From 09ff20b5fa10cead4641cc5e1b25a7f68d8973d7 Mon Sep 17 00:00:00 2001
From: Nick
Date: Sat, 8 Nov 2025 01:36:52 -0600
Subject: [PATCH] test: vaultwarden microVM
---
 systems/ceres/config/networking.nix | 74 +++++++++++---------
 systems/ceres/microvms/vaultwarden.nix | 44 ++++++++-------
 2 files changed, 56 insertions(+), 62 deletions(-)
diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix
index bbbb356..53742a5 100755
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@@ -12,40 +12,38 @@ in
   # Enable microVM host
   microvm.host.enable = true;
-  # # systemd-networkd for bridge management
-  # # NOTE: Not needed for macvtap - only enable if using TAP interfaces
-  # # TAP requires a bridge on the host, macvtap connects directly to physical interface
-  # systemd.network.enable = true;
+  # systemd-networkd for bridge management (required for TAP interfaces)
+  systemd.network.enable = true;
-  # # Bridge configuration for microVMs (only needed for TAP interfaces)
-  # systemd.network.netdevs."10-br-vms" = {
-  # netdevConfig = {
-  # Name = "br-vms";
-  # Kind = "bridge";
-  # };
-  # };
+  # Bridge configuration for microVMs
+  systemd.network.netdevs."10-br-vms" = {
+    netdevConfig = {
+      Name = "br-vms";
+      Kind = "bridge";
+    };
+  };
-  # # Attach physical interface and tap interfaces to bridge
-  # systemd.network.networks."20-lan" = {
-  # matchConfig.Name = [
-  # "enp10s0"
-  # "vm-*"
-  # ];
-  # networkConfig = {
-  # Bridge = "br-vms";
-  # };
-  # };
+  # Attach physical interface and tap interfaces to bridge
+  systemd.network.networks."20-lan" = {
+    matchConfig.Name = [
+      "enp10s0"
+      "vm-*"
+    ];
+    networkConfig = {
+      Bridge = "br-vms";
+    };
+  };
-  # # Bridge gets the host IP
-  # systemd.network.networks."30-br-vms" = {
-  # matchConfig.Name = "br-vms";
-  # networkConfig = {
-  # Address = "192.168.50.240/24";
-  # Gateway = "192.168.50.1";
-  # DNS = [ "192.168.50.1" ];
-  # };
-  # linkConfig.RequiredForOnline = "routable";
-  # };
+  # Bridge gets the host IP
+  systemd.network.networks."30-br-vms" = {
+    matchConfig.Name = "br-vms";
+    networkConfig = {
+      Address = "192.168.50.240/24";
+      Gateway = "192.168.50.1";
+      DNS = [ "192.168.50.1" ];
+    };
+    linkConfig.RequiredForOnline = "routable";
+  };
   networking = {
     hostName = ceres.name;
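Review bot: The `20-lan` unit's `matchConfig.Name = [ "enp10s0" "vm-*" ]` puts every microVM TAP interface on the same bridge as the physical uplink, so guests share the host's LAN broadcast domain with no L2 separation from the host or from each other. The host firewall enabled in the next hunk (`nftables.enable = true`, `firewall.enable = true`) only filters traffic addressed to the host itself; frames switched across br-vms between a guest and the LAN are not covered by those rules unless bridge-family nftables rules are added. If that exposure is intended, say so on the unit, e.g. `# NOTE: vm-* taps are bridged straight onto the LAN; guest traffic bypasses the host's IP firewall`; otherwise a separate guest bridge with the host routing/NATing for it keeps the host as the only LAN-facing endpoint.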
@@ -53,19 +51,7 @@ in
     networkmanager.enable = false;
     nftables.enable = true;
     useDHCP = false;
-
-    # Declarative interface configuration for the host
-    interfaces.enp10s0 = {
-      useDHCP = false;
-      ipv4.addresses = [
-        {
-          address = "192.168.50.240";
-          prefixLength = 24;
-        }
-      ];
-    };
-    defaultGateway = "192.168.50.1";
-    nameservers = [ "192.168.50.1" ];
+    # Network configuration handled by systemd-networkd bridge
     firewall = {
       enable = true;
diff --git a/systems/ceres/microvms/vaultwarden.nix b/systems/ceres/microvms/vaultwarden.nix
index 253b452..9557c00 100755
--- a/systems/ceres/microvms/vaultwarden.nix
+++ b/systems/ceres/microvms/vaultwarden.nix
@@ -77,16 +77,18 @@ in
   systemd.network = {
     enable = true;
     networks."20-lan" = {
-      matchConfig.Type = "ether";
-      networkConfig = {
-        Address = [ "${vaultwardenCfg.interface.ip}/24" ];
-        Gateway = vaultwardenCfg.interface.gate;
-        DNS = [
-          "1.1.1.1"
-          "8.8.8.8"
-        ];
-        DHCP = "no";
-      };
+      matchConfig.Name = "enp0s5";
+      addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ];
+      routes = [
+        {
+          Destination = "0.0.0.0/0";
+          Gateway = vaultwardenCfg.interface.gate;
+        }
+      ];
+      dns = [
+        "1.1.1.1"
+        "8.8.8.8"
+      ];
     };
   };
@@ -98,18 +100,24 @@ in
     mem = 1024;
     hypervisor = "qemu";
-    # Use q35 machine type for proper PCI support instead of microvm
-    qemu.machine = "q35";
-
     interfaces = [
       {
-        type = "macvtap";
+        type = "tap";
         id = vaultwardenCfg.interface.id;
         mac = vaultwardenCfg.interface.mac;
-        macvtap = {
-          link = "enp10s0";
-          mode = "bridge";
-        };
+      }
+      {
+        type = "user";
+        id = vaultwardenCfg.interface.idUser;
+        mac = vaultwardenCfg.interface.macUser;
+      }
+    ];
+
+    forwardPorts = [
+      {
+        from = "host";
+        host.port = vaultwardenCfg.interface.ssh;
+        guest.port = 22;
       }
     ];
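Review bot: The replacement comment `# Network configuration handled by systemd-networkd bridge` does not tell a reader where to look, and the removed `interfaces.enp10s0` block was the only place in this section where the host address was visible. Naming the unit makes the hand-off explicit: `# Host address, gateway and DNS are set on br-vms in systemd.network.networks."30-br-vms" above; enp10s0 is only a bridge port`. The `networking` attrset this sits in opens in the previous hunk and its `firewall` block continues past the end of this one.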
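Review bot: `matchConfig.Name = "enp0s5"` hard-codes a PCI-enumerated name at the same time the next hunk adds a second NIC, so if QEMU enumerates the user-mode NIC first the static LAN address and default route land on the wrong interface. The MAC is already declared for this interface, so matching on it is robust: `matchConfig.MACAddress = vaultwardenCfg.interface.mac;`. Dropping `matchConfig.Type = "ether"` also leaves the new user-mode NIC with no network unit at all; QEMU's user backend assigns addresses over DHCP, so a second unit such as `networks."30-user" = { matchConfig.MACAddress = vaultwardenCfg.interface.macUser; networkConfig.DHCP = "ipv4"; };` is presumably needed before the host port forward in the next hunk can reach the guest — verify on a boot. The `dns` list also sends the guest's resolver traffic to public servers instead of the LAN resolver the host uses in networking.nix; fine if intended, but worth a one-line comment.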
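Review bot: The `forwardPorts` entry publishes guest port 22 on `host.port` without a `host.address`, and QEMU's hostfwd binds to all host addresses when none is given, so guest SSH becomes reachable from the whole LAN on that port rather than only from the host. If host-only access is the intent, add `host.address = "127.0.0.1";` to the entry (the option mirrors NixOS `virtualisation.forwardPorts`; confirm microvm.nix accepts it). The guest is also directly on the LAN through the new `tap` interface, so port 22 is reachable there as well unless the guest's own firewall closes it, which nothing in this hunk shows. The enclosing microvm attrset (`mem`, `hypervisor`) begins before the hunk, and the context lines `}` / `];` that now close `forwardPorts` are the old closers of `interfaces`.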