common/incus: make bridge trusted, add user as admin

2024-05-26 18:36:35 +02:00 · 2024-05-26 18:36:35 +02:00 · ab99281d76
commit ab99281d76
parent 32d458c26e
3 changed files with 35 additions and 28 deletions
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@ -30,7 +30,6 @@
        hostName = "legion";
        hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
        networkmanager.enable = true;
-        nftables.enable = true;
      };
      systemd.services.NetworkManager-wait-online.enable = false;

--- a/hosts/ude/default.nix
+++ b/hosts/ude/default.nix
@ -19,7 +19,6 @@
        loader.systemd-boot.configurationLimit = 1;
        loader.efi.canTouchEfiVariables = true;
      };
-      networking.nftables.enable = true;

      common.hercules.enable = true;
      services.hercules-ci-agent.settings.concurrentTasks = 6;
--- a/modules/system/common/incus.nix
+++ b/modules/system/common/incus.nix
@ -3,6 +3,7 @@
  lib,
  config,
  pkgs,
+  username,
  ...
 }:
 let
@ -14,33 +15,41 @@ let
    environment.systemPackages = [ cfg.clientPackage ];
  };

-  linuxConfig = lib.optionalAttrs isLinux {
-    virtualisation.incus = lib.mkIf (!cfg.clientOnly) {
-      enable = true;
-      inherit (cfg) package clientPackage;
-      preseed = {
-        networks = [
-          {
-            name = "incusbr0";
-            type = "bridge";
-            config = {
-              "ipv4.address" = "10.0.100.1/24";
-              "ipv4.nat" = "true";
-            };
-          }
-        ];
-        storage_pools = [
-          {
-            name = "default";
-            driver = "dir";
-            config = {
-              source = "/var/lib/incus/storage-pools/default";
-            };
-          }
-        ];
+  linuxConfig = lib.optionalAttrs isLinux (
+    lib.mkIf (!cfg.clientOnly) {
+      virtualisation.incus = {
+        enable = true;
+        inherit (cfg) package clientPackage;
+        preseed = {
+          # TODO: Default profile with storage pool
+          networks = [
+            {
+              name = "incusbr0";
+              type = "bridge";
+              config = {
+                "ipv4.address" = "10.0.100.1/24";
+                "ipv4.nat" = "true";
+              };
+            }
+          ];
+          storage_pools = [
+            {
+              name = "default";
+              driver = "dir";
+              config = {
+                source = "/var/lib/incus/storage-pools/default";
+              };
+            }
+          ];
+        };
      };
-    };
-  };
+      networking = {
+        nftables.enable = true;
+        firewall.trustedInterfaces = [ "incusbr0" ];
+      };
+      users.users.${username}.extraGroups = [ "incus-admin" ];
+    }
+  );

  darwinConfig = lib.optionalAttrs (!isLinux) {
    assertions = [