mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2026-04-14 05:09:09 +02:00
fix[work]: update libvirtd config for vagrant
This commit is contained in:
Leon Schwarzäugl
parent
a254a2712a
commit
361f77a447
GPG key ID:
26A54C31F2A4FD84
3 changed files with 112 additions and 34 deletions
|
|
@ -3872,6 +3872,7 @@ My work machine. Built for more security, this is the gold standard of my config
|
|||
personal = true;
|
||||
};
|
||||
|
||||
networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
|
||||
# networking.nftables = {
|
||||
# enable = lib.mkForce false;
|
||||
# firewall.enable = lib.mkForce false;
|
||||
|
|
@ -20033,10 +20034,42 @@ When setting up a new machine:
|
|||
};
|
||||
|
||||
|
||||
nftables = {
|
||||
firewall = {
|
||||
enable = lib.mkDefault true;
|
||||
trustedInterfaces = [ "virbr0" ];
|
||||
zones = {
|
||||
virbr = {
|
||||
interfaces = [ "virbr*" ];
|
||||
};
|
||||
};
|
||||
rules = {
|
||||
virbr-dns-dhcp = {
|
||||
from = [ "virbr" ];
|
||||
to = [ "local" ];
|
||||
allowedTCPPorts = [ 53 ];
|
||||
allowedUDPPorts = [ 53 67 547 ];
|
||||
};
|
||||
virbr-forward = {
|
||||
from = [ "virbr" ];
|
||||
to = [ "untrusted" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
virbr-forward-return = {
|
||||
from = [ "untrusted" ];
|
||||
to = [ "virbr" ];
|
||||
extraLines = [
|
||||
"ct state { established, related } accept"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
chains.postrouting.libvirt-masq = {
|
||||
after = [ "dnat" ];
|
||||
rules = [
|
||||
"iifname \"virbr*\" masquerade"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
search = [
|
||||
"vbc.ac.at"
|
||||
"clip.vbc.ac.at"
|
||||
|
|
@ -20044,6 +20077,24 @@ When setting up a new machine:
|
|||
];
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
virtqemud.path = with pkgs; [
|
||||
qemu_kvm
|
||||
libvirt
|
||||
];
|
||||
|
||||
virtstoraged.path = with pkgs; [
|
||||
qemu_kvm
|
||||
libvirt
|
||||
];
|
||||
|
||||
virtnetworkd.path = with pkgs; [
|
||||
dnsmasq
|
||||
iproute2
|
||||
nftables
|
||||
];
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
|
||||
spiceUSBRedirection.enable = true;
|
||||
|
|
@ -20054,22 +20105,12 @@ When setting up a new machine:
|
|||
runAsRoot = true;
|
||||
swtpm.enable = true;
|
||||
vhostUserPackages = with pkgs; [ virtiofsd ];
|
||||
# ovmf = {
|
||||
# enable = true;
|
||||
# packages = [
|
||||
# (pkgs.OVMFFull.override {
|
||||
# secureBoot = true;
|
||||
# tpmSupport = true;
|
||||
# }).fd
|
||||
# ];
|
||||
# };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
remmina
|
||||
# gp-onsaml-gui
|
||||
python39
|
||||
qemu
|
||||
packer
|
||||
|
|
@ -20078,7 +20119,6 @@ When setting up a new machine:
|
|||
govc
|
||||
terraform
|
||||
opentofu
|
||||
# dev.terragrunt
|
||||
terragrunt
|
||||
graphviz
|
||||
azure-cli
|
||||
|
|
@ -20123,7 +20163,6 @@ When setting up a new machine:
|
|||
};
|
||||
};
|
||||
|
||||
# ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly"
|
||||
udev.extraRules = ''
|
||||
# lock screen when yubikey removed
|
||||
ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
|
||||
|
|
|
|||
|
|
@ -79,6 +79,7 @@ in
|
|||
personal = true;
|
||||
};
|
||||
|
||||
networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
|
||||
# networking.nftables = {
|
||||
# enable = lib.mkForce false;
|
||||
# firewall.enable = lib.mkForce false;
|
||||
|
|
|
|||
|
|
@ -123,10 +123,42 @@ in
|
|||
};
|
||||
|
||||
|
||||
nftables = {
|
||||
firewall = {
|
||||
enable = lib.mkDefault true;
|
||||
trustedInterfaces = [ "virbr0" ];
|
||||
zones = {
|
||||
virbr = {
|
||||
interfaces = [ "virbr*" ];
|
||||
};
|
||||
};
|
||||
rules = {
|
||||
virbr-dns-dhcp = {
|
||||
from = [ "virbr" ];
|
||||
to = [ "local" ];
|
||||
allowedTCPPorts = [ 53 ];
|
||||
allowedUDPPorts = [ 53 67 547 ];
|
||||
};
|
||||
virbr-forward = {
|
||||
from = [ "virbr" ];
|
||||
to = [ "untrusted" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
virbr-forward-return = {
|
||||
from = [ "untrusted" ];
|
||||
to = [ "virbr" ];
|
||||
extraLines = [
|
||||
"ct state { established, related } accept"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
chains.postrouting.libvirt-masq = {
|
||||
after = [ "dnat" ];
|
||||
rules = [
|
||||
"iifname \"virbr*\" masquerade"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
search = [
|
||||
"vbc.ac.at"
|
||||
"clip.vbc.ac.at"
|
||||
|
|
@ -134,6 +166,24 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
virtqemud.path = with pkgs; [
|
||||
qemu_kvm
|
||||
libvirt
|
||||
];
|
||||
|
||||
virtstoraged.path = with pkgs; [
|
||||
qemu_kvm
|
||||
libvirt
|
||||
];
|
||||
|
||||
virtnetworkd.path = with pkgs; [
|
||||
dnsmasq
|
||||
iproute2
|
||||
nftables
|
||||
];
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
|
||||
spiceUSBRedirection.enable = true;
|
||||
|
|
@ -144,22 +194,12 @@ in
|
|||
runAsRoot = true;
|
||||
swtpm.enable = true;
|
||||
vhostUserPackages = with pkgs; [ virtiofsd ];
|
||||
# ovmf = {
|
||||
# enable = true;
|
||||
# packages = [
|
||||
# (pkgs.OVMFFull.override {
|
||||
# secureBoot = true;
|
||||
# tpmSupport = true;
|
||||
# }).fd
|
||||
# ];
|
||||
# };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
remmina
|
||||
# gp-onsaml-gui
|
||||
python39
|
||||
qemu
|
||||
packer
|
||||
|
|
@ -168,7 +208,6 @@ in
|
|||
govc
|
||||
terraform
|
||||
opentofu
|
||||
# dev.terragrunt
|
||||
terragrunt
|
||||
graphviz
|
||||
azure-cli
|
||||
|
|
@ -213,7 +252,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly"
|
||||
udev.extraRules = ''
|
||||
# lock screen when yubikey removed
|
||||
ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue