lib.nix | 4 +-
 .../wireguard/ward-local-vms/keys/ward-hi.age | Bin 0 -> 422 bytes
 .../wireguard/ward-local-vms/keys/ward-hi.pub | 1 +
 .../ward-local-vms/psks/ward+ward-hi.age | 10 ++++
 .../ward-local-vms/psks/ward-hi+ward-test.age | Bin 0 -> 452 bytes
 9 files changed, 74 insertions(+), 25 deletions(-)
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-hi.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-hi.pub
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 885eccc..e2578be 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -37,7 +37,17 @@
 };
 in {
 test = defineVm 11;
- #hi = defineVm 12;
+ hi = defineVm 12;
+ };
+
+ microvm.vms.hi.config = {
+ imports = [
+ ../common/core
+ ../../users/root
+ ];
+
+ home-manager.users.root.home.minimal = true;
+ rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
 };
 microvm.vms.test.config = {
diff --git a/hosts/ward/fs.nix b/hosts/ward/fs.nix
index 3e1bce8..f21e693 100644
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@@ -44,16 +44,14 @@
 fileSystems."/persist".neededForBoot = true;
 # After importing the rpool, rollback the root system to be empty.
- boot.initrd.systemd.services = {
- impermanence-root = {
- wantedBy = ["initrd.target"];
- after = ["zfs-import-rpool.service"];
- before = ["sysroot.mount"];
- unitConfig.DefaultDependencies = "no";
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
- };
+ boot.initrd.systemd.services.impermanence-root = {
+ wantedBy = ["initrd.target"];
+ after = ["zfs-import-rpool.service"];
+ before = ["sysroot.mount"];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
 };
 };
 }
diff --git a/modules/microvms.nix b/modules/microvms.nix
index 119ebe4..24a3be0 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -7,6 +7,7 @@
 nodeName,
 nodePath,
 pkgs,
+ utils,
 ...
 }: let
 inherit
@@ -16,6 +17,7 @@
 escapeShellArg
 filterAttrs
 foldl'
+ makeBinPath
 mapAttrsToList
 mdDoc
 mkDefault
@@ -42,21 +44,49 @@
 extraLib.disko.zfs.filesystem vmCfg.zfs.mountpoint;
 };
- # TODO not cool, this might change or require more creation options.
- # TODO better to only add disko and a mount point requirement.
- # TODO the user can do the rest if required.
- # TODO needed for boot false
-
- # When installing a microvm, make sure that its persitent zfs dataset exists
- # TODO make this an activation function before mounting stuff.
- systemd.services."install-microvm-${vmName}".preStart = let
+ # Ensure that the zfs dataset exists before it is mounted.
+ systemd.services = let
+ fsMountUnit = "${utils.escapeSystemdPath vmCfg.zfs.mountpoint}.mount";
 poolDataset = "${vmCfg.zfs.pool}/${vmCfg.zfs.dataset}";
- in
- mkIf vmCfg.zfs.enable ''
+ diskoDataset = config.disko.devices.zpool.${vmCfg.zfs.pool}.datasets.${vmCfg.zfs.dataset};
+ createDatasetScript = pkgs.writeShellScript "create-microvm-${vmName}-zfs-dataset" ''
+ export PATH=${makeBinPath (diskoDataset._pkgs pkgs)}":$PATH"
 if ! ${pkgs.zfs}/bin/zfs list -H -o type ${escapeShellArg poolDataset} &>/dev/null ; then
- ${config.disko.devices.zpool.${vmCfg.zfs.pool}.datasets.${vmCfg.zfs.dataset}._create {zpool = vmCfg.zfs.pool;}}
+ ${diskoDataset._create {zpool = vmCfg.zfs.pool;}}
 fi
+ chmod 700 ${escapeShellArg vmCfg.zfs.mountpoint}
 '';
+ in
+ mkIf vmCfg.zfs.enable {
+ # Ensure that the zfs dataset exists before it is mounted.
+ "zfs-ensure-${utils.escapeSystemdPath vmCfg.zfs.mountpoint}" = let
+ fsMountUnit = "${utils.escapeSystemdPath vmCfg.zfs.mountpoint}.mount";
+ poolDataset = "${vmCfg.zfs.pool}/${vmCfg.zfs.dataset}";
+ diskoDataset = config.disko.devices.zpool.${vmCfg.zfs.pool}.datasets.${vmCfg.zfs.dataset};
+ createDatasetScript = pkgs.writeShellScript "create-microvm-${vmName}-zfs-dataset" ''
+ export PATH=${makeBinPath [pkgs.zfs]}":$PATH"
+ if ! zfs list -H -o type ${escapeShellArg poolDataset} &>/dev/null ; then
+ ${diskoDataset._create {zpool = vmCfg.zfs.pool;}}
+ fi
+ chmod 700 ${escapeShellArg vmCfg.zfs.mountpoint}
+ '';
+ in
+ mkIf vmCfg.zfs.enable {
+ wantedBy = [fsMountUnit];
+ before = [fsMountUnit];
+ after = ["zfs-import-${utils.escapeSystemdPath vmCfg.zfs.pool}.service"];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${createDatasetScript}";
+ };
+ };
+
+ "microvm@${vmName}" = {
+ requires = [fsMountUnit];
+ after = [fsMountUnit];
+ };
+ };
 microvm.vms.${vmName} = let
 # Loads configuration from a subfolder of this nodes configuration, if it exists.
diff --git a/nix/apps/format-secrets.nix b/nix/apps/format-secrets.nix
index 778dbec..d69f16a 100644
--- a/nix/apps/format-secrets.nix
+++ b/nix/apps/format-secrets.nix
@@ -12,7 +12,7 @@ in
 [[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
 for f in $(find . -type f -name '*.nix.age'); do
 echo "Formatting $f ..."
- decrypted=$(${../rage-decrypt-and-cache.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+ decrypted=$(${../rage-decrypt-and-cache.sh} --print-out-path "$f" ${concatStringsSep " " self.secretsConfig.masterIdentities}) \
 || { echo "error: Failed to decrypt!" >&2; exit 1; }
 formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
 || { echo "error: Failed to format $decrypted!" >&2; exit 1; }
diff --git a/nix/lib.nix b/nix/lib.nix
index edae4fd..1847ca1 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -119,7 +119,7 @@ in rec {
 };
 };
- rageMasterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
+ rageMasterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secretsConfig.masterIdentities;
 rageExtraEncryptionPubkeys = concatMapStrings (
 x:
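Review bot: The `"zfs-ensure-…"` attribute in the new `systemd.services` value re-binds `fsMountUnit`, `poolDataset`, `diskoDataset` and `createDatasetScript` in an inner `let` that shadows the identical outer bindings (where `poolDataset` is even kept as a context line), and wraps its body in a second `mkIf vmCfg.zfs.enable` although the whole set is already under that `mkIf`; the outer `createDatasetScript` is therefore dead and the repeated comment and bindings read like an unfinished refactor. The two script copies also disagree: the outer one puts `makeBinPath (diskoDataset._pkgs pkgs)` on PATH and calls `${pkgs.zfs}/bin/zfs`, while the surviving inner one only adds `makeBinPath [pkgs.zfs]` and calls a bare `zfs`, so if disko's `_create` snippet needs any tool besides `zfs` the inner version fails at runtime — the `_pkgs` form looks like the intended one. I would change the attribute to `"zfs-ensure-${utils.escapeSystemdPath vmCfg.zfs.mountpoint}" = {` and delete the inner `let … in mkIf`, keeping a single script that uses `diskoDataset._pkgs pkgs`. Separately, `chmod 700 ${escapeShellArg vmCfg.zfs.mountpoint}` runs `before` the `.mount` unit, so for an already-existing dataset it appears to tighten the underlying directory that the mount later hides rather than the dataset root, and since `writeShellScript` does not add `set -e` a failed `_create` still falls through to it; a comment stating which directory the mode is meant to protect, or ordering the chmod after the mount, would make the intent checkable. The enclosing module body starts and ends outside the hunk.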
@@ -127,7 +127,7 @@ in rec {
 then ''-R ${escapeShellArg x} ''
 else ''-r ${escapeShellArg x} ''
 )
- self.secrets.extraEncryptionPubkeys;
+ self.secretsConfig.extraEncryptionPubkeys;
 # The arguments required to de-/encrypt a secret in this repository
 rageDecryptArgs = "${rageMasterIdentityArgs}";
 rageEncryptArgs = "${rageMasterIdentityArgs} ${rageExtraEncryptionPubkeys}";
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-hi.age b/secrets/wireguard/ward-local-vms/keys/ward-hi.age
new file mode 100644
index 0000000000000000000000000000000000000000..95072ef24c278237eb6423be7ded24d433cc8fba
GIT binary patch
literal 422
zcmWm7J&%)M003YYO(bzTolFdaP8B&?c%cr)9uz`*rKM0lnp;}>9-rlfLd#p?X3oWr
z!Ni=4gD(C62M1$x^JdK@Zhj0mtG~e9^9P=p4=I>>t8G?>D7}MLKD}WG>K^GdIgV+Q
zJPf(L-M!S^lrg|8W9W5v4r)1-lW3sue5<#pti(yJkR`InNnA_Q?Y`34%C5RKeO%U{
zU0PwF2E)KZBIvAJ1{1mGLl$nRtjPfq=LQsXvLh@|403*W;cz
zmo!~n&MH+gQy91`nybS~DP+gm?I9cRP(ef5afuiIt{m;0f`cD#u73Fyzq@$%(amS}
zt^7>d5yA_%xodyY_V?E(H!iP#fBSkC{Cs(Ea{TcrIyyZT-nZU9zyIOVr_X=s>kl3;
Jp1jH*{s#&5l}Z2r
literal 0
HcmV?d00001
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-hi.pub b/secrets/wireguard/ward-local-vms/keys/ward-hi.pub
new file mode 100644
index 0000000..9f3941a
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/keys/ward-hi.pub
@@ -0,0 +1 @@
+vTtaQGwBCg3t7JVaKg8U1k1Lv41XMdDhiTc4K7mi9Ss=
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age
new file mode 100644
index 0000000..7dcb589
--- /dev/null
+++ b/secrets/wireguard/ward-local-vms/psks/ward+ward-hi.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 +rh+OOkCRYCr2yQyj3XaxJZiZeoeyyPDHXUiQ3SMqAQ
+rs6MQlD8/ccPU/HtdWuOIeX1RWsihBlxZ0MuustxxsQ
+-> piv-p256 xqSe8Q AwxXPO3A1XMHGKE8HMtwnXJ8pgyjp2uS/q/GKmCkf+BR
+/54hKpxBptCRfFUt5OdhTyjInf3556nC5vBy43uSgNU
+-> I-grease "w0 ./zzhbg ,4iOy/r3
+3ojmDBEzftsdy7oMF8zYU/7Yc92xQku7QIJkXDtO7LgGZGjsng0B+ZiwbRJGxWiL
+AZioiI0KllFnam8rMtHk9w
+--- VFUOXs7a5xhlh0wlOVe04hgpB/FCSPhAblqmeuLftac
+x;/YⰿO)6K!džw@aLt`r$*oe{
\ No newline at end of file
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age b/secrets/wireguard/ward-local-vms/psks/ward-hi+ward-test.age
new file mode 100644
index 0000000000000000000000000000000000000000..0acc4406cee145c9f51825070e73886e1949598f
GIT binary patch
literal 452
zcmXBNO^cLZ007|VC_zw%y@f1Mux5UZ?`VgGamLk|(b1X7O@$yw9mgFH*o@Ydy
zFUsO3fk{n@4yDT`P+@Q4l5MEgZ+uuP&x47ze1&=pogU(>V+$0!yg
z2PUd+aU3$@4z=tOGr+C?4KOZA$npTM^JyrI@eb{nYFIIXRmzlr6x3_m-h6@TP0R3+
z#Gyd99ToKZwM$?@&m0)-)l@RN2jP%iXt6c4flN0+N~<%uEk%^f@JP4+Ul(@t1oAN%
zq0n20_#EIqkj1bp0-RlJyWtgtF?v&^Ge-u_N@J@rq?QB6Hwi1dHfBL2i1A!oRf&=r
zJ*^DX#;Zq3KFWrTg7!>|BuU&+NBgbf(5O`b4!s0g$~0#yCaxvgmQ}%CGtFM73i!Cp
zu-|9iUOfDM{Z;>BLX3`m^=<)~~1T>7$d|FQ0w;3pp5{1poj5
literal 0
HcmV?d00001