feat: use configurable link name in containers

oddlama 2023-12-19 17:57:09 +01:00
parent eafe3b673c
commit c94084496a
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 38 additions and 53 deletions


@ -1,7 +1,6 @@
{ {
lib, lib,
utils, utils,
nodes,
... ...
}: let }: let
inherit (lib) net; inherit (lib) net;
@ -22,7 +21,7 @@ in {
renew-timer = 1000; renew-timer = 1000;
rebind-timer = 2000; rebind-timer = 2000;
interfaces-config = { interfaces-config = {
# XXX: why does this bind other macvtaps? # XXX: BUG: why does this bind other macvtaps?
interfaces = ["lan-self"]; interfaces = ["lan-self"];
service-sockets-max-retries = -1; service-sockets-max-retries = -1;
}; };


@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoiozZHb2lXv9sZGXDeL2hdYYVPTMVrxdUl/lRro4zh ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOanBR6abVoPfpH9RyhxaJ1dg0/+VFAUyCfQzFqxGBzk


@ -10,20 +10,18 @@ in {
gc.automatic = mkForce false; gc.automatic = mkForce false;
}; };
systemd.network.networks = { systemd.network.networks."10-${guestCfg.networking.mainLinkName}" = {
"10-${guestCfg.networking.mainLinkName}" = { matchConfig.Name = guestCfg.networking.mainLinkName;
matchConfig.Name = guestCfg.networking.mainLinkName; DHCP = "yes";
DHCP = "yes"; dhcpV4Config.UseDNS = false;
dhcpV4Config.UseDNS = false; dhcpV6Config.UseDNS = false;
dhcpV6Config.UseDNS = false; ipv6AcceptRAConfig.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false; networkConfig = {
networkConfig = { IPv6PrivacyExtensions = "yes";
IPv6PrivacyExtensions = "yes"; MulticastDNS = true;
MulticastDNS = true; IPv6AcceptRA = true;
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
}; };
linkConfig.RequiredForOnline = "routable";
}; };
networking.nftables.firewall = { networking.nftables.firewall = {


@ -12,15 +12,12 @@ guestName: guestCfg: {
flip flip
mapAttrs' mapAttrs'
nameValuePair nameValuePair
substring
; ;
initialLinkName = "mv-${(substring 0 12 (builtins.hashString "sha256" guestName))}";
in { in {
ephemeral = true; ephemeral = true;
privateNetwork = true; privateNetwork = true;
autoStart = guestCfg.autostart; autoStart = guestCfg.autostart;
macvlans = ["${guestCfg.container.macvlan}:${initialLinkName}"]; macvlans = ["${guestCfg.container.macvlan}:${guestCfg.networking.mainLinkName}"];
extraFlags = [ extraFlags = [
"--uuid=${builtins.substring 0 32 (builtins.hashString "sha256" guestName)}" "--uuid=${builtins.substring 0 32 (builtins.hashString "sha256" guestName)}"
]; ];
@ -63,14 +60,6 @@ in {
device = zfsCfg.guestMountpoint; device = zfsCfg.guestMountpoint;
options = ["bind"]; options = ["bind"];
}); });
# Rename the network interface to our liking
systemd.network.links = {
"01-${guestCfg.networking.mainLinkName}" = {
matchConfig.Name = initialLinkName;
linkConfig.Name = guestCfg.networking.mainLinkName;
};
};
} }
(import ./common-guest-config.nix guestName guestCfg) (import ./common-guest-config.nix guestName guestCfg)
] ]
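Review bot: The rewritten `macvlans` entry now hands `guestCfg.networking.mainLinkName` straight to the container as the guest-side interface name with nothing bounding its length, whereas the removed `initialLinkName` was capped at 15 characters (`mv-` plus a 12-character hash prefix). Linux limits interface names to 15 characters (IFNAMSIZ), and the new default `mv-${submod.config.container.macvlan}` introduced in the options hunk of this commit is three characters longer than the host macvlan name, so a long host interface name is likely to make link creation fail at container start rather than degrade gracefully. A check at the point of use would make that failure explicit and actionable (assuming `lib` is in scope here, as the `inherit` block suggests): `macvlans = let n = guestCfg.networking.mainLinkName; in assert lib.assertMsg (builtins.stringLength n <= 15) "networking.mainLinkName of guest ${guestName} exceeds 15 characters"; ["${guestCfg.container.macvlan}:${n}"];`. The option description added later in this commit also states that for containers the name must not coincide with an existing host interface, but nothing enforces that either; if the host's link names are known to the host module, an assertion there would be worth adding alongside this one.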


@ -31,6 +31,12 @@
lib.genAttrs backends (_: {}) lib.genAttrs backends (_: {})
// mapAttrs (_: listToAttrs) (groupBy (x: x.value.backend) (attrsToList config.guests)); // mapAttrs (_: listToAttrs) (groupBy (x: x.value.backend) (attrsToList config.guests));
# List the necessary mount units for the given guest
fsMountUnitsFor = guestCfg:
map
(x: "${utils.escapeSystemdPath x.hostMountpoint}.mount")
(attrValues guestCfg.zfs);
# Configuration required on the host for a specific guest # Configuration required on the host for a specific guest
defineGuest = _guestName: guestCfg: { defineGuest = _guestName: guestCfg: {
# Add the required datasets to the disko configuration of the machine # Add the required datasets to the disko configuration of the machine
@ -43,7 +49,6 @@
systemd.services = mkMerge (flip map (attrValues guestCfg.zfs) (zfsCfg: let systemd.services = mkMerge (flip map (attrValues guestCfg.zfs) (zfsCfg: let
fsMountUnit = "${utils.escapeSystemdPath zfsCfg.hostMountpoint}.mount"; fsMountUnit = "${utils.escapeSystemdPath zfsCfg.hostMountpoint}.mount";
in { in {
# Ensure that the zfs dataset exists before it is mounted.
"zfs-ensure-${utils.escapeSystemdPath zfsCfg.hostMountpoint}" = { "zfs-ensure-${utils.escapeSystemdPath zfsCfg.hostMountpoint}" = {
wantedBy = [fsMountUnit]; wantedBy = [fsMountUnit];
before = [fsMountUnit]; before = [fsMountUnit];
@ -68,14 +73,9 @@
defineMicrovm = guestName: guestCfg: { defineMicrovm = guestName: guestCfg: {
# Ensure that the zfs dataset exists before it is mounted. # Ensure that the zfs dataset exists before it is mounted.
systemd.services."microvm@${guestName}" = let systemd.services."microvm@${guestName}" = {
fsMountUnits = requires = fsMountUnitsFor guestCfg;
map after = fsMountUnitsFor guestCfg;
(x: "${utils.escapeSystemdPath x.hostMountpoint}.mount")
(attrValues guestCfg.zfs);
in {
requires = fsMountUnits;
after = fsMountUnits;
}; };
microvm.vms.${guestName} = import ./microvm.nix guestName guestCfg attrs; microvm.vms.${guestName} = import ./microvm.nix guestName guestCfg attrs;
@ -83,19 +83,15 @@
defineContainer = guestName: guestCfg: { defineContainer = guestName: guestCfg: {
# Ensure that the zfs dataset exists before it is mounted. # Ensure that the zfs dataset exists before it is mounted.
systemd.services."container@${guestName}" = let systemd.services."container@${guestName}" = {
fsMountUnits = requires = fsMountUnitsFor guestCfg;
map after = fsMountUnitsFor guestCfg;
(x: "${utils.escapeSystemdPath x.hostMountpoint}.mount")
(attrValues guestCfg.zfs);
in {
requires = fsMountUnits;
after = fsMountUnits;
# Don't use the notify service type. Using exec will always consider containers # Don't use the notify service type. Using exec will always consider containers
# started immediately and donesn't wait until the container is fully booted. # started immediately and donesn't wait until the container is fully booted.
# Containers should behave like independent machines, and issues inside the container # Containers should behave like independent machines, and issues inside the container
# will unnecessarily lock up the service on the host otherwise. # will unnecessarily lock up the service on the host otherwise.
# This causes issues on system activation. # This causes issues on system activation or when containers take longer to start
# than TimeoutStartSec.
serviceConfig.Type = lib.mkForce "exec"; serviceConfig.Type = lib.mkForce "exec";
}; };
@ -162,7 +158,7 @@ in {
macvtapInterface = mkOption { macvtapInterface = mkOption {
type = types.str; type = types.str;
description = "The host macvtap interface to which the microvm should be attached"; description = "The host interface to which the microvm should be attached via macvtap";
}; };
}; };
@ -174,12 +170,15 @@ in {
}; };
}; };
networking = { networking.mainLinkName = mkOption {
mainLinkName = mkOption { type = types.str;
type = types.str; description = "The main ethernet link name inside of the guest. For containers, this cannot be named similar to an existing interface on the host.";
default = "wan"; default =
description = "The main ethernet link name inside of the VM"; if submod.config.backend == "microvm"
}; then submod.config.microvm.macvtapInterface
else if submod.config.backend == "container"
then "mv-${submod.config.container.macvlan}"
else throw "Invalid backend";
}; };
zfs = mkOption { zfs = mkOption {