sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: ensure vms come online after deployment even with missing wireguard keys

Browse source
This commit is contained in:
oddlama 2023-05-21 23:26:51 +02:00
parent f3ed1248af
commit bd8a14deb0
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 50 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

65
modules/microvms.nix
View file

@ -171,35 +171,46 @@
extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;
systemd.network.networks."10-${vmCfg.networking.mainLinkName}" =
{
manual = {};
dhcp = {
matchConfig.Name = vmCfg.networking.mainLinkName;
DHCP = "yes";
networkConfig = {
IPv6PrivacyExtensions = "yes";
IPv6AcceptRA = true;
systemd.network.networks = let
wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName;
in {
# Remove requirement for the wireguard interface to come online,
# to allow microvms to be deployed more easily (otherwise they
# would not come online if the private key wasn't rekeyed yet).
# FIXME ideally this would be conditional at runtime if the
# agenix activation had an error, but this is not trivial.
${wgConfig}.linkConfig.RequiredForOnline = "no";
"10-${vmCfg.networking.mainLinkName}" =
{
manual = {};
dhcp = {
matchConfig.Name = vmCfg.networking.mainLinkName;
DHCP = "yes";
networkConfig = {
IPv6PrivacyExtensions = "yes";
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
linkConfig.RequiredForOnline = "routable";
};
static = {
matchConfig.Name = vmCfg.networking.mainLinkName;
address = [
"${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}"
"${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}"
];
gateway = [
cfg.networking.host
];
networkConfig = {
IPv6PrivacyExtensions = "yes";
IPv6AcceptRA = true;
static = {
matchConfig.Name = vmCfg.networking.mainLinkName;
address = [
"${vmCfg.networking.static.ipv4}/${toString (net.cidr.length cfg.networking.static.baseCidrv4)}"
"${vmCfg.networking.static.ipv6}/${toString (net.cidr.length cfg.networking.static.baseCidrv6)}"
];
gateway = [
cfg.networking.host
];
networkConfig = {
IPv6PrivacyExtensions = "yes";
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
linkConfig.RequiredForOnline = "routable";
};
}
.${vmCfg.networking.mode};
}
.${vmCfg.networking.mode};
};
# TODO change once microvms are compatible with stage-1 systemd
boot.initrd.systemd.enable = mkForce false;

14
modules/wireguard.nix
View file

@ -155,7 +155,7 @@
};
};
systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = {
systemd.network.netdevs."${wgCfg.unitConfName}" = {
netdevConfig = {
Kind = "wireguard";
Name = wgCfg.linkName;
@ -227,7 +227,7 @@
];
};
systemd.network.networks."${toString wgCfg.priority}-${wgName}" = {
systemd.network.networks."${wgCfg.unitConfName}" = {
matchConfig.Name = wgCfg.linkName;
address = map toNetworkAddr wgCfg.addresses;
};
@ -327,6 +327,16 @@ in {
description = mdDoc "The name for the created network interface.";
};
unitConfName = mkOption {
default = "${toString config.priority}-${config.linkName}";
readOnly = true;
type = types.str;
description = mdDoc ''
The name used for unit configuration files. This is a read-only option.
Access this if you want to add additional settings to the generated systemd units.
'';
};
ipv4 = mkOption {
type = net.types.ipv4;
description = mdDoc "The ipv4 address for this machine.";