wip

2026-03-02 16:35:14 +01:00
parent d182532b34
commit a511c65d84
17 changed files with 741 additions and 52 deletions
--- a/modules/nixos/aarch64-vm.nix
+++ b/modules/nixos/aarch64-vm.nix
@@ -0,0 +1,14 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  options = {
+    aarch64-vm.enable = lib.mkEnableOption "aarch64 virtualisation support";
+  };
+
+  config = lib.mkIf config.aarch64-vm.enable {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  };
+}
--- a/modules/nixos/seed-ssh.nix
+++ b/modules/nixos/seed-ssh.nix
@@ -0,0 +1,69 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
+  options = {
+    seed-ssh = {
+      enable = lib.mkEnableOption "SSH key injection from seed ISO";
+
+      user = lib.mkOption {
+        type = lib.types.str;
+        description = "user to install authorized_keys for";
+      };
+
+      label = lib.mkOption {
+        type = lib.types.str;
+        default = "SEEDCONFIG";
+        description = "volume label of the seed ISO";
+      };
+    };
+  };
+
+  config = lib.mkIf config.seed-ssh.enable {
+    systemd.services.seed-ssh = {
+      description = "Install SSH authorized_keys from seed ISO";
+      after = [
+        "local-fs.target"
+        "nss-user-lookup.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart =
+          let
+            cfg = config.seed-ssh;
+            inherit (cfg) user;
+            inherit (config.users.users.${user}) home group;
+          in
+          pkgs.writeShellScript "seed-ssh" ''
+            # try by-label first, then scan block devices for the volume label
+            DEVICE="/dev/disk/by-label/${cfg.label}"
+            if [ ! -e "$DEVICE" ]; then
+              DEVICE=$(${pkgs.util-linux}/bin/blkid -t LABEL="${cfg.label}" -o device | head -1)
+            fi
+
+            if [ -z "$DEVICE" ] || [ ! -e "$DEVICE" ]; then
+              echo "seed ISO not found, skipping"
+              exit 0
+            fi
+
+            MOUNT=$(mktemp -d)
+            ${pkgs.util-linux}/bin/mount -o ro "$DEVICE" "$MOUNT"
+
+            mkdir -p "${home}/.ssh"
+            cp "$MOUNT/authorized_keys" "${home}/.ssh/authorized_keys"
+            chmod 700 "${home}/.ssh"
+            chmod 600 "${home}/.ssh/authorized_keys"
+            chown -R ${user}:${group} "${home}/.ssh"
+
+            ${pkgs.util-linux}/bin/umount "$MOUNT"
+            rmdir "$MOUNT"
+          '';
+      };
+    };
+  };
+}
--- a/modules/nixos/vm-guest.nix
+++ b/modules/nixos/vm-guest.nix
@@ -0,0 +1,62 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
+
+  options = {
+    vm-guest = {
+      enable = lib.mkEnableOption "VM guest configuration";
+      headless = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "run without display, serial console only";
+      };
+    };
+  };
+
+  config = lib.mkIf config.vm-guest.enable {
+    services.qemuGuest.enable = true;
+    services.spice-vdagentd.enable = lib.mkIf (!config.vm-guest.headless) true;
+
+    boot.kernelParams = lib.mkIf config.vm-guest.headless [ "console=ttyS0,115200" ];
+
+    # 9p for host file mounting
+    boot.initrd.availableKernelModules = [
+      "9p"
+      "9pnet_virtio"
+    ];
+    boot.kernelModules = [
+      "9p"
+      "9pnet_virtio"
+    ];
+
+    # ssh with agent forwarding for git and hot-mount
+    services.openssh = {
+      enable = true;
+      ports = [ 22 ];
+      settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        AllowAgentForwarding = true;
+        StreamLocalBindUnlink = "yes";
+      };
+    };
+
+    networking = {
+      useDHCP = true;
+      firewall.allowedTCPPorts = [ 22 ];
+    };
+
+    security.sudo.wheelNeedsPassword = false;
+
+    environment.systemPackages = with pkgs; [
+      curl
+      wget
+      htop
+      sshfs
+    ];
+  };
+}