modules.services.nixvirt: vnc use tls

This commit is contained in:
2025-05-02 20:46:34 +08:00
parent fc78f269e9
commit 015ae9d3a5
2 changed files with 51 additions and 29 deletions


@@ -33,7 +33,7 @@ inputs:
# 大部分空间用于存储虚拟机nodatacow其它内容不多
beesd."/".hashTableSizeMB = 32;
sshd = {};
nixvirt =
nixvirt.instance =
{
test = { memoryGB = 8; cpus = 4; address = 2; owner = "chn"; };
};


@@ -2,27 +2,35 @@ inputs:
{
options.nixos.services.nixvirt = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.attrsOf (types.submodule (submoduleInputs: { options =
let
hash = builtins.hashString "sha256" submoduleInputs.config._module.args.name;
createString = separator: parts: builtins.concatStringsSep separator
(builtins.map (p: builtins.substring (builtins.head p) (builtins.elemAt p 1) hash) parts);
in
type = types.nullOr (types.submodule { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = "phj.chn.moe"; };
instance = mkOption
{
uuid = mkOption
{
type = types.nonEmptyStr;
default = createString "-" [ [ 0 8 ] [ 8 4 ] [ 12 4 ] [ 16 4 ] [ 20 12 ] ];
};
storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
memoryGB = mkOption { type = types.ints.unsigned; };
cpus = mkOption { type = types.ints.unsigned; };
vncPort = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.address; };
mac = mkOption
{ type = types.nonEmptyStr; default = "02:${createString ":" [ [ 0 2 ] [ 2 2 ] [ 4 2 ] [ 6 2 ] [ 8 2 ] ]}"; };
address = mkOption { type = types.ints.unsigned; };
owner = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
};})));
type = types.attrsOf (types.submodule (submoduleInputs: { options =
let
hash = builtins.hashString "sha256" submoduleInputs.config._module.args.name;
createString = separator: parts: builtins.concatStringsSep separator
(builtins.map (p: builtins.substring (builtins.head p) (builtins.elemAt p 1) hash) parts);
in
{
uuid = mkOption
{
type = types.nonEmptyStr;
default = createString "-" [ [ 0 8 ] [ 8 4 ] [ 12 4 ] [ 16 4 ] [ 20 12 ] ];
};
storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
memoryGB = mkOption { type = types.ints.unsigned; };
cpus = mkOption { type = types.ints.unsigned; };
vncPort = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.address; };
mac = mkOption
{ type = types.nonEmptyStr; default = "02:${createString ":" [ [ 0 2 ] [ 2 2 ] [ 4 2 ] [ 6 2 ] [ 8 2 ] ]}"; };
address = mkOption { type = types.ints.unsigned; };
owner = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
};}));
default = {};
};
};});
default = null;
};
config = let inherit (inputs.config.nixos.services) nixvirt; in inputs.lib.mkIf (nixvirt != null)
@@ -37,7 +45,7 @@ inputs:
{
domains = builtins.map
(vm: { definition = inputs.config.sops.templates."${vm.name}.xml".path; active = true; })
(inputs.localLib.attrsToList nixvirt);
(inputs.localLib.attrsToList nixvirt.instance);
networks =
[{
definition =
@@ -46,7 +54,7 @@ inputs:
{ uuid = "8f403474-f8d6-4fa7-991a-f62f40d51191"; subnet_byte = 122; };
host = builtins.map
(vm: { inherit (vm) mac; ip = "192.168.122.${builtins.toString vm.address}"; })
(builtins.attrValues nixvirt);
(builtins.attrValues nixvirt.instance);
in lib.network.writeXML (base // { ip = base.ip // { dhcp = base.ip.dhcp // { inherit host; }; }; });
active = true;
}];
@@ -68,9 +76,16 @@ inputs:
''
namespaces = []
vnc_listen = "0.0.0.0"
vnc_tls = 1
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
default_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
'';
};
nixos.services.kvm = {};
nixos.services =
{
kvm = {};
acme.cert."${nixvirt.hostname}".group = "qemu-libvirtd";
};
sops =
{
templates = builtins.listToAttrs (builtins.map
@@ -109,11 +124,12 @@ inputs:
vcpu = { placement = "static"; count = vm.value.cpus; };
});
})
(inputs.localLib.attrsToList nixvirt));
(inputs.localLib.attrsToList nixvirt.instance));
secrets = builtins.listToAttrs (builtins.map
(vm: { name = "nixvirt/${vm}"; value = {}; }) (builtins.attrNames nixvirt));
(vm: { name = "nixvirt/${vm}"; value = {}; }) (builtins.attrNames nixvirt.instance));
placeholder = builtins.listToAttrs (builtins.map
(vm: { name = "nixvirt/${vm}"; value = builtins.hashString "sha256" vm; }) (builtins.attrNames nixvirt));
(vm: { name = "nixvirt/${vm}"; value = builtins.hashString "sha256" vm; })
(builtins.attrNames nixvirt.instance));
};
security.wrappers.vm =
{
@@ -124,7 +140,7 @@ inputs:
({
virsh = "${inputs.pkgs.libvirt}/bin/virsh";
vm =
let vms = builtins.groupBy (vm: vm.value.owner) (inputs.localLib.attrsToList nixvirt);
let vms = builtins.groupBy (vm: vm.value.owner) (inputs.localLib.attrsToList nixvirt.instance);
in builtins.listToAttrs (builtins.map (owner:
{
name = builtins.toString inputs.config.nixos.user.uid.${owner.name};
@@ -139,6 +155,12 @@ inputs:
group = "root";
setuid = true;
};
networking.firewall.allowedTCPPorts = builtins.map (vm: vm.vncPort) (builtins.attrValues nixvirt);
networking.firewall.allowedTCPPorts = builtins.map (vm: vm.vncPort) (builtins.attrValues nixvirt.instance);
environment.etc = let dir = inputs.config.security.acme.certs."${nixvirt.hostname}".directory; in
{
"pki/libvirt-vnc/ca-cert.pem".source = "${dir}/chain.pem";
"pki/libvirt-vnc/server-cert.pem".source = "${dir}/full.pem";
"pki/libvirt-vnc/server-key.pem".source = "${dir}/key.pem";
};
};
}
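Review bot: `vnc_tls = 1` in the qemu.conf hunk encrypts the VNC channel but does not authenticate clients, so with `vnc_listen = "0.0.0.0"` kept and every `vncPort` still opened in `networking.firewall.allowedTCPPorts`, any host that can reach the port gets a TLS session and only a VNC password or SASL (neither visible in this commit) would stand between it and the guest console. libvirt's `vnc_tls_x509_verify = 1` would demand a client certificate, but `ca-cert.pem` is pointed at the ACME `chain.pem`, so verification would then trust client certificates issued under that public CA rather than one you control; either verify against a private CA or pair TLS with `vnc_sasl = 1` or a per-domain password, and say which in a comment above `vnc_tls = 1`. The `"pki/libvirt-vnc/server-cert.pem".source = "${dir}/full.pem"` line also deserves a comment: if I recall the NixOS ACME layout correctly, `full.pem` bundles the private key with the chain, so `fullchain.pem` is the file a certificate slot should reference, leaving the key only in `server-key.pem`. The `config` attrset these hunks belong to is cut between hunks, so the password/SASL settings may exist outside the page.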