From 663c21495b82beb5726892a8c089b206aeff7b62 Mon Sep 17 00:00:00 2001 From: Adrian G Lauterer Date: Sat, 26 Oct 2024 15:17:38 +0200 Subject: [PATCH] nixvirt opnsense gandalf --- flake.nix | 152 +++++--------------- machines/gandalf/bootvm.sh | 15 ++ machines/gandalf/configuration.nix | 78 +--------- machines/gandalf/hardware-configuration.nix | 25 ++-- machines/gandalf/text.md | 2 + services/virt.nix | 32 +++++ 6 files changed, 108 insertions(+), 196 deletions(-) create mode 100755 machines/gandalf/bootvm.sh create mode 100644 machines/gandalf/text.md create mode 100644 services/virt.nix diff --git a/flake.nix b/flake.nix index f9f5c07..3a281b6 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,9 @@ # stylix.inputs.nixpkgs.follows = "nixpkgs"; # stylix.inputs.home-manager.follows = "home-manager"; + NixVirt.url = "https://flakehub.com/f/AshleyYakeley/NixVirt/*.tar.gz"; + NixVirt.inputs.nixpkgs.follows = "nixpkgs"; + ozai.url = "git+https://git.pvv.ntnu.no/Projects/ozai.git"; ozai.inputs.nixpkgs.follows = "unstable"; @@ -43,6 +46,7 @@ , nixpkgs , sops-nix , nixos-hardware + , NixVirt , unstable , ... }@inputs: let 
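Review bot: `NixVirt.url` uses the FlakeHub wildcard `*`, so the only thing fixing which NixVirt revision is built is flake.lock, and flake.lock is not among the six files in this commit's diffstat, so the revision actually deployed is not recorded here. Because this input generates the libvirt domain definition for the firewall VM, an unpinned `*` means a later `nix flake update` silently pulls whatever the newest release is. Pin it to a SemVer range (e.g. `NixVirt/<major>.<minor>.*.tar.gz`) or to a git revision, and commit the resulting flake.lock change together with this. The surrounding `inputs`/`outputs` attribute sets start and end outside the hunk.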
@@ -113,9 +117,43 @@ inherit inputs; }; modules = [ + NixVirt.nixosModules.default ./machines/gandalf/configuration.nix ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) sops-nix.nixosModules.sops + + ({ config, pkgs, ... }: { + # Your VM configuration here + virtualisation.libvirt.enable = true; + virtualisation.libvirt.connections."qemu:///system".domains = [ + { + definition = NixVirt.lib.domain.writeXML (NixVirt.lib.domain.templates.q35 { + name = "gandalf-grey"; + uuid = "a1db010b-4ad3-436a-bd99-f290f5ac8806"; # Replace with a generated UUID + memory = { count = 4; unit = "GiB"; }; + vcpu = { value = 2; }; # Number of CPU cores + storage_vol = "/vm-images/OPNsense-24.7-nano-amd64.img"; # Path to your storage image file + install_vol = null; # No installation volume since we're using an existing image + virtio_net = true; + virtio_video = true; + virtio_drive = true; + devices = [ + { hostdev = "/sys/bus/pci/devices/0000:04:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:05:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:06:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:07:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:08:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:0b:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:0b:00.1"; } + { hostdev = "/sys/bus/pci/devices/0000:0c:00.0"; } + { hostdev = "/sys/bus/pci/devices/0000:0c:00.1"; } + ]; + }); + active = true; + } + ]; + }) + ]; }; @@ -146,117 +184,3 @@ } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/machines/gandalf/bootvm.sh b/machines/gandalf/bootvm.sh new file mode 100755 index 0000000..3e7cbee --- /dev/null +++ b/machines/gandalf/bootvm.sh 
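Review bot: The nine `hostdev` entries hand the OPNsense guest direct, DMA-capable PCI functions, but nothing in this hunk ties them to IOMMU isolation: whether each function (notably the multifunction pairs 0b:00.0/0b:00.1 and 0c:00.0/0c:00.1) sits in its own IOMMU group, and whether all nine are matched by the two vendor:device IDs bound to vfio-pci in hardware-configuration.nix, cannot be seen from the diff and should be checked with `lspci -nnk` before `active = true` is deployed; a comment above `devices = [` should state the invariant, e.g. `# every function below must be in its own IOMMU group and bound to vfio-pci at boot; verify with lspci -nnk`. Separately, `virtio_net = true` presumably attaches a libvirt-managed NIC to the firewall in addition to the passed-through ones, giving the guest a path onto the host's default network; confirm that is intended or turn it off. The template comments `# Replace with a generated UUID` and `# Your VM configuration here` are stale now that concrete values are committed and should be dropped. The enclosing `nixosConfigurations` attribute starts outside the hunk.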
@@ -0,0 +1,15 @@
+qemu-system-x86_64 \
+ -m 4G \
+ -cpu host \
+ -smp 2 \
+ -enable-kvm \
+ -device vfio-pci,host=04:00.0 \
+ -device vfio-pci,host=05:00.0 \
+ -drive file=/vm-images/OPNsense-24.7-nano-amd64.img,format=raw \
+ -vga virtio \
+ -netdev user,id=net0 -device virtio-net,netdev=net0 \
+ -daemonize \
+ -vnc
+
+#-nographic \
+#-net none
diff --git a/machines/gandalf/configuration.nix b/machines/gandalf/configuration.nix
index 1d0e09d..6e8a3fb 100644
--- a/machines/gandalf/configuration.nix
+++ b/machines/gandalf/configuration.nix
@@ -8,6 +8,8 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ../../profiles/base.nix + ../../services/virt.nix + # ./nixvirt.nix ]; # Use the systemd-boot EFI boot loader.
@@ -15,18 +17,15 @@ boot.loader.efi.canTouchEfiVariables = true; - # Pick only one of the below networking options. #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. - # networking.useDHCP = true; - networking.interfaces.wlp3s0f0.useDHCP = true; # Interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. + # networking.useDHCP = true; + networking.interfaces.wlp3s0f0.useDHCP = true; # Interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. networking.hostName = "gandalf"; # Define your hostname. boot.kernel.sysctl = {
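Review bot: `-vnc` on the last line of the qemu command has no display argument, and qemu-system-x86_64 treats `-vnc` as an option that requires one, so the script as committed fails to parse its arguments rather than starting the VM. When the display is added, bind it to loopback instead of the usual `-vnc :0`, which listens on every interface with no authentication and exposes the firewall's console: `-vnc 127.0.0.1:0` or `-vnc unix:/run/gandalf-grey.vnc`. The file is mode 100755 but has no interpreter line, so add `#!/usr/bin/env bash` as line 1. Note also that `-netdev user` gives the guest slirp access to the host's network on top of the passed-through NICs, and that the vfio and `-enable-kvm` devices typically need the script run as root or with matching device-node permissions, which is worth a comment at the top.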
@@ -50,75 +49,8 @@ }; -#sequrity managment through kanidm -# systemd.services.kanidm = let -# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; -# in { -# requires = [ "acme-finished-${certName}.target" ]; -# serviceConfig.LoadCredential = let -# certDir = config.security.acme.certs.${certName}.directory; -# in [ -# "fullchain.pem:${certDir}/fullchain.pem" -# "key.pem:${certDir}/key.pem" -# ]; -# }; -# -# services.kanidm = { -# enableServer = true; -# #enablePam = true; -# serverSettings = let -# credsDir = "/run/credentials/kanidm.service"; -# #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable -# in { -# origin = "https://${config.services.kanidm.serverSettings.domain}"; -# domain = "auth.${config.networking.domain}"; -# tls_chain = "${credsDir}/fullchain.pem"; -# tls_key = "${credsDir}/key.pem"; -# bindaddress = "localhost:8300"; -# }; -# -# clientSettings = { -# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool -# uri = "${config.services.kanidm.serverSettings.bindaddress}"; -# verify_ca = true; -# verify_hostnames = true; -# }; - # }; -# -# #environment = { -# # etc."kanidm/config".text = '' -# # uri="https://auth.${config.networking.domain}" -# # ''; -# #}; -#vpn stuff -# #need to run at fresh install to create namespace: headscale namespaces create -# services.headscale = { -# enable = true; -# user = "headscale"; -# address = "127.0.0.1"; -# port = 8080; -# settings = { -# logtail.enabled = false; -# metrics_listen_addr = "127.0.0.1:9090"; -# server_url = "https://${"vpn."+config.networking.domain}"; -# dns_config = { -# base_domain = "${config.networking.domain}"; -# magic_dns = true; -# nameservers = [ -# "1.1.1.1" -# ]; -# }; -# -# ##should really implement with fex github and kanidm -# #oidc = { -# # issuer = "{config.services.kanidm.serverSettings.origin}"; -# # allowed_domains = Domains; -# #}; -# }; 
-# }; - users.users."root".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" ]; @@ -149,6 +81,6 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? + system.stateVersion = "24.05"; # Did you read the comment? } diff --git a/machines/gandalf/hardware-configuration.nix b/machines/gandalf/hardware-configuration.nix index ed5efd7..9a57245 100644 --- a/machines/gandalf/hardware-configuration.nix +++ b/machines/gandalf/hardware-configuration.nix 
@@ -8,24 +8,31 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.kernelParams = [ "intel_iommu=on" "iommu=pt" ]; + boot.kernelModules = [ "kvm-intel" "vfio_pci" "drm" "drm_kms_helper"]; boot.extraModulePackages = [ ]; + boot.extraModprobeConfig = '' + options vfio-pci ids=8086:125c,8086:15c4 + ''; fileSystems."/" = - { device = "/dev/disk/by-uuid/a7b19945-9e59-4684-be34-1fd756239c55"; + { device = "/dev/disk/by-uuid/a12c97d6-8cbb-4853-8642-ba8760a43584"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/B2B1-2206"; + { device = "/dev/disk/by-uuid/5526-5FF3"; fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/e2235b7c-f801-4c75-8d9e-15861c4b7e50"; } - ]; + + fileSystems."/vm-images" = + { device = "/dev/disk/by-uuid/4f4505c3-8942-4767-b7f2-b27087aa9ec1"; + fsType = "ext4"; + }; + swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's 
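Review bot: `options vfio-pci ids=8086:125c,8086:15c4` is supplied through `boot.extraModprobeConfig` while `vfio_pci` is loaded from `boot.kernelModules`, i.e. in stage 2; if the host driver for those devices is loaded earlier (for instance from the initrd), the ids option will not detach them, so check `lspci -nnk` on the built system and confirm `Kernel driver in use: vfio-pci` for every function the gandalf-grey domain passes through. The list names two vendor:device IDs whereas flake.nix passes nine PCI functions, and whether 0b:00.x and 0c:00.x are covered cannot be seen from here. The new `/vm-images` filesystem only holds disk images (text.md creates them with qemu-img), so mount it with `options = [ "nosuid" "nodev" "noexec" ];` so a writable VM store cannot double as a place to stage executables. `boot.kernelModules` and `boot.extraModprobeConfig` are also set in services/virt.nix; both merge, but the duplicated kvm-intel/vfio_pci/drm entries should live in one place, and `drm`/`drm_kms_helper` have no stated purpose on a passthrough host.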
@@ -36,12 +43,12 @@ # networking.interfaces.eno2.useDHCP = lib.mkDefault true; # networking.interfaces.eno3.useDHCP = lib.mkDefault true; # networking.interfaces.eno4.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s21u2.useDHCP = lib.mkDefault true; # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0f0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/machines/gandalf/text.md b/machines/gandalf/text.md new file mode 100644 index 0000000..1639edb --- /dev/null +++ b/machines/gandalf/text.md @@ -0,0 +1,2 @@ +qemu-img create -f qcow2 /vm-images/opnsense.qcow2 20G + diff --git a/services/virt.nix b/services/virt.nix new file mode 100644 index 0000000..4516cdb --- /dev/null +++ b/services/virt.nix 
@@ -0,0 +1,32 @@
+{ config, pkgs, lib, ... }:
+{
+
+ # Enable libvirt and QEMU
+ virtualisation.libvirtd.enable = true;
+ virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm;
+
+ boot.kernelModules = [ "kvm-intel" "vfio_pci" "drm" "drm_kms_helper"];
+
+ # Add the relevant packages for virtualization, including secure boot and TPM support
+ virtualisation.libvirtd.qemu = {
+ runAsRoot = true;
+ swtpm.enable = true;
+ ovmf = {
+ enable = true;
+ packages = [(pkgs.OVMF.override {
+ secureBoot = true;
+ tpmSupport = true;
+ }).fd];
+ };
+ };
+
+ # Add your user to the libvirt group to allow managing VMs without sudo
+ users.users.gunalx.extraGroups = [ "libvirtd" ];
+
+ # Enable nested virtualization if needed
+ boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+ # (Optional) Enable the virt-manager graphical tool for managing VMs
+ programs.virt-manager.enable = true;
+
+}
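Review bot: `runAsRoot = true;` makes libvirt launch every QEMU process as root, so a guest escape from the OPNsense domain — which per flake.nix receives nine host PCI functions and presumably terminates untrusted WAN traffic — lands directly as root on gandalf instead of as the unprivileged qemu-libvirtd user. libvirt handles the vfio device nodes and cgroup access for an unprivileged QEMU itself, so passthrough does not need this; change it to `runAsRoot = false;` and only revisit if a concrete permission failure appears. `options kvm_intel nested=1` turns on nested virtualization for a firewall guest with no stated need for it, which is extra attack surface to drop unless it is used. Adding `gunalx` to `libvirtd` grants control of `qemu:///system`, which is effectively root on the host, so the comment should say that rather than just `without sudo`, e.g. `# libvirtd group == control of qemu:///system, i.e. root-equivalent on this host`.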