feat(libvirtd): adding virtualisation

hosts/kima/modules.nix

@@ -171,6 +171,9 @@
       kanata = {
         enable = true;
       };
+      libvirtd = {
+        enable = true;
+      };
       locate = {
         enable = true;
       };

modules/default.nix

@@ -97,8 +97,10 @@
         ./nixos/services/greetd
         ./nixos/services/gvfs
         ./nixos/services/kanata
+        ./nixos/services/libvirtd
         ./nixos/services/locate
         ./nixos/services/mullvad
+        ./nixos/services/mullvad-netns
         ./nixos/services/nfs
         ./nixos/services/nix-ld
         ./nixos/services/openssh

modules/nixos/programs/niri/default.nix

@@ -15,6 +15,9 @@ in
   };
   config = mkIf cfg.enable {
     nixpkgs.overlays = [ inputs.niri.overlays.niri ];
+    environment.systemPackages = with pkgs; [
+      xwayland-satellite-unstable
+    ];
     systemd.user.services.niri-flake-polkit.enable = false;
     programs.niri = {
       enable = true;

modules/nixos/services/libvirtd/default.nix

@@ -0,0 +1,38 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.nixos.services.libvirtd;
+in
+{
+  options = {
+    nixos.services.libvirtd.enable = mkEnableOption "Enables libvirtd";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.trustedInterfaces = [ "virbr0" ];
+    environment.systemPackages = with pkgs; [
+      virt-manager
+      virt-viewer
+    ];
+
+    virtualisation = {
+      kvmgt.enable = true;
+      spiceUSBRedirection.enable = true;
+      libvirtd = {
+        enable = true;
+        onShutdown = "shutdown";
+        qemu = {
+          ovmf = {
+            enable = true;
+            packages = [ pkgs.OVMFFull.fd ];
+          };
+        };
+      };
+    };
+  };
+}

modules/nixos/services/mullvad-netns/default.nix

@@ -0,0 +1,50 @@
+{ self, pkgs, ... }:
+{
+  age.secrets.wgCredentials = {
+    file = "${self}/secrets/wgCredentials.age";
+    mode = "0400";
+    owner = "root";
+    group = "root";
+    path = "/etc/wireguard/mullvad.conf";
+  };
+
+  systemd.services.mullvad-netns = {
+    description = "WireGuard Mullvad netns for VMs";
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+
+      ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" ''
+        set -euo pipefail
+
+        ip netns add mullvad || true
+
+        ip link add veth0 type veth peer name veth1 || true
+        ip link set veth1 netns mullvad
+        ip addr add 10.250.0.1/24 dev veth0 || true
+        ip link set veth0 up
+        ip netns exec mullvad ip addr add 10.250.0.2/24 dev veth1 || true
+        ip netns exec mullvad ip link set veth1 up
+
+        ip netns exec mullvad wg-quick up /etc/wireguard/mullvad.conf
+        ip netns exec mullvad ip route add default dev wg0 || true
+
+        nft add table ip mullvad-nat || true
+        nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; } || true
+        nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oif "wg0" masquerade || true
+      ''}";
+
+      ExecStop = "${pkgs.writeShellScript "mullvad-netns-down" ''
+        set -euo pipefail
+
+        ip netns exec mullvad wg-quick down /etc/wireguard/mullvad.conf || true
+        ip link delete veth0 || true
+        ip netns delete mullvad || true
+        nft delete table ip mullvad-nat || true
+      ''}";
+    };
+
+    # no wantedBy here -> won't start at boot
+  };
+}