fix[work]: update libvirtd config for vagrant

2026-04-14 21:29:12 +02:00 · 2026-03-25 13:56:15 +01:00 · 2026-03-25 13:56:15 +01:00 · 361f77a447
commit 361f77a447
parent a254a2712a
3 changed files with 112 additions and 34 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -3872,6 +3872,7 @@ My work machine. Built for more security, this is the gold standard of my config
      personal = true;
    };

+    networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
    # networking.nftables = {
    #   enable = lib.mkForce false;
    #   firewall.enable = lib.mkForce false;
@ -20033,10 +20034,42 @@ When setting up a new machine:
        };


-        firewall = {
-          enable = lib.mkDefault true;
-          trustedInterfaces = [ "virbr0" ];
+        nftables = {
+          firewall = {
+            zones = {
+              virbr = {
+                interfaces = [ "virbr*" ];
+              };
+            };
+            rules = {
+              virbr-dns-dhcp = {
+                from = [ "virbr" ];
+                to = [ "local" ];
+                allowedTCPPorts = [ 53 ];
+                allowedUDPPorts = [ 53 67 547 ];
+              };
+              virbr-forward = {
+                from = [ "virbr" ];
+                to = [ "untrusted" ];
+                verdict = "accept";
+              };
+              virbr-forward-return = {
+                from = [ "untrusted" ];
+                to = [ "virbr" ];
+                extraLines = [
+                  "ct state { established, related } accept"
+                ];
+              };
+            };
+          };
+          chains.postrouting.libvirt-masq = {
+            after = [ "dnat" ];
+            rules = [
+              "iifname \"virbr*\" masquerade"
+            ];
+          };
        };
+
        search = [
          "vbc.ac.at"
          "clip.vbc.ac.at"
@ -20044,6 +20077,24 @@ When setting up a new machine:
        ];
      };

+      systemd.services = {
+        virtqemud.path = with pkgs; [
+          qemu_kvm
+          libvirt
+        ];
+
+        virtstoraged.path = with pkgs; [
+          qemu_kvm
+          libvirt
+        ];
+
+        virtnetworkd.path = with pkgs; [
+          dnsmasq
+          iproute2
+          nftables
+        ];
+      };
+
      virtualisation = {
        docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
        spiceUSBRedirection.enable = true;
@ -20054,22 +20105,12 @@ When setting up a new machine:
            runAsRoot = true;
            swtpm.enable = true;
            vhostUserPackages = with pkgs; [ virtiofsd ];
-            # ovmf = {
-            #   enable = true;
-            #   packages = [
-            #     (pkgs.OVMFFull.override {
-            #       secureBoot = true;
-            #       tpmSupport = true;
-            #     }).fd
-            #   ];
-            # };
          };
        };
      };

      environment.systemPackages = with pkgs; [
        remmina
-        # gp-onsaml-gui
        python39
        qemu
        packer
@ -20078,7 +20119,6 @@ When setting up a new machine:
        govc
        terraform
        opentofu
-        # dev.terragrunt
        terragrunt
        graphviz
        azure-cli
@ -20102,7 +20142,7 @@ When setting up a new machine:
        openssh = {
          enable = true;
          extraConfig = ''
-              '';
+                  '';
        };

        syncthing = {
@ -20123,10 +20163,9 @@ When setting up a new machine:
          };
        };

-        # ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly"
        udev.extraRules = ''
          # lock screen when yubikey removed
-          ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
+                    ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
        '';

      };