fix[work]: update libvirtd config for vagrant
parent
a254a2712a
commit
361f77a447
3 changed files with 112 additions and 34 deletions
|
|
@ -3872,6 +3872,7 @@ My work machine. Built for more security, this is the gold standard of my config
|
||||||
personal = true;
|
personal = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
|
||||||
# networking.nftables = {
|
# networking.nftables = {
|
||||||
# enable = lib.mkForce false;
|
# enable = lib.mkForce false;
|
||||||
# firewall.enable = lib.mkForce false;
|
# firewall.enable = lib.mkForce false;
|
||||||
|
|
@ -20033,10 +20034,42 @@ When setting up a new machine:
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
firewall = {
|
nftables = {
|
||||||
enable = lib.mkDefault true;
|
firewall = {
|
||||||
trustedInterfaces = [ "virbr0" ];
|
zones = {
|
||||||
|
virbr = {
|
||||||
|
interfaces = [ "virbr*" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
rules = {
|
||||||
|
virbr-dns-dhcp = {
|
||||||
|
from = [ "virbr" ];
|
||||||
|
to = [ "local" ];
|
||||||
|
allowedTCPPorts = [ 53 ];
|
||||||
|
allowedUDPPorts = [ 53 67 547 ];
|
||||||
|
};
|
||||||
|
virbr-forward = {
|
||||||
|
from = [ "virbr" ];
|
||||||
|
to = [ "untrusted" ];
|
||||||
|
verdict = "accept";
|
||||||
|
};
|
||||||
|
virbr-forward-return = {
|
||||||
|
from = [ "untrusted" ];
|
||||||
|
to = [ "virbr" ];
|
||||||
|
extraLines = [
|
||||||
|
"ct state { established, related } accept"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
chains.postrouting.libvirt-masq = {
|
||||||
|
after = [ "dnat" ];
|
||||||
|
rules = [
|
||||||
|
"iifname \"virbr*\" masquerade"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
search = [
|
search = [
|
||||||
"vbc.ac.at"
|
"vbc.ac.at"
|
||||||
"clip.vbc.ac.at"
|
"clip.vbc.ac.at"
|
||||||
|
|
@ -20044,6 +20077,24 @@ When setting up a new machine:
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services = {
|
||||||
|
virtqemud.path = with pkgs; [
|
||||||
|
qemu_kvm
|
||||||
|
libvirt
|
||||||
|
];
|
||||||
|
|
||||||
|
virtstoraged.path = with pkgs; [
|
||||||
|
qemu_kvm
|
||||||
|
libvirt
|
||||||
|
];
|
||||||
|
|
||||||
|
virtnetworkd.path = with pkgs; [
|
||||||
|
dnsmasq
|
||||||
|
iproute2
|
||||||
|
nftables
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
|
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
|
||||||
spiceUSBRedirection.enable = true;
|
spiceUSBRedirection.enable = true;
|
||||||
|
|
@ -20054,22 +20105,12 @@ When setting up a new machine:
|
||||||
runAsRoot = true;
|
runAsRoot = true;
|
||||||
swtpm.enable = true;
|
swtpm.enable = true;
|
||||||
vhostUserPackages = with pkgs; [ virtiofsd ];
|
vhostUserPackages = with pkgs; [ virtiofsd ];
|
||||||
# ovmf = {
|
|
||||||
# enable = true;
|
|
||||||
# packages = [
|
|
||||||
# (pkgs.OVMFFull.override {
|
|
||||||
# secureBoot = true;
|
|
||||||
# tpmSupport = true;
|
|
||||||
# }).fd
|
|
||||||
# ];
|
|
||||||
# };
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
remmina
|
remmina
|
||||||
# gp-onsaml-gui
|
|
||||||
python39
|
python39
|
||||||
qemu
|
qemu
|
||||||
packer
|
packer
|
||||||
|
|
@ -20078,7 +20119,6 @@ When setting up a new machine:
|
||||||
govc
|
govc
|
||||||
terraform
|
terraform
|
||||||
opentofu
|
opentofu
|
||||||
# dev.terragrunt
|
|
||||||
terragrunt
|
terragrunt
|
||||||
graphviz
|
graphviz
|
||||||
azure-cli
|
azure-cli
|
||||||
|
|
@ -20102,7 +20142,7 @@ When setting up a new machine:
|
||||||
openssh = {
|
openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
syncthing = {
|
syncthing = {
|
||||||
|
|
@ -20123,10 +20163,9 @@ When setting up a new machine:
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly"
|
|
||||||
udev.extraRules = ''
|
udev.extraRules = ''
|
||||||
# lock screen when yubikey removed
|
# lock screen when yubikey removed
|
||||||
ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
|
ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
|
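Review bot: The masquerade rule in `chains.postrouting.libvirt-masq` keys on the ingress interface (`"iifname \"virbr*\" masquerade"`) rather than on the egress uplink, so every forwarded packet that entered on a libvirt bridge is source-NATed whatever interface it leaves on; should a tunnel or second bridge ever be added to a forwardable zone, guest traffic towards it would be masqueraded too. Matching on the uplink instead, e.g. `"oifname { \"wlan*\", \"enp*\" } masquerade"`, keeps the NAT scope identical to what `virbr-forward` permits with `to = [ "untrusted" ]`. Note also that the `virbr` zone is defined as `interfaces = [ "virbr*" ]`, so any libvirt network — including one intended to be isolated — now gets forwarding to the untrusted zone at the host firewall; if only the default and vagrant networks are meant to be forwarded, listing those bridges explicitly is tighter than the glob. The `virbr-forward-return` rule's `"ct state { established, related } accept"` may duplicate conntrack handling the zoned firewall module already applies on the forward hook, so it is worth confirming it is still needed. The same hunks appear again in the second file section of this commit.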
||||||
|
|
@ -79,6 +79,7 @@ in
|
||||||
personal = true;
|
personal = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
|
||||||
# networking.nftables = {
|
# networking.nftables = {
|
||||||
# enable = lib.mkForce false;
|
# enable = lib.mkForce false;
|
||||||
# firewall.enable = lib.mkForce false;
|
# firewall.enable = lib.mkForce false;
|
||||||
|
|
|
||||||
|
|
@ -123,10 +123,42 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
firewall = {
|
nftables = {
|
||||||
enable = lib.mkDefault true;
|
firewall = {
|
||||||
trustedInterfaces = [ "virbr0" ];
|
zones = {
|
||||||
|
virbr = {
|
||||||
|
interfaces = [ "virbr*" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
rules = {
|
||||||
|
virbr-dns-dhcp = {
|
||||||
|
from = [ "virbr" ];
|
||||||
|
to = [ "local" ];
|
||||||
|
allowedTCPPorts = [ 53 ];
|
||||||
|
allowedUDPPorts = [ 53 67 547 ];
|
||||||
|
};
|
||||||
|
virbr-forward = {
|
||||||
|
from = [ "virbr" ];
|
||||||
|
to = [ "untrusted" ];
|
||||||
|
verdict = "accept";
|
||||||
|
};
|
||||||
|
virbr-forward-return = {
|
||||||
|
from = [ "untrusted" ];
|
||||||
|
to = [ "virbr" ];
|
||||||
|
extraLines = [
|
||||||
|
"ct state { established, related } accept"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
chains.postrouting.libvirt-masq = {
|
||||||
|
after = [ "dnat" ];
|
||||||
|
rules = [
|
||||||
|
"iifname \"virbr*\" masquerade"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
search = [
|
search = [
|
||||||
"vbc.ac.at"
|
"vbc.ac.at"
|
||||||
"clip.vbc.ac.at"
|
"clip.vbc.ac.at"
|
||||||
|
|
@ -134,6 +166,24 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services = {
|
||||||
|
virtqemud.path = with pkgs; [
|
||||||
|
qemu_kvm
|
||||||
|
libvirt
|
||||||
|
];
|
||||||
|
|
||||||
|
virtstoraged.path = with pkgs; [
|
||||||
|
qemu_kvm
|
||||||
|
libvirt
|
||||||
|
];
|
||||||
|
|
||||||
|
virtnetworkd.path = with pkgs; [
|
||||||
|
dnsmasq
|
||||||
|
iproute2
|
||||||
|
nftables
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
|
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
|
||||||
spiceUSBRedirection.enable = true;
|
spiceUSBRedirection.enable = true;
|
||||||
|
|
@ -144,22 +194,12 @@ in
|
||||||
runAsRoot = true;
|
runAsRoot = true;
|
||||||
swtpm.enable = true;
|
swtpm.enable = true;
|
||||||
vhostUserPackages = with pkgs; [ virtiofsd ];
|
vhostUserPackages = with pkgs; [ virtiofsd ];
|
||||||
# ovmf = {
|
|
||||||
# enable = true;
|
|
||||||
# packages = [
|
|
||||||
# (pkgs.OVMFFull.override {
|
|
||||||
# secureBoot = true;
|
|
||||||
# tpmSupport = true;
|
|
||||||
# }).fd
|
|
||||||
# ];
|
|
||||||
# };
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
remmina
|
remmina
|
||||||
# gp-onsaml-gui
|
|
||||||
python39
|
python39
|
||||||
qemu
|
qemu
|
||||||
packer
|
packer
|
||||||
|
|
@ -168,7 +208,6 @@ in
|
||||||
govc
|
govc
|
||||||
terraform
|
terraform
|
||||||
opentofu
|
opentofu
|
||||||
# dev.terragrunt
|
|
||||||
terragrunt
|
terragrunt
|
||||||
graphviz
|
graphviz
|
||||||
azure-cli
|
azure-cli
|
||||||
|
|
@ -192,7 +231,7 @@ in
|
||||||
openssh = {
|
openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
syncthing = {
|
syncthing = {
|
||||||
|
|
@ -213,10 +252,9 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly"
|
|
||||||
udev.extraRules = ''
|
udev.extraRules = ''
|
||||||
# lock screen when yubikey removed
|
# lock screen when yubikey removed
|
||||||
ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
|
ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
|
||||||