janezicmatej/matej.nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: janezicmatej:main
Branches Tags
janezicmatej:main
...
compare: janezicmatej:dff72f07032ce524b4a89048ef8c95c58e8e28d6
Branches Tags
janezicmatej:main

6 Commits
main ... dff72f0703

Author SHA1 Message Date
Matej Janežič
dff72f0703 merge: harden ephvm 2026-04-24 14:13:24 +02:00
Matej Janežič
0c17996d16 feat: tighten ephvm perms, zstd compress qcow2 
lock /home/matej/.config to 0700 (was 0755). post-process qcow2
with parallel zstd on qcow2 v3 via qemu-img convert; smaller
image and faster decompress than the built-in qcow2-compressed.
 2026-04-23 21:32:04 +00:00
Matej Janežič
9ffc640c44 feat: prune vm-guest module 
drop services.qemuGuest.enable (unused — serial + ssh cover
everything), drop sshfs package (unused), drop boot.kernelModules
for 9p since initrd availableKernelModules autoloads on first
mount.
 2026-04-23 21:30:32 +00:00
Matej Janežič
fbcded1f9d feat: ephvm-run.sh virtio devices, require kvm 
explicit virtio-blk-pci (cache=writeback, discard=unmap,
detect-zeroes=unmap, aio=threads), virtio-net-pci, virtio-rng-pci
for guest entropy. hard-require /dev/kvm and always pass -cpu host;
drop the tcg fallback since this host always has kvm.
 2026-04-23 21:29:57 +00:00
Matej Janežič
082057226d feat: ephvm-run.sh resilience 
poll for real SSH banner instead of TCP accept (qemu's user-mode
nic accepts before guest sshd is listening), preserve qemu log
on abnormal exit for inspection, use a throwaway ed25519 key
since the guest accepts any key.
 2026-04-23 21:29:24 +00:00
Matej Janežič
620acf68a6 feat: harden ephvm-run.sh 
reject running as root, bind ssh hostfwd to 127.0.0.1 only,
reject commas in --mount and claude paths (prevents -virtfs csv
injection), pre-check --mount path exists, enable qemu seccomp
sandbox.
 2026-04-23 21:28:51 +00:00
Expand all files Collapse all files

Diff Content Not Available