common/incus: make bridge trusted, add user as admin

2024-05-26 18:36:35 +02:00 · 2024-05-26 18:36:35 +02:00 · ab99281d76
commit ab99281d76
parent 32d458c26e
3 changed files with 35 additions and 28 deletions
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@ -30,7 +30,6 @@
        hostName = "legion";
        hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
        networkmanager.enable = true;
        nftables.enable = true;
      };
      systemd.services.NetworkManager-wait-online.enable = false;
--- a/hosts/ude/default.nix
+++ b/hosts/ude/default.nix
@ -19,7 +19,6 @@
        loader.systemd-boot.configurationLimit = 1;
        loader.efi.canTouchEfiVariables = true;
      };
      networking.nftables.enable = true;
      common.hercules.enable = true;
      services.hercules-ci-agent.settings.concurrentTasks = 6;
--- a/modules/system/common/incus.nix
+++ b/modules/system/common/incus.nix
@ -3,6 +3,7 @@
  lib,
  config,
  pkgs,
  username,
  ...
 }:
 let
@ -14,33 +15,41 @@ let
    environment.systemPackages = [ cfg.clientPackage ];
  };
-  linuxConfig = lib.optionalAttrs isLinux {
+  linuxConfig = lib.optionalAttrs isLinux (
-    virtualisation.incus = lib.mkIf (!cfg.clientOnly) {
+    lib.mkIf (!cfg.clientOnly) {
-      enable = true;
+      virtualisation.incus = {
-      inherit (cfg) package clientPackage;
+        enable = true;
-      preseed = {
+        inherit (cfg) package clientPackage;
-        networks = [
+        preseed = {
-          {
+          # TODO: Default profile with storage pool
-            name = "incusbr0";
+          networks = [
-            type = "bridge";
+            {
-            config = {
+              name = "incusbr0";
-              "ipv4.address" = "10.0.100.1/24";
+              type = "bridge";
-              "ipv4.nat" = "true";
+              config = {
-            };
+                "ipv4.address" = "10.0.100.1/24";
-          }
+                "ipv4.nat" = "true";
-        ];
+              };
-        storage_pools = [
+            }
-          {
+          ];
-            name = "default";
+          storage_pools = [
-            driver = "dir";
+            {
-            config = {
+              name = "default";
-              source = "/var/lib/incus/storage-pools/default";
+              driver = "dir";
-            };
+              config = {
-          }
+                source = "/var/lib/incus/storage-pools/default";
-        ];
+              };
            }
          ];
        };
      };
-    };
+      networking = {
-  };
+        nftables.enable = true;
        firewall.trustedInterfaces = [ "incusbr0" ];
      };
      users.users.${username}.extraGroups = [ "incus-admin" ];
    }
  );
  darwinConfig = lib.optionalAttrs (!isLinux) {
    assertions = [