author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-10-30 09:13:11 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-10-30 09:13:11 +0100 |
commit | 8167dec3203cc5e9751b799f751fe56ea2d655b7 (patch) | |
tree | 87cb2c8220bbb1edfe8fd2efd29de4ce115125dd | |
parent | 5d8436e8c8df1f552e017e924235ee7cc50c5b82 (diff) | |
-rw-r--r-- | accounts/gkleen@sif/libvirt/default.nix | 38 | ||||
-rw-r--r-- | accounts/gkleen@sif/libvirt/lmmirzm-vmrz01.xml | 176 | ||||
-rw-r--r-- | accounts/gkleen@sif/libvirt/pool-default.xml | 18 | ||||
-rw-r--r-- | accounts/gkleen@sif/libvirt/vol-lmmirzm-vmrz01.xml | 17 | ||||
-rw-r--r-- | hosts/sif/default.nix | 20 | ||||
-rw-r--r-- | hosts/sif/libvirt/default.nix | 5 | ||||
-rw-r--r-- | hosts/sif/ruleset.nft | 2 |
7 files changed, 274 insertions, 2 deletions
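--- a/accounts/gkleen@sif/libvirt/default.nix
+++ b/accounts/gkleen@sif/libvirt/default.nix
@@ -1,5 +1,6 @@
-{ flakeInputs, ... }:
+{ flakeInputs, lib, ... }:
 
+with lib;
 with flakeInputs.nixVirt.lib;
 
 {
@@ -7,6 +8,41 @@ with flakeInputs.nixVirt.lib;
 virtualisation.libvirt = {
 enable = true;
 connections."qemu:///session" = {
+domains = [
+{ definition = domain.writeXML (recursiveUpdate (domain.templates.windows {
+name = "lmmirzm-vmrz01";
+uuid = "9e1dab2e-7986-4cb3-88af-6fad8969e15f";
+memory = { count = 16; unit = "GiB"; };
+storage_vol = "/home/gkleen/.local/share/libvirt/images/lmmirzm-vmrz01.qcow2";
+nvram_path = "/home/gkleen/.local/share/libvirt/lmmirzm-vmrz01.nvram";
+virtio_net = true;
+virtio_drive = true;
+virtio_video = false;
+install_virtio = true;
+}) {
+vcpu.count = 4;
+os.bootmenu.enable = true;
+devices.graphics = {
+listen.type = "address";
+# gl.enable = true;
+};
+devices.interface = {
+type = "bridge";
+mac.address = "52:54:00:b9:f3:ed";
+source.bridge = "gre-0971";
+};
+});
+}
+];
+pools = [
+{ definition = ./pool-default.xml;
+active = true;
+volumes = [
+{ definition = ./vol-lmmirzm-vmrz01.xml;
+}
+];
+}
+];
 };
 };
 };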
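Review bot: `devices.graphics` sets `listen.type = "address"` with neither an address nor a password, so the SPICE server's bind address is left to libvirt's qemu.conf default and the display is unauthenticated on whatever interface that resolves to (the lmmirzm-vmrz01.xml added in this commit shows the same bare `<listen type='address'/>` with no `passwd`). Pin it explicitly, e.g. `listen.address = "127.0.0.1";` if the NixVirt template exposes that attribute, or set a display password in the generated XML. The commented-out `# gl.enable = true;` would also benefit from a word on why it is disabled, e.g. `# gl.enable = true;  # off: <reason>`.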
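--- /dev/null
+++ b/accounts/gkleen@sif/libvirt/lmmirzm-vmrz01.xml
@@ -0,0 +1,176 @@
+<domain type='kvm'>
+<name>lmmirzm-vmrz01</name>
+<uuid>9e1dab2e-7986-4cb3-88af-6fad8969e15f</uuid>
+<metadata>
+<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+<libosinfo:os id="http://microsoft.com/win/10"/>
+</libosinfo:libosinfo>
+</metadata>
+<memory unit='KiB'>16777216</memory>
+<currentMemory unit='KiB'>16777216</currentMemory>
+<vcpu placement='static'>8</vcpu>
+<os>
+<type arch='x86_64' machine='pc-q35-9.1'>hvm</type>
+<boot dev='hd'/>
+<bootmenu enable='yes' timeout='3000'/>
+</os>
+<features>
+<acpi/>
+<apic/>
+<hyperv mode='custom'>
+<relaxed state='on'/>
+<vapic state='on'/>
+<spinlocks state='on' retries='8191'/>
+</hyperv>
+<vmport state='off'/>
+</features>
+<cpu mode='host-passthrough' check='none' migratable='on'/>
+<clock offset='localtime'>
+<timer name='rtc' tickpolicy='catchup'/>
+<timer name='pit' tickpolicy='delay'/>
+<timer name='hpet' present='no'/>
+<timer name='hypervclock' present='yes'/>
+</clock>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<pm>
+<suspend-to-mem enabled='no'/>
+<suspend-to-disk enabled='no'/>
+</pm>
+<devices>
+<emulator>/run/current-system/sw/bin/qemu-system-x86_64</emulator>
+<disk type='file' device='disk'>
+<driver name='qemu' type='qcow2'/>
+<source file='/home/gkleen/.local/share/libvirt/images/lmmirzm-vmrz01.qcow2'/>
+<target dev='vda' bus='virtio'/>
+<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+</disk>
+<controller type='usb' index='0' model='qemu-xhci' ports='15'>
+<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+</controller>
+<controller type='pci' index='0' model='pcie-root'/>
+<controller type='pci' index='1' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='1' port='0x10'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+</controller>
+<controller type='pci' index='2' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='2' port='0x11'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+</controller>
+<controller type='pci' index='3' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='3' port='0x12'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+</controller>
+<controller type='pci' index='4' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='4' port='0x13'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+</controller>
+<controller type='pci' index='5' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='5' port='0x14'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+</controller>
+<controller type='pci' index='6' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='6' port='0x15'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+</controller>
+<controller type='pci' index='7' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='7' port='0x16'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+</controller>
+<controller type='pci' index='8' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='8' port='0x17'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+</controller>
+<controller type='pci' index='9' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='9' port='0x18'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+</controller>
+<controller type='pci' index='10' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='10' port='0x19'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+</controller>
+<controller type='pci' index='11' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='11' port='0x1a'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+</controller>
+<controller type='pci' index='12' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='12' port='0x1b'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
+</controller>
+<controller type='pci' index='13' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='13' port='0x1c'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
+</controller>
+<controller type='pci' index='14' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='14' port='0x1d'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
+</controller>
+<controller type='sata' index='0'>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+</controller>
+<controller type='virtio-serial' index='0'>
+<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+</controller>
+<interface type='bridge'>
+<mac address='52:54:00:b9:f3:ed'/>
+<source bridge='gre-0971'/>
+<model type='virtio'/>
+<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+</interface>
+<serial type='pty'>
+<target type='isa-serial' port='0'>
+<model name='isa-serial'/>
+</target>
+</serial>
+<console type='pty'>
+<target type='serial' port='0'/>
+</console>
+<channel type='spicevmc'>
+<target type='virtio' name='com.redhat.spice.0'/>
+<address type='virtio-serial' controller='0' bus='0' port='1'/>
+</channel>
+<input type='tablet' bus='usb'>
+<address type='usb' bus='0' port='1'/>
+</input>
+<input type='mouse' bus='ps2'/>
+<input type='keyboard' bus='ps2'/>
+<graphics type='spice' autoport='yes'>
+<listen type='address'/>
+<image compression='off'/>
+</graphics>
+<sound model='ich9'>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
+</sound>
+<audio id='1' type='spice'/>
+<video>
+<model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+</video>
+<redirdev bus='usb' type='spicevmc'>
+<address type='usb' bus='0' port='2'/>
+</redirdev>
+<redirdev bus='usb' type='spicevmc'>
+<address type='usb' bus='0' port='3'/>
+</redirdev>
+<watchdog model='itco' action='reset'/>
+<memballoon model='virtio'>
+<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+</memballoon>
+</devices>
+</domain>
+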
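Review bot: This file is not referenced from accounts/gkleen@sif/libvirt/default.nix in this commit (the domain there is produced by `domain.writeXML`), and it already disagrees with that definition: `<vcpu placement='static'>8</vcpu>` here against `vcpu.count = 4` in the Nix expression. A second, drifting source of truth for the same domain invites confusion about what is actually defined; either drop the file or mark its role at the top, e.g. `<!-- reference dump only; the live definition is generated from default.nix -->`. If it is kept, the `<graphics type='spice' autoport='yes'>` block with a bare `<listen type='address'/>` carries no `passwd` attribute, which is worth stating in the same comment so nobody defines it as-is by accident.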
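--- /dev/null
+++ b/accounts/gkleen@sif/libvirt/pool-default.xml
@@ -0,0 +1,18 @@
+<pool type='dir'>
+<name>default</name>
+<uuid>ad899c92-02e3-45f9-bf49-195467aba2e2</uuid>
+<capacity unit='bytes'>1492738072064</capacity>
+<allocation unit='bytes'>215387853312</allocation>
+<available unit='bytes'>1277350218752</available>
+<source>
+</source>
+<target>
+<path>/home/gkleen/.local/share/libvirt/images</path>
+<permissions>
+<mode>0711</mode>
+<owner>1000</owner>
+<group>100</group>
+</permissions>
+</target>
+</pool>
+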
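Review bot: The `<capacity>`, `<allocation>` and `<available>` lines are values libvirt reports about a pool rather than configuration it consumes (this reads like `virsh pool-dumpxml` output), so they are stale the moment the directory changes and only add noise to future diffs; I would drop the three lines and the empty `<source></source>` pair, leaving `<name>`, `<uuid>` and the `<target>` block. The `<permissions>` block with `<mode>0711</mode>` is the part that matters for a home-directory pool and is fine as written.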
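--- /dev/null
+++ b/accounts/gkleen@sif/libvirt/vol-lmmirzm-vmrz01.xml
@@ -0,0 +1,17 @@
+<volume type='file'>
+<name>lmmirzm-vmrz01.qcow2</name>
+<capacity unit='G'>40</capacity>
+<target>
+<path>/home/gkleen/.local/share/libvirt/images/lmmirzm-vmrz01.qcow2</path>
+<format type='qcow2'/>
+<permissions>
+<mode>0600</mode>
+<owner>1000</owner>
+<group>100</group>
+</permissions>
+<features>
+<lazy_refcounts/>
+</features>
+</target>
+</volume>
+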
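Review bot: `<capacity unit='G'>40</capacity>` uses libvirt's decimal suffix (40·10^9 bytes), while the domain XML in this commit sizes memory in `KiB` and the Nix definition says `unit = "GiB"`; if a 40 GiB image is intended this should read `<capacity unit='GiB'>40</capacity>`, otherwise a comment noting that the decimal size is deliberate would stop someone "fixing" it later. The explicit `<path>` duplicates what the pool target directory plus `<name>` already determine and can drift from them if either is renamed.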
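--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -182,6 +182,7 @@ in {
 netdevConfig = {
 Name = "wgrz";
 Kind = "wireguard";
+MTUBytes = "1538";
 };
 wireguardConfig = {
 PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
@@ -203,6 +204,24 @@ in {
 MACAddress = "52:54:00:18:85:5b";
 };
 };
+gre-0971 = {
+netdevConfig = {
+Name = "gre-0971";
+Kind = "bridge";
+MTUBytes = "1500";
+};
+};
+gre-0971-1 = {
+netdevConfig = {
+Name = "gre-0971-1";
+Kind = "gretap";
+MTUBytes = "1500";
+};
+tunnelConfig = {
+Local = "10.116.200.128";
+Remote = "10.116.200.1";
+};
+};
 };
 networks = {
 wgrz = {
@@ -246,6 +265,7 @@ in {
 LLMNR = false;
 MulticastDNS = false;
 DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+Tunnel = "gre-0971-1";
 };
 };
 virbr0 = {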
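Review bot: `Remote = "10.116.200.1"` for the gretap netdev does not match the GRE accept rule this commit adds to hosts/sif/ruleset.nft, which matches `ip saddr 10.200.116.1`; `Local = "10.116.200.128"` makes the /24 here self-consistent, so the nft address looks transposed, and as written inbound GRE from the peer would not hit that accept rule and would fall through to the rest of the chain. Whichever side is wrong, the two should be aligned before this is deployed, ideally by naming the peer once and reusing it. Nothing in these hunks attaches `gre-0971-1` to the `gre-0971` bridge (a `networks.gre-0971-1` entry with `Bridge = "gre-0971"`); if that lives outside the hunk, fine, otherwise the bridge the VM is put on stays empty. A one-line comment on `gre-0971` such as `# L2 extension of the remote 0971 segment over gretap, consumed by libvirt (allowedBridges)` would tell the next reader what this bridge exposes.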
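--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -4,7 +4,10 @@ with flakeInputs.nixVirt.lib;
 
 {
 config = {
-virtualisation.libvirtd.qemu.swtpm.enable = true;
+virtualisation.libvirtd = {
+qemu.swtpm.enable = true;
+allowedBridges = ["virbr0" "gre-0971"];
+};
 virtualisation.libvirt = {
 enable = true;
 swtpm.enable = true;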
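Review bot: `allowedBridges = ["virbr0" "gre-0971"]` is the list the NixOS module hands to the bridge helper ACL so that unprivileged `qemu:///session` domains may attach to those bridges, and unlike `virbr0` the `gre-0971` entry is not a local NAT bridge but a layer-2 extension of a remote network over the gretap defined in hosts/sif/default.nix. That difference in blast radius deserves a comment at the point of grant, e.g. `# gre-0971: L2 bridge onto the gre-0971-1 gretap (hosts/sif/default.nix); session VMs land directly on the far segment`. Splitting the list onto one line per bridge with that comment keeps future additions reviewable.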
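--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -145,6 +145,8 @@ table inet filter {
 iifname virbr0 udp dport 53 counter name libvirt-dns accept
 iifname virbr0 tcp dport 53 counter name libvirt-dns accept
 
+iifname wgrz ip saddr 10.200.116.1 meta l4proto gre counter accept
+
 ct state {established, related} counter name established-rx accept
 
 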
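Review bot: The new GRE rule uses an anonymous `counter` while every neighbouring rule in this chain uses a named one (`counter name libvirt-dns`, `counter name established-rx`); for consistency, and so tunnel traffic is visible under a stable name in `nft list counters`, write `iifname wgrz ip saddr <peer> meta l4proto gre counter name gre-0971 accept` and declare `counter gre-0971 {}` next to the existing counter declarations, which sit outside this hunk. The peer address itself is discussed on the hosts/sif/default.nix hunk, where it does not agree with the gretap `Remote`.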