diff --git a/hosts/kima/modules.nix b/hosts/kima/modules.nix
index 578fed24..9f04a42d 100644
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -171,6 +171,9 @@
     kanata = {
       enable = true;
     };
+    libvirtd = {
+      enable = true;
+    };
     locate = {
       enable = true;
     };
diff --git a/modules/default.nix b/modules/default.nix
index 5ff49992..5c217a00 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -97,8 +97,10 @@
     ./nixos/services/greetd
     ./nixos/services/gvfs
     ./nixos/services/kanata
+    ./nixos/services/libvirtd
     ./nixos/services/locate
     ./nixos/services/mullvad
+    ./nixos/services/mullvad-netns
     ./nixos/services/nfs
     ./nixos/services/nix-ld
     ./nixos/services/openssh
diff --git a/modules/nixos/programs/niri/default.nix b/modules/nixos/programs/niri/default.nix
index 41b37785..b10c6576 100644
--- a/modules/nixos/programs/niri/default.nix
+++ b/modules/nixos/programs/niri/default.nix
@@ -15,6 +15,9 @@ in
   };
   config = mkIf cfg.enable {
     nixpkgs.overlays = [ inputs.niri.overlays.niri ];
+    environment.systemPackages = with pkgs; [
+      xwayland-satellite-unstable
+    ];
     systemd.user.services.niri-flake-polkit.enable = false;
     programs.niri = {
       enable = true;
diff --git a/modules/nixos/services/libvirtd/default.nix b/modules/nixos/services/libvirtd/default.nix
new file mode 100644
index 00000000..4118f847
--- /dev/null
+++ b/modules/nixos/services/libvirtd/default.nix
@@ -0,0 +1,38 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.nixos.services.libvirtd;
+in
+{
+  options = {
+    nixos.services.libvirtd.enable = mkEnableOption "Enables libvirtd";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.trustedInterfaces = [ "virbr0" ];
+    environment.systemPackages = with pkgs; [
+      virt-manager
+      virt-viewer
+    ];
+
+    virtualisation = {
+      kvmgt.enable = true;
+      spiceUSBRedirection.enable = true;
+      libvirtd = {
+        enable = true;
+        onShutdown = "shutdown";
+        qemu = {
+          ovmf = {
+            enable = true;
+            packages = [ pkgs.OVMFFull.fd ];
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/modules/nixos/services/mullvad-netns/default.nix b/modules/nixos/services/mullvad-netns/default.nix
new file mode 100644
index 00000000..f72bbcef
--- /dev/null
+++ b/modules/nixos/services/mullvad-netns/default.nix
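Review bot: `mkEnableOption "Enables libvirtd"` renders in the generated option documentation as "Whether to enable Enables libvirtd.", because mkEnableOption already prefixes "Whether to enable"; `mkEnableOption "libvirtd virtualisation"` reads correctly. `networking.firewall.trustedInterfaces = [ "virbr0" ]` lets guests on libvirt's default NAT bridge reach every service the host listens on, which is wider than the dnsmasq DHCP/DNS ports that network needs; if that is intentional it deserves a comment such as `# Guests on the default libvirt NAT network bypass the host firewall entirely.`, otherwise `networking.firewall.interfaces.virbr0.allowedUDPPorts = [ 53 67 ];` (plus TCP 53) is the narrower form. The `kvmgt`, `spiceUSBRedirection` and OVMF settings are presumably host-specific preferences; a one-line comment on why they are switched on unconditionally for every host importing this module would help the next reader.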
@@ -0,0 +1,50 @@
+{ self, pkgs, ... }:
+{
+  age.secrets.wgCredentials = {
+    file = "${self}/secrets/wgCredentials.age";
+    mode = "0400";
+    owner = "root";
+    group = "root";
+    path = "/etc/wireguard/mullvad.conf";
+  };
+
+  systemd.services.mullvad-netns = {
+    description = "WireGuard Mullvad netns for VMs";
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+
+      ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" ''
+        set -euo pipefail
+
+        ip netns add mullvad || true
+
+        ip link add veth0 type veth peer name veth1 || true
+        ip link set veth1 netns mullvad
+        ip addr add 10.250.0.1/24 dev veth0 || true
+        ip link set veth0 up
+        ip netns exec mullvad ip addr add 10.250.0.2/24 dev veth1 || true
+        ip netns exec mullvad ip link set veth1 up
+
+        ip netns exec mullvad wg-quick up /etc/wireguard/mullvad.conf
+        ip netns exec mullvad ip route add default dev wg0 || true
+
+        nft add table ip mullvad-nat || true
+        nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; } || true
+        nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oif "wg0" masquerade || true
+      ''}";
+
+      ExecStop = "${pkgs.writeShellScript "mullvad-netns-down" ''
+        set -euo pipefail
+
+        ip netns exec mullvad wg-quick down /etc/wireguard/mullvad.conf || true
+        ip link delete veth0 || true
+        ip netns delete mullvad || true
+        nft delete table ip mullvad-nat || true
+      ''}";
+    };
+
+    # no wantedBy here -> won't start at boot
+  };
+}
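Review bot: The three nft commands in mullvad-netns-up run in the host namespace rather than in `mullvad`, so the masquerade rule's `oif "wg0"` names an interface that does not exist there and the resulting error is swallowed by `|| true`; likewise `ip netns exec mullvad wg-quick up` creates wg0 together with its encrypted UDP socket inside a namespace whose only route is 10.250.0.0/24, so as far as I can tell the handshake to the Mullvad endpoint has no path out and guest traffic is black-holed rather than tunnelled (no leak, but no VPN either). The working pattern is to create the WireGuard interface on the host, move only the interface into `mullvad` (the socket keeps host routing), configure it there with `wg setconf` on the stripped config, enable forwarding inside the namespace because ip_forward is per-netns, and run the NAT commands via `ip netns exec mullvad`. The unit also needs `path = [ pkgs.iproute2 pkgs.nftables pkgs.wireguard-tools ];` unless those tools are already on the service PATH, and ExecStop's `nft delete table` should be prefixed with `ip netns exec mullvad` too (wg0 disappears with the namespace, so the `wg-quick down` line can go). The tunnel address in the fence is a placeholder for the Address line of the Mullvad config, which the stripped config does not carry.
```nix
    path = [ pkgs.iproute2 pkgs.nftables pkgs.wireguard-tools ];

    serviceConfig = {
      # … unchanged: Type, RemainAfterExit …
      ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" ''
        set -euo pipefail
        # … unchanged: netns and veth0/veth1 setup …

        # Create wg0 on the host so its encrypted UDP socket keeps host routing,
        # then move only the interface into the namespace.
        ip link add wg0 type wireguard
        ip link set wg0 netns mullvad
        ip netns exec mullvad wg setconf wg0 <(wg-quick strip /etc/wireguard/mullvad.conf)
        ip netns exec mullvad ip addr add <TUNNEL_ADDRESS_FROM_CONFIG> dev wg0
        ip netns exec mullvad ip link set wg0 up
        ip netns exec mullvad ip route add default dev wg0

        # Forwarding is per-namespace; guest packets enter on veth1 and leave on wg0.
        ip netns exec mullvad sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

        ip netns exec mullvad nft add table ip mullvad-nat
        ip netns exec mullvad nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; }
        ip netns exec mullvad nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oifname "wg0" masquerade
      ''}";
```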