virtualisation: fix firewall and secureboot

gpu passthrough wann?
This commit is contained in:
Rouven Seifert 2023-12-27 22:55:40 +01:00
parent f7c8b70950
commit 8a6f689e6a
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09


@ -1,96 +1,26 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
# Virtualisation with gpu passthrough
# Following https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/
# let
# gpuHook = pkgs.writeShellScript "gpuhook.sh" ''
# export PATH=$PATH:${lib.makeBinPath [pkgs.pciutils pkgs.kmod pkgs.psmisc pkgs.systemd pkgs.coreutils]}
# gpu_domains=(
# win11
# )
# function gpu_begin {
# set -x
# device=$(lspci -nnD | grep "VGA compatible controller" | grep Intel)
# # Stop display manager
# systemctl stop greetd.service
# # Unbind vtconsole
# for i in /sys/class/vtconsole/*/bind; do
# echo 0 > "$i"
# done
# # Kill pulseaudio
# killall pipewire
# killall pipewire-pulse
# # Unbind GPU
# echo "$device" | cut -d' ' -f1 > /sys/module/i915/drivers/pci:i915/unbind
# # Unload modules
# rmmod snd_hda_intel
# rmmod i915
# # Load vfio
# modprobe vfio-pci ids="$(echo "$device" | grep -o 8086:....)"
# }
# function gpu_end {
# set -x
# # Unload vfio
# rmmod vfio_pci
# # Load modules
# modprobe snd_hda_intel
# modprobe i915
# # Rebind vtconsole
# for i in /sys/class/vtconsole/*/bind; do
# echo 1 > "$i"
# done
# # Start display manager
# systemctl start greetd.service
# }
# # Run only for gpu_domains
# for d in "''${gpu_domains[@]}"; do
# [ "$d" = "$1" ] && gpu_domain=true
# done
# if [ "$gpu_domain" = true ]; then
# [ "$2" = prepare ] && [ "$3" = begin ] && gpu_begin
# [ "$2" = release ] && [ "$3" = end ] && gpu_end
# fi
# true
# '';
# in
{ {
# boot.kernelParams = [ "intel_iommu=on" ];
virtualisation = { virtualisation = {
libvirtd = { libvirtd = {
enable = true; enable = true;
qemu = { qemu = {
runAsRoot = false; runAsRoot = false;
swtpm.enable = true;
ovmf.packages = [
(pkgs.OVMF.override ({
tpmSupport = true;
secureBoot =
true;
})).fd
];
}; };
}; };
spiceUSBRedirection.enable = true; spiceUSBRedirection.enable = true;
}; };
# allow libvirts internal network stuff
# fix to enable secure boot in vms networking.firewall.trustedInterfaces = [ "virbr0" ];
environment.etc = { programs.virt-manager.enable = true;
"ovmf/edk2-x86_64-secure-code.fd" = {
source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd";
};
"ovmf/edk2-i386-vars.fd" = {
source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd";
mode = "0644";
user = "libvirtd";
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
virt-viewer virt-viewer
]; ];
# systemd.services.libvirtd.preStart =
# ''
# mkdir -p /var/lib/libvirt/hooks
# chmod 755 /var/lib/libvirt/hooks
# # Copy hook files
# cp -f ${gpuHook} /var/lib/libvirt/hooks/qemu
# # Make them executable
# chmod +x /var/lib/libvirt/hooks/qemu
# '';
} }
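Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" ];` exempts all traffic arriving on the libvirt bridge from the host firewall, so any guest on the default NAT network can reach every listening service on the host, not only the DNS/DHCP that libvirt's dnsmasq serves on that bridge. If guest networking is the only thing that needs to pass, scope the opening to that interface and those ports instead, e.g. `networking.firewall.interfaces.virbr0 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 ]; };`, and keep the `# allow libvirts internal network stuff` comment to say why. If the full trust is deliberate (guests are treated as part of the host's trust domain), extend that comment to state it so the wider exposure is a recorded decision rather than an accident. Separately, `secureBoot =` followed by `true;` on the next line looks like a formatter artefact; joining it to `secureBoot = true;` matches the rest of the attribute set.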