summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2024-10-30 09:13:11 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2024-10-30 09:13:11 +0100
commit8167dec3203cc5e9751b799f751fe56ea2d655b7 (patch)
tree87cb2c8220bbb1edfe8fd2efd29de4ce115125dd
parent5d8436e8c8df1f552e017e924235ee7cc50c5b82 (diff)
downloadnixos-8167dec3203cc5e9751b799f751fe56ea2d655b7.tar
nixos-8167dec3203cc5e9751b799f751fe56ea2d655b7.tar.gz
nixos-8167dec3203cc5e9751b799f751fe56ea2d655b7.tar.bz2
nixos-8167dec3203cc5e9751b799f751fe56ea2d655b7.tar.xz
nixos-8167dec3203cc5e9751b799f751fe56ea2d655b7.zip
...
-rw-r--r--accounts/gkleen@sif/libvirt/default.nix38
-rw-r--r--accounts/gkleen@sif/libvirt/lmmirzm-vmrz01.xml176
-rw-r--r--accounts/gkleen@sif/libvirt/pool-default.xml18
-rw-r--r--accounts/gkleen@sif/libvirt/vol-lmmirzm-vmrz01.xml17
-rw-r--r--hosts/sif/default.nix20
-rw-r--r--hosts/sif/libvirt/default.nix5
-rw-r--r--hosts/sif/ruleset.nft2
7 files changed, 274 insertions, 2 deletions
diff --git a/accounts/gkleen@sif/libvirt/default.nix b/accounts/gkleen@sif/libvirt/default.nix
index a93a2266..54d971c4 100644
--- a/accounts/gkleen@sif/libvirt/default.nix
+++ b/accounts/gkleen@sif/libvirt/default.nix
@@ -1,5 +1,6 @@
1{ flakeInputs, ... }: 1{ flakeInputs, lib, ... }:
2 2
3with lib;
3with flakeInputs.nixVirt.lib; 4with flakeInputs.nixVirt.lib;
4 5
5{ 6{
@@ -7,6 +8,41 @@ with flakeInputs.nixVirt.lib;
7 virtualisation.libvirt = { 8 virtualisation.libvirt = {
8 enable = true; 9 enable = true;
9 connections."qemu:///session" = { 10 connections."qemu:///session" = {
11 domains = [
12 { definition = domain.writeXML (recursiveUpdate (domain.templates.windows {
13 name = "lmmirzm-vmrz01";
14 uuid = "9e1dab2e-7986-4cb3-88af-6fad8969e15f";
15 memory = { count = 16; unit = "GiB"; };
16 storage_vol = "/home/gkleen/.local/share/libvirt/images/lmmirzm-vmrz01.qcow2";
17 nvram_path = "/home/gkleen/.local/share/libvirt/lmmirzm-vmrz01.nvram";
18 virtio_net = true;
19 virtio_drive = true;
20 virtio_video = false;
21 install_virtio = true;
22 }) {
23 vcpu.count = 4;
24 os.bootmenu.enable = true;
25 devices.graphics = {
26 listen.type = "address";
27 # gl.enable = true;
28 };
29 devices.interface = {
30 type = "bridge";
31 mac.address = "52:54:00:b9:f3:ed";
32 source.bridge = "gre-0971";
33 };
34 });
35 }
36 ];
37 pools = [
38 { definition = ./pool-default.xml;
39 active = true;
40 volumes = [
41 { definition = ./vol-lmmirzm-vmrz01.xml;
42 }
43 ];
44 }
45 ];
10 }; 46 };
11 }; 47 };
12 }; 48 };
diff --git a/accounts/gkleen@sif/libvirt/lmmirzm-vmrz01.xml b/accounts/gkleen@sif/libvirt/lmmirzm-vmrz01.xml
new file mode 100644
index 00000000..fc7cec2c
--- /dev/null
+++ b/accounts/gkleen@sif/libvirt/lmmirzm-vmrz01.xml
@@ -0,0 +1,176 @@
1<domain type='kvm'>
2 <name>lmmirzm-vmrz01</name>
3 <uuid>9e1dab2e-7986-4cb3-88af-6fad8969e15f</uuid>
4 <metadata>
5 <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
6 <libosinfo:os id="http://microsoft.com/win/10"/>
7 </libosinfo:libosinfo>
8 </metadata>
9 <memory unit='KiB'>16777216</memory>
10 <currentMemory unit='KiB'>16777216</currentMemory>
11 <vcpu placement='static'>8</vcpu>
12 <os>
13 <type arch='x86_64' machine='pc-q35-9.1'>hvm</type>
14 <boot dev='hd'/>
15 <bootmenu enable='yes' timeout='3000'/>
16 </os>
17 <features>
18 <acpi/>
19 <apic/>
20 <hyperv mode='custom'>
21 <relaxed state='on'/>
22 <vapic state='on'/>
23 <spinlocks state='on' retries='8191'/>
24 </hyperv>
25 <vmport state='off'/>
26 </features>
27 <cpu mode='host-passthrough' check='none' migratable='on'/>
28 <clock offset='localtime'>
29 <timer name='rtc' tickpolicy='catchup'/>
30 <timer name='pit' tickpolicy='delay'/>
31 <timer name='hpet' present='no'/>
32 <timer name='hypervclock' present='yes'/>
33 </clock>
34 <on_poweroff>destroy</on_poweroff>
35 <on_reboot>restart</on_reboot>
36 <on_crash>destroy</on_crash>
37 <pm>
38 <suspend-to-mem enabled='no'/>
39 <suspend-to-disk enabled='no'/>
40 </pm>
41 <devices>
42 <emulator>/run/current-system/sw/bin/qemu-system-x86_64</emulator>
43 <disk type='file' device='disk'>
44 <driver name='qemu' type='qcow2'/>
45 <source file='/home/gkleen/.local/share/libvirt/images/lmmirzm-vmrz01.qcow2'/>
46 <target dev='vda' bus='virtio'/>
47 <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
48 </disk>
49 <controller type='usb' index='0' model='qemu-xhci' ports='15'>
50 <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
51 </controller>
52 <controller type='pci' index='0' model='pcie-root'/>
53 <controller type='pci' index='1' model='pcie-root-port'>
54 <model name='pcie-root-port'/>
55 <target chassis='1' port='0x10'/>
56 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
57 </controller>
58 <controller type='pci' index='2' model='pcie-root-port'>
59 <model name='pcie-root-port'/>
60 <target chassis='2' port='0x11'/>
61 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
62 </controller>
63 <controller type='pci' index='3' model='pcie-root-port'>
64 <model name='pcie-root-port'/>
65 <target chassis='3' port='0x12'/>
66 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
67 </controller>
68 <controller type='pci' index='4' model='pcie-root-port'>
69 <model name='pcie-root-port'/>
70 <target chassis='4' port='0x13'/>
71 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
72 </controller>
73 <controller type='pci' index='5' model='pcie-root-port'>
74 <model name='pcie-root-port'/>
75 <target chassis='5' port='0x14'/>
76 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
77 </controller>
78 <controller type='pci' index='6' model='pcie-root-port'>
79 <model name='pcie-root-port'/>
80 <target chassis='6' port='0x15'/>
81 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
82 </controller>
83 <controller type='pci' index='7' model='pcie-root-port'>
84 <model name='pcie-root-port'/>
85 <target chassis='7' port='0x16'/>
86 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
87 </controller>
88 <controller type='pci' index='8' model='pcie-root-port'>
89 <model name='pcie-root-port'/>
90 <target chassis='8' port='0x17'/>
91 <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
92 </controller>
93 <controller type='pci' index='9' model='pcie-root-port'>
94 <model name='pcie-root-port'/>
95 <target chassis='9' port='0x18'/>
96 <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
97 </controller>
98 <controller type='pci' index='10' model='pcie-root-port'>
99 <model name='pcie-root-port'/>
100 <target chassis='10' port='0x19'/>
101 <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
102 </controller>
103 <controller type='pci' index='11' model='pcie-root-port'>
104 <model name='pcie-root-port'/>
105 <target chassis='11' port='0x1a'/>
106 <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
107 </controller>
108 <controller type='pci' index='12' model='pcie-root-port'>
109 <model name='pcie-root-port'/>
110 <target chassis='12' port='0x1b'/>
111 <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
112 </controller>
113 <controller type='pci' index='13' model='pcie-root-port'>
114 <model name='pcie-root-port'/>
115 <target chassis='13' port='0x1c'/>
116 <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
117 </controller>
118 <controller type='pci' index='14' model='pcie-root-port'>
119 <model name='pcie-root-port'/>
120 <target chassis='14' port='0x1d'/>
121 <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
122 </controller>
123 <controller type='sata' index='0'>
124 <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
125 </controller>
126 <controller type='virtio-serial' index='0'>
127 <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
128 </controller>
129 <interface type='bridge'>
130 <mac address='52:54:00:b9:f3:ed'/>
131 <source bridge='gre-0971'/>
132 <model type='virtio'/>
133 <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
134 </interface>
135 <serial type='pty'>
136 <target type='isa-serial' port='0'>
137 <model name='isa-serial'/>
138 </target>
139 </serial>
140 <console type='pty'>
141 <target type='serial' port='0'/>
142 </console>
143 <channel type='spicevmc'>
144 <target type='virtio' name='com.redhat.spice.0'/>
145 <address type='virtio-serial' controller='0' bus='0' port='1'/>
146 </channel>
147 <input type='tablet' bus='usb'>
148 <address type='usb' bus='0' port='1'/>
149 </input>
150 <input type='mouse' bus='ps2'/>
151 <input type='keyboard' bus='ps2'/>
152 <graphics type='spice' autoport='yes'>
153 <listen type='address'/>
154 <image compression='off'/>
155 </graphics>
156 <sound model='ich9'>
157 <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
158 </sound>
159 <audio id='1' type='spice'/>
160 <video>
161 <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
162 <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
163 </video>
164 <redirdev bus='usb' type='spicevmc'>
165 <address type='usb' bus='0' port='2'/>
166 </redirdev>
167 <redirdev bus='usb' type='spicevmc'>
168 <address type='usb' bus='0' port='3'/>
169 </redirdev>
170 <watchdog model='itco' action='reset'/>
171 <memballoon model='virtio'>
172 <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
173 </memballoon>
174 </devices>
175</domain>
176
diff --git a/accounts/gkleen@sif/libvirt/pool-default.xml b/accounts/gkleen@sif/libvirt/pool-default.xml
new file mode 100644
index 00000000..7303830b
--- /dev/null
+++ b/accounts/gkleen@sif/libvirt/pool-default.xml
@@ -0,0 +1,18 @@
1<pool type='dir'>
2 <name>default</name>
3 <uuid>ad899c92-02e3-45f9-bf49-195467aba2e2</uuid>
4 <capacity unit='bytes'>1492738072064</capacity>
5 <allocation unit='bytes'>215387853312</allocation>
6 <available unit='bytes'>1277350218752</available>
7 <source>
8 </source>
9 <target>
10 <path>/home/gkleen/.local/share/libvirt/images</path>
11 <permissions>
12 <mode>0711</mode>
13 <owner>1000</owner>
14 <group>100</group>
15 </permissions>
16 </target>
17</pool>
18
diff --git a/accounts/gkleen@sif/libvirt/vol-lmmirzm-vmrz01.xml b/accounts/gkleen@sif/libvirt/vol-lmmirzm-vmrz01.xml
new file mode 100644
index 00000000..e160ae4d
--- /dev/null
+++ b/accounts/gkleen@sif/libvirt/vol-lmmirzm-vmrz01.xml
@@ -0,0 +1,17 @@
1<volume type='file'>
2 <name>lmmirzm-vmrz01.qcow2</name>
3 <capacity unit='G'>40</capacity>
4 <target>
5 <path>/home/gkleen/.local/share/libvirt/images/lmmirzm-vmrz01.qcow2</path>
6 <format type='qcow2'/>
7 <permissions>
8 <mode>0600</mode>
9 <owner>1000</owner>
10 <group>100</group>
11 </permissions>
12 <features>
13 <lazy_refcounts/>
14 </features>
15 </target>
16</volume>
17
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index e71ee4ec..a2eca749 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -182,6 +182,7 @@ in {
182 netdevConfig = { 182 netdevConfig = {
183 Name = "wgrz"; 183 Name = "wgrz";
184 Kind = "wireguard"; 184 Kind = "wireguard";
185 MTUBytes = "1538";
185 }; 186 };
186 wireguardConfig = { 187 wireguardConfig = {
187 PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv"; 188 PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
@@ -203,6 +204,24 @@ in {
203 MACAddress = "52:54:00:18:85:5b"; 204 MACAddress = "52:54:00:18:85:5b";
204 }; 205 };
205 }; 206 };
207 gre-0971 = {
208 netdevConfig = {
209 Name = "gre-0971";
210 Kind = "bridge";
211 MTUBytes = "1500";
212 };
213 };
214 gre-0971-1 = {
215 netdevConfig = {
216 Name = "gre-0971-1";
217 Kind = "gretap";
218 MTUBytes = "1500";
219 };
220 tunnelConfig = {
221 Local = "10.116.200.128";
222 Remote = "10.116.200.1";
223 };
224 };
206 }; 225 };
207 networks = { 226 networks = {
208 wgrz = { 227 wgrz = {
@@ -246,6 +265,7 @@ in {
246 LLMNR = false; 265 LLMNR = false;
247 MulticastDNS = false; 266 MulticastDNS = false;
248 DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"]; 267 DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
268 Tunnel = "gre-0971-1";
249 }; 269 };
250 }; 270 };
251 virbr0 = { 271 virbr0 = {
diff --git a/hosts/sif/libvirt/default.nix b/hosts/sif/libvirt/default.nix
index b5d95996..b42fa8fc 100644
--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -4,7 +4,10 @@ with flakeInputs.nixVirt.lib;
4 4
5{ 5{
6 config = { 6 config = {
7 virtualisation.libvirtd.qemu.swtpm.enable = true; 7 virtualisation.libvirtd = {
8 qemu.swtpm.enable = true;
9 allowedBridges = ["virbr0" "gre-0971"];
10 };
8 virtualisation.libvirt = { 11 virtualisation.libvirt = {
9 enable = true; 12 enable = true;
10 swtpm.enable = true; 13 swtpm.enable = true;
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 33c17253..2af8b2ee 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -145,6 +145,8 @@ table inet filter {
145 iifname virbr0 udp dport 53 counter name libvirt-dns accept 145 iifname virbr0 udp dport 53 counter name libvirt-dns accept
146 iifname virbr0 tcp dport 53 counter name libvirt-dns accept 146 iifname virbr0 tcp dport 53 counter name libvirt-dns accept
147 147
148 iifname wgrz ip saddr 10.200.116.1 meta l4proto gre counter accept
149
148 ct state {established, related} counter name established-rx accept 150 ct state {established, related} counter name established-rx accept
149 151
150 152