liminix/bordervm-configuration.nix

{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.bordervm;
  inherit (lib)
    mkOption
    mkEnableOption
    mdDoc
    types
    optional
    optionals
    ;
in
{
  options.bordervm = {
    keys = mkOption {
      type = types.listOf types.str;
      default = [ ];
    };
    l2tp = {
      host = mkOption {
        description = mdDoc ''
          Hostname or IP address of an L2TP LNS that this VM
          will connect to when it receives a PPPoE connection request
        '';
        type = types.str;
        example = "l2tp.example.org";
      };
      port = mkOption {
        description = mdDoc ''
          Port number, if non-standard, of the LNS.
        '';
        type = types.int;
        default = 1701;
      };
    };
    ethernet = {
      pci = {
        enable = mkEnableOption "passthru PCI ethernet";
        id = mkOption {
          description = ''
            Host PCI ID (as shown by `lspci`) of the ethernet adaptor
            to be used by the VM. This uses VFIO and requires setup
            on the emulation host before it will work!
          '';
          type = types.str;
          example = "04:00.0";
        };
      };
      usb = {
        enable = mkEnableOption "passthru USB ethernet";
        vendor = mkOption {
          type = types.str;
          example = "0x0bda";
        };
        product = mkOption {
          type = types.str;
          example = "0x8153";
        };
      };
    };
  };
  imports = [
    <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
  ];
  config = {
    boot.kernelParams = [ "loglevel=9" ];
    systemd.services.pppoe =
      let
        conf = pkgs.writeText "kpppoed.toml" ''
          interface_name = "eth1"
          services = [ "myservice" ]
          lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
          ac_name = "kpppoed-1.0"
        '';
      in
      {
        wantedBy = [ "multi-user.target" ];
        after = [ "network-online.target" ];
        serviceConfig = {
          ExecStart = "${pkgs.go-l2tp}/bin/kpppoed -config ${conf}";
        };
      };
    systemd.services.tufted = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.tufted}/bin/tufted /home/liminix/liminix";
      };
    };
    services.openssh.enable = true;
    services.dnsmasq = {
      enable = true;
      resolveLocalQueries = false;
      settings = {
        # domain-needed = true;
        dhcp-range = [ "10.0.0.10,10.0.0.240" ];
        interface = "eth1";
      };
    };

    services.nginx = {
      enable = true;
      user = "liminix";
      virtualHosts.${config.networking.hostName} = {
        root = "/home/liminix";
        default = true;
      };
    };
    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

    systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];

    virtualisation = {
      forwardPorts = [
        {
          from = "host";
          host.port = 7654;
          #        guest.address = "10.0.2.15";
          guest.port = 7654;
        }
        {
          host.port = 2222;
          guest.address = "10.0.2.15";
          guest.port = 22;
        }
      ];
      qemu = {
        networkingOptions = [ ];
        options =
          [ ]
          ++ optional cfg.ethernet.pci.enable "-device vfio-pci,host=${cfg.ethernet.pci.id}"
          ++ optionals cfg.ethernet.usb.enable [
            "-device usb-ehci,id=ehci"
            "-device usb-host,bus=ehci.0,vendorid=${cfg.ethernet.usb.vendor},productid=${cfg.ethernet.usb.product}"
          ]
          ++ [
            "-nographic"
            "-serial mon:stdio"
          ];
      };
      sharedDirectories = {
        liminix = {
          securityModel = "none";
          source = builtins.toString ./.;
          target = "/home/liminix/liminix";
        };
      };
    };

    services.tang = {
      enable = true;
      ipAddressAllow = [
        "10.0.0.0/24"
        "0.0.0.0/0"
      ];
    };

    environment.systemPackages =
      let
        wireshark-nogui = pkgs.wireshark.override { withQt = false; };
      in
      with pkgs;
      [
        tcpdump
        wireshark-nogui
        socat
        tufted
        iptables
        usbutils
        busybox
        clevis
      ];
    security.sudo.wheelNeedsPassword = false;
    networking = {
      hostName = "border";
      firewall = {
        enable = false;
      };
      interfaces.eth1 = {
        useDHCP = false;
        ipv4.addresses = [
          {
            address = "10.0.0.1";
            prefixLength = 24;
          }
        ];
      };
      nat = {
        enable = true;
        internalInterfaces = [ "eth1" ];
        externalInterface = "eth0";
      };
    };
    users.users.liminix = {
      isNormalUser = true;
      uid = 1000;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = cfg.keys;
    };
    services.getty.autologinUser = "liminix";
  };
}
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`let`
			`cfg = config.bordervm;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`inherit (lib)`
			`mkOption`
			`mkEnableOption`
			`mdDoc`
			`types`
			`optional`
			`optionals`
			`;`
			`in`
			`{`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`options.bordervm = {`
add authorized keys to bordervm You don't often need this because it has autologin, but sometimes you want to do antics involving sshing through it to the wan port of a test device. Note that you probably wanted to start bordervm with funny qemu options to even make that possible nix-shell --run "QEMU_NET_OPTS=hostfwd=tcp::10022-:22 run-border-vm" 2024-05-01 22:07:11 +00:00			`keys = mkOption {`
			`type = types.listOf types.str;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`default = [ ];`
add authorized keys to bordervm You don't often need this because it has autologin, but sometimes you want to do antics involving sshing through it to the wan port of a test device. Note that you probably wanted to start bordervm with funny qemu options to even make that possible nix-shell --run "QEMU_NET_OPTS=hostfwd=tcp::10022-:22 run-border-vm" 2024-05-01 22:07:11 +00:00			`};`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`l2tp = {`
			`host = mkOption {`
			`description = mdDoc ''`
			`Hostname or IP address of an L2TP LNS that this VM`
			`will connect to when it receives a PPPoE connection request`
			`'';`
			`type = types.str;`
			`example = "l2tp.example.org";`
			`};`
			`port = mkOption {`
			`description = mdDoc ''`
			`Port number, if non-standard, of the LNS.`
			`'';`
			`type = types.int;`
			`default = 1701;`
			`};`
			`};`
			`ethernet = {`
support USB ethernet in bordervm 2023-05-09 21:58:56 +00:00			`pci = {`
			`enable = mkEnableOption "passthru PCI ethernet";`
			`id = mkOption {`
			`description = ''`
			Host PCI ID (as shown by `lspci`) of the ethernet adaptor
			`to be used by the VM. This uses VFIO and requires setup`
			`on the emulation host before it will work!`
			`'';`
			`type = types.str;`
			`example = "04:00.0";`
			`};`
			`};`
			`usb = {`
			`enable = mkEnableOption "passthru USB ethernet";`
			`vendor = mkOption {`
			`type = types.str;`
			`example = "0x0bda";`
			`};`
			`product = mkOption {`
			`type = types.str;`
			`example = "0x8153";`
			`};`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`};`
			`};`
			`};`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`imports = [`
			`<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>`
			`];`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`config = {`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`boot.kernelParams = [ "loglevel=9" ];`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`systemd.services.pppoe =`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`let`
			`conf = pkgs.writeText "kpppoed.toml" ''`
			`interface_name = "eth1"`
			`services = [ "myservice" ]`
			`lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"`
			`ac_name = "kpppoed-1.0"`
			`'';`
			`in`
			`{`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network-online.target" ];`
			`serviceConfig = {`
			`ExecStart = "${pkgs.go-l2tp}/bin/kpppoed -config ${conf}";`
			`};`
			`};`
			`systemd.services.tufted = {`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`ExecStart = "${pkgs.tufted}/bin/tufted /home/liminix/liminix";`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`};`
			`};`
bordervm: add sshd, usbutils 2023-05-17 14:16:41 +00:00			`services.openssh.enable = true;`
run dhcp server on bordervm this is for testing clients that have dhcp upstream 2024-05-08 22:03:32 +00:00			`services.dnsmasq = {`
			`enable = true;`
			`resolveLocalQueries = false;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`settings = {`
run dhcp server on bordervm this is for testing clients that have dhcp upstream 2024-05-08 22:03:32 +00:00			`# domain-needed = true;`
			`dhcp-range = [ "10.0.0.10,10.0.0.240" ];`
			`interface = "eth1";`
			`};`
			`};`

set up nginx on bordervm for testing outboard secrets 2024-08-10 22:05:50 +00:00			`services.nginx = {`
			`enable = true;`
			`user = "liminix";`
			`virtualHosts.${config.networking.hostName} = {`
			`root = "/home/liminix";`
			`default = true;`
			`};`
			`};`
			`systemd.services.nginx.serviceConfig.ProtectHome = "read-only";`

bordervm: make configurable 2023-02-17 16:28:50 +00:00			`systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`virtualisation = {`
bordervm: expose ssh on port 2222 2024-12-22 16:01:38 +00:00			`forwardPorts = [`
			`{`
			`from = "host";`
			`host.port = 7654;`
			`# guest.address = "10.0.2.15";`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`guest.port = 7654;`
bordervm: expose ssh on port 2222 2024-12-22 16:01:38 +00:00			`}`
			`{`
			`host.port = 2222;`
			`guest.address = "10.0.2.15";`
			`guest.port = 22;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`}`
			`];`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`qemu = {`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`networkingOptions = [ ];`
			`options =`
			`[ ]`
			`++ optional cfg.ethernet.pci.enable "-device vfio-pci,host=${cfg.ethernet.pci.id}"`
			`++ optionals cfg.ethernet.usb.enable [`
support USB ethernet in bordervm 2023-05-09 21:58:56 +00:00			`"-device usb-ehci,id=ehci"`
			`"-device usb-host,bus=ehci.0,vendorid=${cfg.ethernet.usb.vendor},productid=${cfg.ethernet.usb.product}"`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`]`
			`++ [`
support USB ethernet in bordervm 2023-05-09 21:58:56 +00:00			`"-nographic"`
			`"-serial mon:stdio"`
			`];`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`};`
			`sharedDirectories = {`
			`liminix = {`
disable security for bordervm "liminix" share tftp needs to be able to follow symlinks into the store 2024-07-01 19:53:03 +00:00			`securityModel = "none";`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`source = builtins.toString ./.;`
			`target = "/home/liminix/liminix";`
			`};`
			`};`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`};`
border-vm: add tang service 2024-10-06 11:38:06 +00:00
			`services.tang = {`
			`enable = true;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`ipAddressAllow = [`
			`"10.0.0.0/24"`
			`"0.0.0.0/0"`
			`];`
border-vm: add tang service 2024-10-06 11:38:06 +00:00			`};`

bordervm: build wireshark without qt (we only want tshark anyway) 2024-01-03 17:02:31 +00:00			`environment.systemPackages =`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`let`
			`wireshark-nogui = pkgs.wireshark.override { withQt = false; };`
			`in`
			`with pkgs;`
			`[`
			`tcpdump`
			`wireshark-nogui`
			`socat`
			`tufted`
			`iptables`
			`usbutils`
			`busybox`
			`clevis`
			`];`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`security.sudo.wheelNeedsPassword = false;`
			`networking = {`
			`hostName = "border";`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`firewall = {`
			`enable = false;`
			`};`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`interfaces.eth1 = {`
			`useDHCP = false;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`ipv4.addresses = [`
			`{`
			`address = "10.0.0.1";`
			`prefixLength = 24;`
			`}`
			`];`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`};`
bordervm enable nat 2024-05-08 23:04:21 +00:00			`nat = {`
			`enable = true;`
			`internalInterfaces = [ "eth1" ];`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`externalInterface = "eth0";`
bordervm enable nat 2024-05-08 23:04:21 +00:00			`};`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`};`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`users.users.liminix = {`
			`isNormalUser = true;`
			`uid = 1000;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`extraGroups = [ "wheel" ];`
add authorized keys to bordervm You don't often need this because it has autologin, but sometimes you want to do antics involving sshing through it to the wan port of a test device. Note that you probably wanted to start bordervm with funny qemu options to even make that possible nix-shell --run "QEMU_NET_OPTS=hostfwd=tcp::10022-:22 run-border-vm" 2024-05-01 22:07:11 +00:00			`openssh.authorizedKeys.keys = cfg.keys;`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`};`
bordervm: make configurable 2023-02-17 16:28:50 +00:00			`services.getty.autologinUser = "liminix";`
extract borderVm config into separate file 2023-02-15 21:21:52 +00:00			`};`
			`}`