feat[server]: add home proxy

2026-04-15 05:39:11 +02:00 · 2026-01-04 17:45:53 +01:00 · 2026-01-04 17:45:53 +01:00 · c1c7431891
commit c1c7431891
parent 75891c3103
84 changed files with 2961 additions and 1601 deletions
--- a/modules/nixos/optional/microvm-guest.nix
+++ b/modules/nixos/optional/microvm-guest.nix
@ -1,11 +1,10 @@
-{ self, inputs, ... }:
+{ self, lib, config, inputs, microVMParent, nodes, ... }:
 {
  imports = [
    inputs.disko.nixosModules.disko
    inputs.home-manager.nixosModules.home-manager
    inputs.impermanence.nixosModules.impermanence
    inputs.lanzaboote.nixosModules.lanzaboote
-    inputs.microvm.nixosModules.host
    inputs.microvm.nixosModules.microvm
    inputs.nix-index-database.nixosModules.nix-index
    inputs.nix-minecraft.nixosModules.minecraft-servers
@ -23,6 +22,51 @@
  ];

  config = {
-    system.stateVersion = "23.05";
+    _module.args.dns = inputs.dns;
+
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+    systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+    # NOTE: this is needed, we dont import sevrer network module for microvms
+    globals.hosts.${config.node.name}.isHome = true;
+
+    fileSystems."/persist".neededForBoot = lib.mkForce true;
+
+    systemd.network.networks."10-vlan-services" = {
+      dhcpV6Config = {
+        WithoutRA = "solicit";
+        # duid-en is nice in principle, but I already have MAC info anyways for reservations
+        DUIDType = "link-layer";
+      };
+      # networkConfig = {
+      #   IPv6PrivacyExtensions = "no";
+      #   IPv6AcceptRA = false;
+      # };
+      ipv6AcceptRAConfig = {
+        DHCPv6Client = "always";
+      };
+    };
+
+    microvm = {
+      shares = [
+        {
+          tag = "persist";
+          source = "${lib.optionalString nodes.${microVMParent}.config.swarselsystems.isImpermanence "/persist"}/microvms/${config.networking.hostName}";
+          mountPoint = "/persist";
+          proto = "virtiofs";
+        }
+      ];
+      # mount the writeable overlay so that we can use nix shells inside the microvm
+      volumes = [
+        {
+          image = "/tmp/nix-store-overlay-${config.networking.hostName}.img";
+          autoCreate = true;
+          mountPoint = config.microvm.writableStoreOverlay;
+          size = 1024;
+        }
+      ];
+    };
  };
 }
--- a/modules/nixos/optional/microvm-host.nix
+++ b/modules/nixos/optional/microvm-host.nix
@ -1,13 +1,21 @@
 { config, lib, ... }:
 {
-  # imports = [
-  # inputs.microvm.nixosModules.host
-  # ];
-
  config = lib.mkIf (config.guests != { }) {

-    microvm = {
-      hypervisor = lib.mkDefault "qemu";
-    };
+    systemd.tmpfiles.settings."15-microvms" = builtins.listToAttrs (
+      map
+        (path: {
+          name = "${lib.optionalString config.swarselsystems.isImpermanence "/persist"}/microvms/${path}";
+          value = {
+            d = {
+              group = "kvm";
+              user = "microvm";
+              mode = "0750";
+            };
+          };
+        })
+        (builtins.attrNames config.guests)
+    );
+
  };
 }
--- a/modules/nixos/optional/nix-topology-self.nix
+++ b/modules/nixos/optional/nix-topology-self.nix
@ -1,13 +1,25 @@
-{ lib, config, globals, ... }:
+{ lib, config, globals, confLib, ... }:
+let
+  inherit (confLib.static) webProxy;
+in
 {
  topology.self = {
    icon = lib.mkIf config.swarselsystems.isCloud "devices.cloud-server";
-    interfaces.wan = lib.mkIf config.swarselsystems.isCloud { };
-    interfaces.wg = lib.mkIf (config.swarselsystems.server.wireguard.isClient || config.swarselsystems.server.wireguard.isServer) {
-      addresses = [ globals.networks.twothreetunnel-wg.hosts.${config.node.name}.ipv4 ];
-      renderer.hidePhysicalConnections = true;
-      virtual = true;
-      type = "wireguard";
+    interfaces = {
+      wan = lib.mkIf (config.swarselsystems.isCloud && config.swarselsystems.server.localNetwork == "wan") { };
+      lan = lib.mkIf (config.swarselsystems.isCloud && config.swarselsystems.server.localNetwork == "lan") { };
+      wgProxy = lib.mkIf (config.swarselsystems.server.wireguard ? wgHome) {
+        addresses = [ globals.networks."${webProxy}-wg.hosts".${config.node.name}.ipv4 ];
+        renderer.hidePhysicalConnections = true;
+        virtual = true;
+        type = "wireguard";
+      };
+      wgHome = lib.mkIf (config.swarselsystems.server.wireguard ? wgHome) {
+        addresses = [ globals.networks.home-wgHome.hosts.${config.node.name}.ipv4 ];
+        renderer.hidePhysicalConnections = true;
+        virtual = true;
+        type = "wireguard";
+      };
    };
  };
 }
--- a/modules/nixos/optional/systemd-networkd-base.nix
+++ b/modules/nixos/optional/systemd-networkd-base.nix
@ -3,10 +3,10 @@
  networking = {
    useDHCP = lib.mkForce false;
    useNetworkd = true;
-    dhcpcd.enable = false;
-    renameInterfacesByMac = lib.mapAttrs (_: v: if (v ? mac) then v.mac else "") (
+    dhcpcd.enable = lib.mkIf (!config.swarselsystems.isMicroVM) false;
+    renameInterfacesByMac = lib.mkIf (!config.swarselsystems.isMicroVM) (lib.mapAttrs (_: v: if (v ? mac) then v.mac else "") (
      config.repo.secrets.local.networking.networks or { }
-    );
+    ));
  };

  systemd.network.enable = true;