initial commit

2026-02-23 20:34:35 +01:00 · 2026-02-23 20:34:35 +01:00 · 95a533c876
commit 95a533c876
451 changed files with 18255 additions and 0 deletions
--- a/modules/nixos/virtualisation/default.nix
+++ b/modules/nixos/virtualisation/default.nix
@ -0,0 +1,92 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.virtualisation;
+
+  boolToZeroOne = x: if x then "1" else "0";
+
+  aclString = strings.concatMapStringsSep ''
+    ,
+  '' strings.escapeNixString cfg.libvirtd.deviceACL;
+
+  inherit (lib)
+    mkDefault
+    mkOption
+    optionalString
+    optionals
+    strings
+    types
+    ;
+in
+{
+  imports = [
+    ./hugepages.nix
+    ./kvmfr.nix
+    ./quickemu.nix
+    ./vfio.nix
+  ];
+
+  options.virtualisation = {
+    libvirtd = {
+      deviceACL = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        example = [
+          "/dev/kvm"
+          "/dev/net/tun"
+          "/dev/vfio/vfio"
+        ];
+        description = "List of device paths that QEMU processes are allowed to access.";
+      };
+
+      clearEmulationCapabilities = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to remove privileged Linux capabilities from QEMU processes after they start.";
+      };
+    };
+  };
+
+  config = {
+    virtualisation = {
+      libvirtd = {
+        enable = mkDefault true;
+        onBoot = mkDefault "ignore";
+        onShutdown = mkDefault "shutdown";
+        qemu.runAsRoot = mkDefault false;
+        qemu.verbatimConfig = ''
+          clear_emulation_capabilities = ${boolToZeroOne cfg.libvirtd.clearEmulationCapabilities}
+        ''
+        + optionalString (cfg.libvirtd.deviceACL != [ ]) ''
+          cgroup_device_acl = [
+            ${aclString}
+          ]
+        '';
+        qemu.swtpm.enable = mkDefault true; # TPM 2.0
+      };
+      spiceUSBRedirection.enable = mkDefault true;
+    };
+
+    users.users."qemu-libvirtd" = {
+      extraGroups = optionals (!cfg.libvirtd.qemu.runAsRoot) [
+        "kvm"
+        "input"
+      ];
+      isSystemUser = true;
+    };
+
+    programs.virt-manager.enable = mkDefault true;
+
+    environment.systemPackages = [
+      (pkgs.writeShellScriptBin "iommu-groups" (builtins.readFile ./iommu-groups.sh))
+      pkgs.dnsmasq
+      pkgs.qemu_full
+      pkgs.virtio-win
+    ];
+  };
+}