feat: add and enable virtualisation module (podman and libvirt)

hosts/andromedae/default.nix

@@ -133,6 +133,10 @@ in
     wal_recycle = "off";
   };
 
+  # ataraxia.virtualisation.docker = true;
+  ataraxia.virtualisation.libvirt = true;
+  ataraxia.virtualisation.podman = true;
+
   ataraxia.programs.corectrl.enable = true;
   ataraxia.programs.steam.enable = true;
   ataraxia.vpn.sing-box.enable = true;

modules/nixos/roles/default.nix

@@ -84,6 +84,8 @@ in
       serverRole = recursiveUpdate baseRole {
         ataraxia.profiles.hardened = mkDefault true;
         ataraxia.profiles.minimal = mkDefault true;
+        ataraxia.virtualisation.podman = mkDefault true;
+        ataraxia.virtualisation.libvirt = mkDefault true;
 
         time.timeZone = "Etc/UTC";
         zramSwap.memoryPercent = 100;
@@ -95,6 +97,8 @@ in
         ataraxia.wayland.enable = mkDefault true;
         ataraxia.wayland.hyprland.enable = mkDefault true;
 
+        programs.virt-manager.enable = config.ataraxia.virtualisation.libvirt;
+
         services.gvfs.enable = mkDefault true;
         # saved space, but you need to recompile gvfs
         services.gvfs.package = (

modules/nixos/virtualisation/virtualisation.nix

@@ -0,0 +1,110 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    hasAttr
+    mkEnableOption
+    mkIf
+    optionals
+    ;
+  cfg = config.ataraxia.virtualisation;
+
+  defaultUser = config.ataraxia.defaults.users.defaultUser;
+in
+{
+  options.ataraxia.virtualisation = {
+    docker = mkEnableOption "Enable docker";
+    libvirt = mkEnableOption "Enable libvirt";
+    podman = mkEnableOption "Enable podman";
+  };
+
+  config = mkIf (cfg.docker || cfg.libvirt || cfg.podman) {
+    virtualisation = {
+      oci-containers.backend = if (!cfg.podman && cfg.docker) then "docker" else "podman";
+      docker = {
+        enable = cfg.docker;
+        daemon.settings = {
+          features = {
+            buildkit = true;
+          };
+        };
+        storageDriver = "overlay2";
+      };
+      podman = {
+        enable = cfg.podman;
+        defaultNetwork.settings.dns_enabled = true;
+        dockerSocket.enable = !config.virtualisation.docker.enable;
+      };
+      containers.registries.search = [
+        "docker.io"
+        "ghcr.io"
+        "quay.io"
+      ];
+      containers.storage.settings = {
+        storage = {
+          driver = "overlay";
+          graphroot = "/var/lib/containers/storage";
+          runroot = "/run/containers/storage";
+        };
+      };
+      libvirtd = {
+        enable = cfg.libvirt;
+        qemu = {
+          ovmf.enable = true;
+          ovmf.packages = [
+            (pkgs.OVMFFull.override {
+              secureBoot = true;
+              tpmSupport = true;
+            }).fd
+          ];
+          runAsRoot = false;
+          swtpm.enable = true;
+        };
+        onBoot = "ignore";
+        onShutdown = "shutdown";
+      };
+
+      spiceUSBRedirection.enable = cfg.libvirt;
+    };
+
+    environment.systemPackages =
+      [ ]
+      ++ optionals cfg.docker [ pkgs.docker-compose ]
+      ++ optionals cfg.libvirt [ pkgs.virtiofsd ]
+      ++ optionals cfg.podman [ pkgs.podman-compose ];
+
+    users.users."qemu-libvirtd" = mkIf cfg.libvirt {
+      extraGroups = lib.optionals (!config.virtualisation.libvirtd.qemu.runAsRoot) [
+        "kvm"
+        "input"
+      ];
+    };
+
+    security.unprivilegedUsernsClone = true;
+
+    persist.state.directories = [
+      "/var/lib/docker"
+      "/var/lib/libvirt"
+      "/var/lib/containers"
+    ];
+
+    home-manager = mkIf (hasAttr "users" config.home-manager) {
+      users.${defaultUser} = {
+        home.file.".config/containers/storage.conf".text = ''
+          [storage]
+          driver = "overlay"
+        '';
+        home.file.".config/libvirt/libvirt.conf".text = ''
+          uri_default = "qemu:///system"
+        '';
+        persist.state.directories = [
+          ".config/containers"
+        ];
+      };
+    };
+  };
+}