sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add static microvm networking; allow cidrv4 and cidrv6 to be

Browse source 
specified explicitly on wireguard networks to allow for
  simple access by other modules.
This commit is contained in:
oddlama 2023-05-20 00:55:48 +02:00
parent 78cdcd3c69
commit 6d8f8ab2e3
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 168 additions and 131 deletions
Download patch file Download diff file Expand all files Collapse all files

58
hosts/ward/default.nix
View file

@ -28,7 +28,6 @@
extra.microvms = { extra.microvms = {
vms.test = { vms.test = {
id = 11; id = 11;
host = "test.local";
system = "x86_64-linux"; system = "x86_64-linux";
autostart = true; autostart = true;
zfs = { zfs = {
@ -39,61 +38,4 @@
}; };
}; };
}; };
#services.authelia.instances.main = {
# enable = true;
# settings = {
# theme = "dark";
# log = {
# level = "info";
# format = "text";
# };
# server = {
# host = "127.0.0.1";
# port = 9091;
# };
# session = {
# name = "session";
# domain = "pas.sh";
# };
# authentication_backend.ldap = {
# implementation = "custom";
# url = "ldap://127.0.0.1:3890";
# base_dn = "dc=pas,dc=sh";
# username_attribute = "uid";
# additional_users_dn = "ou=people";
# users_filter = "(&({username_attribute}={input})(objectclass=person))";
# additional_groups_dn = "ou=groups";
# groups_filter = "(member={dn})";
# group_name_attribute = "cn";
# mail_attribute = "mail";
# display_name_attribute = "uid";
# user = "uid=authelia,ou=people,dc=pas,dc=sh";
# };
# storage.local = {
# path = "/var/lib/authelia-${cfg.name}/db.sqlite3";
# };
# access_control = {
# default_policy = "deny";
# };
# notifier.smtp = rec {
# host = "smtp.fastmail.com";
# port = 587;
# username = "a@example.com";
# sender = "noreply@example.com";
# startup_check_address = sender;
# disable_html_emails = true;
# };
# identity_providers.oidc = {
# cors.allowed_origins_from_client_redirect_uris = true;
# cors.endpoints = [
# "authorization"
# "introspection"
# "revocation"
# "token"
# "userinfo"
# ];
# };
# };
#};
} }

24
hosts/ward/net.nix
View file

@ -6,8 +6,8 @@
}: let }: let
inherit (config.lib.net) ip cidr; inherit (config.lib.net) ip cidr;
net.lan.ipv4cidr = "192.168.100.1/24"; lanCidrv4 = "192.168.100.0/24";
net.lan.ipv6cidr = "fd00::1/64"; lanCidrv6 = "fd00::/64";
in { in {
networking.hostId = nodeSecrets.networking.hostId; networking.hostId = nodeSecrets.networking.hostId;
@ -55,7 +55,10 @@ in {
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
"20-lan-self" = { "20-lan-self" = {
address = [net.lan.ipv4cidr net.lan.ipv6cidr]; address = [
(cidr.hostCidr 1 lanCidrv4)
(cidr.hostCidr 1 lanCidrv6)
];
matchConfig.Name = "lan-self"; matchConfig.Name = "lan-self";
networkConfig = { networkConfig = {
IPForward = "yes"; IPForward = "yes";
@ -64,7 +67,7 @@ in {
}; };
# Announce a static prefix # Announce a static prefix
ipv6Prefixes = [ ipv6Prefixes = [
{ipv6PrefixConfig.Prefix = cidr.canonicalize net.lan.ipv6cidr;} {ipv6PrefixConfig.Prefix = lanCidrv6;}
]; ];
# Delegate prefix from wan # Delegate prefix from wan
#dhcpPrefixDelegationConfig = { #dhcpPrefixDelegationConfig = {
@ -76,7 +79,7 @@ in {
ipv6SendRAConfig = { ipv6SendRAConfig = {
EmitDNS = true; EmitDNS = true;
# TODO change to self later # TODO change to self later
#DNS = cidr.ip net.lan.ipv6cidr; #DNS = cidr.host 1 net.lan.ipv6cidr;
DNS = ["2606:4700:4700::1111" "2001:4860:4860::8888"]; DNS = ["2606:4700:4700::1111" "2001:4860:4860::8888"];
}; };
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
@ -160,14 +163,14 @@ in {
subnet4 = [ subnet4 = [
{ {
interface = "lan-self"; interface = "lan-self";
subnet = cidr.canonicalize net.lan.ipv4cidr; subnet = lanCidrv4;
pools = [ pools = [
{pool = "${cidr.host 20 net.lan.ipv4cidr} - ${cidr.host (-6) net.lan.ipv4cidr}";} {pool = "${cidr.host 20 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";}
]; ];
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = cidr.ip net.lan.ipv4cidr; data = cidr.host 1 lanCidrv4;
} }
]; ];
} }
@ -180,7 +183,10 @@ in {
extra.microvms.networking = { extra.microvms.networking = {
baseMac = nodeSecrets.networking.interfaces.lan.mac; baseMac = nodeSecrets.networking.interfaces.lan.mac;
host = cidr.ip net.lan.ipv4cidr;
macvtapInterface = "lan"; macvtapInterface = "lan";
static = {
baseCidrv4 = lanCidrv4;
baseCidrv6 = lanCidrv6;
};
}; };
} }

183
modules/microvms.nix
View file

@ -32,6 +32,7 @@
cfg = config.extra.microvms; cfg = config.extra.microvms;
inherit (config.extra.microvms) vms; inherit (config.extra.microvms) vms;
inherit (config.lib) net;
# Configuration for each microvm # Configuration for each microvm
microvmConfig = vmName: vmCfg: { microvmConfig = vmName: vmCfg: {
@ -63,7 +64,7 @@
inherit (vmCfg) system; inherit (vmCfg) system;
config = nodePath + "/microvms/${vmName}"; config = nodePath + "/microvms/${vmName}";
}; };
mac = config.lib.net.mac.addPrivate vmCfg.id cfg.networking.baseMac; mac = net.mac.addPrivate vmCfg.id cfg.networking.baseMac;
in { in {
# Allow children microvms to know which node is their parent # Allow children microvms to know which node is their parent
specialArgs = specialArgs =
@ -87,7 +88,7 @@
id = "vm-${vmName}"; id = "vm-${vmName}";
inherit mac; inherit mac;
macvtap = { macvtap = {
link = cfg.macvtapInterface; link = cfg.networking.macvtapInterface;
mode = "bridge"; mode = "bridge";
}; };
} }
@ -124,19 +125,37 @@
gc.automatic = mkForce false; gc.automatic = mkForce false;
}; };
extra.networking.renameInterfacesByMac.${vmCfg.linkName} = mac; extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;
systemd.network.networks = { systemd.network.networks."10-${vmCfg.networking.mainLinkName}" =
"10-${vmCfg.linkName}" = { {
matchConfig.Name = vmCfg.linkName; manual = {};
DHCP = "yes"; dhcp = {
networkConfig = { matchConfig.Name = vmCfg.networking.mainLinkName;
IPv6PrivacyExtensions = "yes"; DHCP = "yes";
IPv6AcceptRA = true; networkConfig = {
IPv6PrivacyExtensions = "yes";
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
}; };
linkConfig.RequiredForOnline = "routable"; static = {
}; matchConfig.Name = vmCfg.networking.mainLinkName;
}; address = [
vmCfg.networking.static.ipv4
vmCfg.networking.static.ipv6
];
gateway = [
cfg.networking.host
];
networkConfig = {
IPv6PrivacyExtensions = "yes";
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
}
.${vmCfg.networking.mode};
# TODO change once microvms are compatible with stage-1 systemd # TODO change once microvms are compatible with stage-1 systemd
boot.initrd.systemd.enable = mkForce false; boot.initrd.systemd.enable = mkForce false;
@ -144,13 +163,13 @@
# Create a firewall zone for the bridged traffic and secure vm traffic # Create a firewall zone for the bridged traffic and secure vm traffic
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { zones = lib.mkForce {
"${vmCfg.linkName}".interfaces = [vmCfg.linkName]; "${vmCfg.networking.mainLinkName}".interfaces = [vmCfg.networking.mainLinkName];
"local-vms".interfaces = ["wg-local-vms"]; "local-vms".interfaces = ["wg-local-vms"];
}; };
rules = lib.mkForce { rules = lib.mkForce {
"${vmCfg.linkName}-to-local" = { "${vmCfg.networking.mainLinkName}-to-local" = {
from = [vmCfg.linkName]; from = [vmCfg.networking.mainLinkName];
to = ["local"]; to = ["local"];
}; };
@ -161,24 +180,21 @@
}; };
}; };
extra.wireguard."local-vms" = { extra.wireguard."${nodeName}-local-vms" = {
# We have a resolvable hostname / static ip, so all peers can directly communicate with us # We have a resolvable hostname / static ip, so all peers can directly communicate with us
server = optionalAttrs (cfg.networking.host != null) { server = optionalAttrs (cfg.networking.host != null) {
inherit (vmCfg) host; inherit (vmCfg.networking) host;
port = 51829; port = 51829;
openFirewallInRules = ["${vmCfg.linkName}-to-local"]; openFirewallInRules = ["${vmCfg.networking.mainLinkName}-to-local"];
}; };
# We have no static hostname, so we must use a client-server architecture. # If We don't have such guarantees, so we must use a client-server architecture.
client = optionalAttrs (cfg.networking.host == null) { client = optionalAttrs (cfg.networking.host == null) {
via = nodeName; via = nodeName;
keepalive = false; keepalive = false;
}; };
cidrv4 = "${net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv4}/32";
cidrv6 = "${net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv6}/128";
# TODO check error: addresses = ["10.22.22.2/30"]; # TODO check error: addresses = ["10.22.22.2/30"];
# TODO switch wg module to explicit v4 and v6
addresses = [
"${config.lib.net.cidr.host vmCfg.id cfg.networking.wireguard.netv4}/32"
"${config.lib.net.cidr.host vmCfg.id cfg.networking.wireguard.netv6}/128"
];
}; };
}; };
}; };
@ -194,18 +210,38 @@ in {
options.extra.microvms = { options.extra.microvms = {
networking = { networking = {
baseMac = mkOption { baseMac = mkOption {
type = config.lib.net.types.mac; type = net.types.mac;
description = mdDoc '' description = mdDoc ''
This MAC address will be used as a base address to derive all MicroVM MAC addresses from. This MAC address will be used as a base address to derive all MicroVM MAC addresses from.
A good practise is to use the physical address of the macvtap interface. A good practise is to use the physical address of the macvtap interface.
''; '';
}; };
static = {
baseCidrv4 = mkOption {
type = net.types.cidrv4;
description = mdDoc ''
If a MicroVM is using static networking, and it hasn't defined a specific
address to use, its ipv4 address will be derived from this base address and its `id`.
'';
};
baseCidrv6 = mkOption {
type = net.types.cidrv6;
description = mdDoc ''
If a MicroVM is using static networking, and it hasn't defined a specific
address to use, its ipv6 address will be derived from this base address and its `id`.
'';
};
};
host = mkOption { host = mkOption {
type = types.str; type = types.str;
default = net.cidr.host 1 cfg.networking.static.baseCidrv4;
description = mdDoc '' description = mdDoc ''
The host as which this machine can be reached from other participants of the bridged macvtap network. The ip or resolveable hostname under which this machine can be reached from other
This can either be a resolvable hostname or an IP address. participants of the bridged macvtap network. Defaults to the first host
in the given static base ipv4 address range.
''; '';
}; };
@ -215,25 +251,24 @@ in {
}; };
wireguard = { wireguard = {
netv4 = mkOption { cidrv4 = mkOption {
type = config.lib.net.types.cidrv4; type = net.types.cidrv4;
description = mdDoc "The ipv4 network address range to use for internal vm traffic."; description = mdDoc "The ipv4 network address range to use for internal vm traffic.";
default = "172.31.0.0/24"; default = "172.31.0.0/24";
}; };
netv6 = mkOption { cidrv6 = mkOption {
type = config.lib.net.types.cidrv6; type = net.types.cidrv6;
description = mdDoc "The ipv6 network address range to use for internal vm traffic."; description = mdDoc "The ipv6 network address range to use for internal vm traffic.";
default = "fddd::/64"; default = "fddd::/64";
}; };
}; };
# TODO check plus no overflow
}; };
vms = mkOption { vms = mkOption {
default = {}; default = {};
description = "Defines the actual vms and handles the necessary base setup for them."; description = "Defines the actual vms and handles the necessary base setup for them.";
type = types.attrsOf (types.submodule { type = types.attrsOf (types.submodule ({config, ...}: {
options = { options = {
id = mkOption { id = mkOption {
type = type =
@ -254,6 +289,55 @@ in {
''; '';
}; };
networking = {
mode = mkOption {
type = types.enum ["dhcp" "static" "manual"];
default = "static";
description = "Determines how the main macvtap bridged network interface is configured this MicroVM.";
};
mainLinkName = mkOption {
type = types.str;
default = "wan";
description = mdDoc "The main ethernet link name inside of the VM";
};
static = {
ipv4 = mkOption {
type = net.types.ipv4-in cfg.networking.static.baseCidrv4;
default = net.cidr.host config.id cfg.networking.static.baseCidrv4;
description = mdDoc ''
The static ipv4 for this MicroVM. Only used if mode is static.
Defaults to the id-th host in the configured network range.
'';
};
ipv6 = mkOption {
type = net.types.ipv6-in cfg.networking.static.baseCidrv6;
default = net.cidr.host config.id cfg.networking.static.baseCidrv6;
description = mdDoc ''
The static ipv6 for this MicroVM. Only used if mode is static.
Defaults to the id-th host in the configured network range.
'';
};
};
host = mkOption {
type = types.nullOr types.str;
default =
if config.networking.mode == "static"
then config.networking.static.ipv4
else null;
description = mdDoc ''
The host as which this VM can be reached from other participants of the bridged macvtap network.
If this is null, the wireguard connection will use a client-server architecture with the host as the server.
Otherwise, all clients will communicate directly, meaning the host cannot listen to traffic.
This can either be a resolvable hostname or an IP address. Defaults to the static ipv4 if given, else null.
'';
};
};
zfs = { zfs = {
enable = mkEnableOption (mdDoc "Enable persistent data on separate zfs dataset"); enable = mkEnableOption (mdDoc "Enable persistent data on separate zfs dataset");
@ -279,33 +363,12 @@ in {
description = mdDoc "Whether this VM should be started automatically with the host"; description = mdDoc "Whether this VM should be started automatically with the host";
}; };
# TODO allow configuring static ipv4 and ipv6 instead of dhcp?
# maybe create networking. namespace and have options = dhcpwithRA and static.
linkName = mkOption {
type = types.str;
default = "wan";
description = mdDoc "The main ethernet link name inside of the VM";
};
host = mkOption {
type = types.nullOr types.str;
default = null;
description = mdDoc ''
The host as which this VM can be reached from other participants of the bridged macvtap network.
If this is unset, the wireguard connection will use a client-server architecture with the host as the server.
Otherwise, all clients will communicate directly, meaning the host cannot listen to traffic.
This can either be a resolvable hostname or an IP address.
'';
};
system = mkOption { system = mkOption {
type = types.str; type = types.str;
description = mdDoc "The system that this microvm should use"; description = mdDoc "The system that this microvm should use";
}; };
}; };
}); }));
}; };
}; };
@ -321,16 +384,14 @@ in {
]; ];
# Define a local wireguard server to communicate with vms securely # Define a local wireguard server to communicate with vms securely
extra.wireguard."local-vms" = { extra.wireguard."${nodeName}-local-vms" = {
server = { server = {
inherit (cfg.networking) host; inherit (cfg.networking) host;
port = 51829; port = 51829;
openFirewallInRules = ["lan-to-local"]; openFirewallInRules = ["lan-to-local"];
}; };
addresses = [ cidrv4 = net.cidr.hostCidr 1 cfg.networking.wireguard.cidrv4;
(config.lib.net.cidr.hostCidr 1 cfg.networking.wireguard.netv4) cidrv6 = net.cidr.hostCidr 1 cfg.networking.wireguard.cidrv6;
(config.lib.net.cidr.hostCidr 1 cfg.networking.wireguard.netv6)
];
}; };
} }
// extraLib.mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms) // extraLib.mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)

34
modules/wireguard.nix
View file

@ -177,7 +177,7 @@
}) })
wgCfg.server.externalPeers wgCfg.server.externalPeers
# All client nodes that have their via set to us. # All client nodes that have their via set to us.
++ mapAttrsToList (clientNode: let ++ map (clientNode: let
clientCfg = wgCfgOf clientNode; clientCfg = wgCfgOf clientNode;
in { in {
wireguardPeerConfig = wireguardPeerConfig =
@ -293,15 +293,43 @@ in {
description = mdDoc "The order priority used when creating systemd netdev and network files."; description = mdDoc "The order priority used when creating systemd netdev and network files.";
}; };
cidrv4 = mkOption {
type =
if config.client.via != null
then net.types.cidrv4-in nodes.${config.client.via}.config.extra.wireguard.${name}.cidrv4
else net.types.cidrv4;
description = mdDoc ''
The ipv4 host address (with cidr mask) to configure for this interface.
The cidr mask determines this peers allowed address range as configured on other peers.
The mask should usually be fully restricted (/32) when no external clients are configured
and no other node uses this as a via.
'';
};
cidrv6 = mkOption {
type =
if config.client.via != null
then net.types.cidrv6-in nodes.${config.client.via}.config.extra.wireguard.${name}.cidrv6
else net.types.cidrv6;
description = mdDoc ''
The ipv6 host address (with cidr mask) to configure for this interface.
The cidr mask determines this peers allowed address range as configured on other peers.
The mask should usually be fully restricted (/128) when no external clients are configured
and no other node uses this as a via.
'';
};
addresses = mkOption { addresses = mkOption {
type = types.listOf ( type = types.listOf (
if config.client.via != null if config.client.via != null
then net.types.cidr-in nodes.${config.client.via}.config.extra.wireguard.${name}.addresses then net.types.cidr-in nodes.${config.client.via}.config.extra.wireguard.${name}.addresses
else net.types.cidr else net.types.cidr
); );
default = [config.cidrv4 config.cidrv6];
description = mdDoc '' description = mdDoc ''
The addresses to configure for this interface. Will automatically be added The addresses (with cidr mask) to configure for this interface.
as this peer's allowed addresses on all other peers. The cidr mask determines this peers allowed address range as configured on other peers.
By default this will just include {option}`cidrv4` and {option}`cidrv6` as configured.
''; '';
}; };
}; };