diff --git a/hosts/andromedae/default.nix b/hosts/andromedae/default.nix index 4598354..9ef13be 100644 --- a/hosts/andromedae/default.nix +++ b/hosts/andromedae/default.nix @@ -133,6 +133,10 @@ in wal_recycle = "off"; }; + # ataraxia.virtualisation.docker = true; + ataraxia.virtualisation.libvirt = true; + ataraxia.virtualisation.podman = true; + ataraxia.programs.corectrl.enable = true; ataraxia.programs.steam.enable = true; ataraxia.vpn.sing-box.enable = true; diff --git a/modules/nixos/roles/default.nix b/modules/nixos/roles/default.nix index 7377097..072f6e7 100644 --- a/modules/nixos/roles/default.nix +++ b/modules/nixos/roles/default.nix @@ -84,6 +84,8 @@ in serverRole = recursiveUpdate baseRole { ataraxia.profiles.hardened = mkDefault true; ataraxia.profiles.minimal = mkDefault true; + ataraxia.virtualisation.podman = mkDefault true; + ataraxia.virtualisation.libvirt = mkDefault true; time.timeZone = "Etc/UTC"; zramSwap.memoryPercent = 100; @@ -95,6 +97,8 @@ in ataraxia.wayland.enable = mkDefault true; ataraxia.wayland.hyprland.enable = mkDefault true; + programs.virt-manager.enable = config.ataraxia.virtualisation.libvirt; + services.gvfs.enable = mkDefault true; # saved space, but you need to recompile gvfs services.gvfs.package = ( diff --git a/modules/nixos/virtualisation/virtualisation.nix b/modules/nixos/virtualisation/virtualisation.nix new file mode 100644 index 0000000..a1be334 --- /dev/null +++ b/modules/nixos/virtualisation/virtualisation.nix 
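Review bot: Turning on `ataraxia.virtualisation.podman` and `ataraxia.virtualisation.libvirt` for every serverRole host is a large default to take next to `profiles.hardened`: judging by the new virtualisation module in this same commit, enabling either backend also sets `security.unprivilegedUsernsClone = true` without `mkDefault`, so a hardened profile that disables unprivileged user namespaces would be silently overridden (or, if it sets the value without `mkDefault`, fail with an option conflict) on every server. Libvirt in particular is rarely needed on a headless server and brings libvirtd, qemu, OVMF and swtpm with it. I would leave both off in the role and opt in per host, or at minimum keep only `ataraxia.virtualisation.podman = mkDefault true;` here. The `serverRole` attribute set continues past the end of this hunk.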
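Review bot: `programs.virt-manager.enable = config.ataraxia.virtualisation.libvirt;` is the only assignment in this hunk not wrapped in `mkDefault`, so a host cannot turn virt-manager off while keeping libvirt on without resorting to `mkForce`; `programs.virt-manager.enable = mkDefault config.ataraxia.virtualisation.libvirt;` keeps it consistent with the surrounding `ataraxia.wayland.*` lines. The enclosing role definition starts and ends outside this hunk.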
@@ -0,0 +1,110 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ hasAttr
+ mkEnableOption
+ mkIf
+ optionals
+ ;
+ cfg = config.ataraxia.virtualisation;
+
+ defaultUser = config.ataraxia.defaults.users.defaultUser;
+in
+{
+ options.ataraxia.virtualisation = {
+ docker = mkEnableOption "Enable docker";
+ libvirt = mkEnableOption "Enable libvirt";
+ podman = mkEnableOption "Enable podman";
+ };
+
+ config = mkIf (cfg.docker || cfg.libvirt || cfg.podman) {
+ virtualisation = {
+ oci-containers.backend = if (!cfg.podman && cfg.docker) then "docker" else "podman";
+ docker = {
+ enable = cfg.docker;
+ daemon.settings = {
+ features = {
+ buildkit = true;
+ };
+ };
+ storageDriver = "overlay2";
+ };
+ podman = {
+ enable = cfg.podman;
+ defaultNetwork.settings.dns_enabled = true;
+ dockerSocket.enable = !config.virtualisation.docker.enable;
+ };
+ containers.registries.search = [
+ "docker.io"
+ "ghcr.io"
+ "quay.io"
+ ];
+ containers.storage.settings = {
+ storage = {
+ driver = "overlay";
+ graphroot = "/var/lib/containers/storage";
+ runroot = "/run/containers/storage";
+ };
+ };
+ libvirtd = {
+ enable = cfg.libvirt;
+ qemu = {
+ ovmf.enable = true;
+ ovmf.packages = [
+ (pkgs.OVMFFull.override {
+ secureBoot = true;
+ tpmSupport = true;
+ }).fd
+ ];
+ runAsRoot = false;
+ swtpm.enable = true;
+ };
+ onBoot = "ignore";
+ onShutdown = "shutdown";
+ };
+
+ spiceUSBRedirection.enable = cfg.libvirt;
+ };
+
+ environment.systemPackages =
+ [ ]
+ ++ optionals cfg.docker [ pkgs.docker-compose ]
+ ++ optionals cfg.libvirt [ pkgs.virtiofsd ]
+ ++ optionals cfg.podman [ pkgs.podman-compose ];
+
+ users.users."qemu-libvirtd" = mkIf cfg.libvirt {
+ extraGroups = lib.optionals (!config.virtualisation.libvirtd.qemu.runAsRoot) [
+ "kvm"
+ "input"
+ ];
+ };
+
+ security.unprivilegedUsernsClone = true;
+
+ persist.state.directories = [
+ "/var/lib/docker"
+ "/var/lib/libvirt"
+ "/var/lib/containers"
+ ];
+
+ home-manager = mkIf (hasAttr "users" config.home-manager) {
+ users.${defaultUser} = {
+ home.file.".config/containers/storage.conf".text = ''
+ [storage]
+ driver = "overlay"
+ '';
+ home.file.".config/libvirt/libvirt.conf".text = ''
+ uri_default = "qemu:///system"
+ '';
+ persist.state.directories = [
+ ".config/containers"
+ ];
+ };
+ };
+ };
+}
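Review bot: `security.unprivilegedUsernsClone = true;` is applied whenever any of the three backends is enabled, including a libvirt-only host that has no need for unprivileged user namespaces, and it is set without `mkDefault`, so it will win over (or conflict with) a hardened profile that disables it; scope it to the backend that needs it, `security.unprivilegedUsernsClone = mkIf cfg.podman (lib.mkDefault true);`, and leave the decision to the host otherwise. Adding `qemu-libvirtd` to the `input` group gives every non-root QEMU process read access to the host's `/dev/input` devices (keyboards included), which is only needed for evdev passthrough and noticeably widens what a guest escape could reach; if that is intentional, a comment such as `# "input": evdev passthrough only; drop if not used` next to `"input"` would make it deliberate, otherwise remove it. `containers.registries.search` with three entries means an unqualified image name like `nginx` is resolved by trying registries in order, which invites name-squatting on the later ones; prefer fully qualified references in `oci-containers` definitions and consider setting `short-name-mode = "enforcing"` in registries.conf so ambiguous short names are refused rather than guessed. Exposing the podman docker-compat socket via `dockerSocket.enable` also deserves a comment, since as far as I recall the NixOS module makes that socket writable by the `podman` group, and membership there is then equivalent to root on the host.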