diff --git a/provision/local/.placeholder b/provision/local/.placeholder
new file mode 100644
index 00000000..e69de29b
diff --git a/provision/local/gpu-passthrough/libvirtd.conf b/provision/local/gpu-passthrough/libvirtd.conf
deleted file mode 100644
index 7818f0bb..00000000
--- a/provision/local/gpu-passthrough/libvirtd.conf
+++ /dev/null
@@ -1,520 +0,0 @@ -# Master libvirt daemon configuration file -# - -################################################################# -# -# Network connectivity controls -# - -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 - -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -#listen_tcp = 1 - - - -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -# This setting is not required or honoured if using systemd socket -# activation with systemd version >= 227 -# -#tls_port = "16514" - -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -# This setting is not required or honoured if using systemd socket -# activation with systemd version >= 227 -# -#tcp_port = "16509" - - -# Override the default configuration which binds to all network -# interfaces. This can be a numeric IPv4/6 address, or hostname -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# If the libvirtd service is started in parallel with network -# startup (e.g. 
with systemd), binding to addresses other than -# the wildcards (0.0.0.0/::) might not be available yet. -# -#listen_addr = "192.168.0.1" - - -################################################################# -# -# UNIX socket access controls -# - -# Set the UNIX domain socket group ownership. This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# This is restricted to 'root' by default. - unix_sock_group="libvirt" - -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Default allows any user. If setting group ownership, you may want to -# restrict this too. - unix_sock_ro_perms="0777" - -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control, then you may want to relax this too. -#unix_sock_rw_perms = "0770" - -# Set the UNIX socket permissions for the admin interface socket. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Default allows only owner (root), do not change it unless you are -# sure to whom you are exposing the access to. -#unix_sock_admin_perms = "0700" - -# Set the name of the directory in which sockets will be found/created. -# -# This setting is not required or honoured if using systemd socket -# activation with systemd version >= 227 -# -#unix_sock_dir = "/run/libvirt" - - - -################################################################# -# -# Authentication. 
-# -# There are the following choices available: -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. -# - -# Set an authentication scheme for UNIX read-only sockets -# -# By default socket permissions allow anyone to connect -# -# If libvirt was compiled without support for 'polkit', then -# no access control checks are done, but libvirt still only -# allows execution of APIs which don't change state. -# -# If libvirt was compiled with support for 'polkit', then -# the libvirt socket will perform a check with polkit after -# connections. The default policy still allows any local -# user access. -# -# To restrict monitoring of domains you may wish to either -# enable 'sasl' here, or change the polkit policy definition. -#auth_unix_ro = "polkit" - -# Set an authentication scheme for UNIX read-write sockets. -# -# If libvirt was compiled without support for 'polkit', then -# the systemd .socket files will use SocketMode=0600 by default -# thus only allowing root user to connect, and 'auth_unix_rw' -# will default to 'none'. -# -# If libvirt was compiled with support for 'polkit', then -# the systemd .socket files will use SocketMode=0666 which -# allows any user to connect and 'auth_unix_rw' will default -# to 'polkit'. 
If you disable use of 'polkit' here, then it -# is essential to change the systemd SocketMode parameter -# back to 0600, to avoid an insecure configuration. -# -#auth_unix_rw = "polkit" - -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" - -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -#auth_tls = "none" - - -# Change the API access control scheme -# -# By default an authenticated user is allowed access -# to all APIs. Access drivers can place restrictions -# on this. By default the 'nop' driver is enabled, -# meaning no access control checks are done once a -# client has authenticated with libvirtd -# -#access_drivers = [ "polkit" ] - -################################################################# -# -# TLS x509 certificate configuration -# - -# Use of TLS requires that x509 certificates be issued. The default locations -# for the certificate files is as follows: -# -# /etc/pki/CA/cacert.pem - The CA master certificate -# /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem -# /etc/pki/libvirt/private/serverkey.pem - The server private key -# -# It is possible to override the default locations by altering the 'key_file', -# 'cert_file', and 'ca_file' values and uncommenting them below. -# -# NB, overriding the default of one location requires uncommenting and -# possibly additionally overriding the other settings. 
-# - -# Override the default server key file path -# -#key_file = "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -#cert_file = "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -#ca_file = "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -#crl_file = "/etc/pki/CA/crl.pem" - - - -################################################################# -# -# Authorization controls -# - - -# Flag to disable verification of our own server certificates -# -# When libvirtd starts it performs some sanity checks against -# its own certificates. -# -# Default is to always run sanity checks. Uncommenting this -# will disable sanity checks which is not a good idea -#tls_no_sanity_certificate = 1 - -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. -# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification. -#tls_no_verify_certificate = 1 - - -# An access control list of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the g_pattern_match function for the format of the wildcards: -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -#tls_allowed_dn_list = ["DN1", "DN2"] - - -# Override the compile time default TLS priority string. The -# default is usually "NORMAL" unless overridden at build time. -# Only set this is it is desired for libvirt to deviate from -# the global default settings. 
-# -#tls_priority="NORMAL" - - -# An access control list of allowed SASL usernames. The format for username -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the g_pattern_match function for the format of the wildcards. -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] - - -################################################################# -# -# Processing controls -# - -# The maximum number of concurrent client connections to allow -# over all sockets combined. -#max_clients = 5000 - -# The maximum length of queue of connections waiting to be -# accepted by the daemon. Note, that some protocols supporting -# retransmission may obey this so that a later reattempt at -# connection succeeds. -#max_queued_clients = 1000 - -# The maximum length of queue of accepted but not yet -# authenticated clients. The default value is 20. Set this to -# zero to turn this feature off. -#max_anonymous_clients = 20 - -# The minimum limit sets the number of workers to start up -# initially. If the number of active clients exceeds this, -# then more threads are spawned, up to max_workers limit. -# Typically you'd want max_workers to equal maximum number -# of clients allowed -#min_workers = 5 -#max_workers = 20 - - -# The number of priority workers. If all workers from above -# pool are stuck, some calls marked as high priority -# (notably domainDestroy) can be executed in this pool. -#prio_workers = 5 - -# Limit on concurrent requests from a single client -# connection. 
To avoid one client monopolizing the server -# this should be a small fraction of the global max_workers -# parameter. -#max_client_requests = 5 - -# Same processing controls, but this time for the admin interface. -# For description of each option, be so kind to scroll few lines -# upwards. - -#admin_min_workers = 1 -#admin_max_workers = 5 -#admin_max_clients = 5 -#admin_max_queued_clients = 5 -#admin_max_client_requests = 5 - -################################################################# -# -# Logging controls -# - -# Logging level: 4 errors, 3 warnings, 2 information, 1 debug -# basically 1 will log everything possible -# -# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. -# -# WARNING: It outputs too much information to practically read. -# WARNING: The "log_filters" setting is recommended instead. -# -# WARNING: Journald applies rate limiting of messages and so libvirt -# WARNING: will limit "log_level" to only allow values 3 or 4 if -# WARNING: journald is the current output. -# -# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. -#log_level = 3 - -# Logging filters: -# A filter allows to select a different logging level for a given category -# of logs. The format for a filter is: -# -# level:match -# -# where 'match' is a string which is matched against the category -# given in the VIR_LOG_INIT() at the top of each libvirt source -# file, e.g., "remote", "qemu", or "util.json". The 'match' in the -# filter matches using shell wildcard syntax (see 'man glob(7)'). -# The 'match' is always treated as a substring match. IOW a match -# string 'foo' is equivalent to '*foo*'. -# -# 'level' is the minimal level where matching messages should -# be logged: -# -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple filters can be defined in a single @log_filters, they just need -# to be separated by spaces. Note that libvirt performs "first" match, i.e. 
-# if there are concurrent filters, the first one that matches will be applied, -# given the order in @log_filters. -# -# A typical need is to capture information from a hypervisor driver, -# public API entrypoints and some of the utility code. Some utility -# code is very verbose and is generally not desired. Taking the QEMU -# hypervisor as an example, a suitable filter string for debugging -# might be to turn off object, json & event logging, but enable the -# rest of the util code: -# - log_filters="1:qemu" - -# Logging outputs: -# An output is one of the places to save logging information -# The format for an output can be: -# level:stderr -# output goes to stderr -# level:syslog:name -# use syslog for the output and use the given name as the ident -# level:file:file_path -# output to a file, with the given filepath -# level:journald -# output to journald logging system -# In all cases 'level' is the minimal priority, acting as a filter -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple outputs can be defined, they just need to be separated by spaces. -# e.g. to log all warnings and errors to syslog under the libvirtd ident: - log_outputs="1:file:/var/log/libvirt/libvirtd.log" - - -################################################################## -# -# Auditing -# -# This setting allows usage of the auditing subsystem to be altered: -# -# audit_level == 0 -> disable all auditing -# audit_level == 1 -> enable auditing, only if enabled on host (default) -# audit_level == 2 -> enable auditing, and exit if disabled on host -# -#audit_level = 2 -# -# If set to 1, then audit messages will also be sent -# via libvirt logging infrastructure. Defaults to 0 -# -#audit_logging = 1 - -################################################################### -# UUID of the host: -# Host UUID is read from one of the sources specified in host_uuid_source. 
-# -# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' -# - 'machine-id': fetch the UUID from /etc/machine-id -# -# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide -# a valid UUID a temporary UUID will be generated. -# -# Another option is to specify host UUID in host_uuid. -# -# Keep the format of the example UUID below. UUID must not have all digits -# be the same. - -# NB This default all-zeros UUID will not work. Replace -# it with the output of the 'uuidgen' command and then -# uncomment this entry -#host_uuid = "00000000-0000-0000-0000-000000000000" -#host_uuid_source = "smbios" - -################################################################### -# Keepalive protocol: -# This allows libvirtd to detect broken client connections or even -# dead clients. A keepalive message is sent to a client after -# keepalive_interval seconds of inactivity to check if the client is -# still responding; keepalive_count is a maximum number of keepalive -# messages that are allowed to be sent to the client without getting -# any response before the connection is considered broken. In other -# words, the connection is automatically closed approximately after -# keepalive_interval * (keepalive_count + 1) seconds since the last -# message received from the client. If keepalive_interval is set to -# -1, libvirtd will never send keepalive requests; however clients -# can still send them and the daemon will send responses. When -# keepalive_count is set to 0, connections will be automatically -# closed after keepalive_interval seconds of inactivity without -# sending any keepalive messages. -# -#keepalive_interval = 5 -#keepalive_count = 5 - -# -# These configuration options are no longer used. There is no way to -# restrict such clients from connecting since they first need to -# connect in order to ask for keepalive. 
-#
-#keepalive_required = 1
-#admin_keepalive_required = 1
-
-# Keepalive settings for the admin interface
-#admin_keepalive_interval = 5
-#admin_keepalive_count = 5
-
-###################################################################
-# Open vSwitch:
-# This allows to specify a timeout for openvswitch calls made by
-# libvirt. The ovs-vsctl utility is used for the configuration and
-# its timeout option is set by default to 5 seconds to avoid
-# potential infinite waits blocking libvirt.
-#
-#ovs_timeout = 5
diff --git a/provision/local/gpu-passthrough/patch.rom b/provision/local/gpu-passthrough/patch.rom
deleted file mode 100644
index 2f88172c..00000000
Binary files a/provision/local/gpu-passthrough/patch.rom and /dev/null differ
diff --git a/provision/local/gpu-passthrough/qemu b/provision/local/gpu-passthrough/qemu
deleted file mode 100755
index 5c7eb1eb..00000000
--- a/provision/local/gpu-passthrough/qemu
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/run/current-system/sw/bin/bash
-
-#
-# Author: Sebastiaan Meijer (sebastiaan@passthroughpo.st)
-#
-# Copy this file to /etc/libvirt/hooks, make sure it's called "qemu".
-# After this file is installed, restart libvirt.
-# From now on, you can easily add per-guest qemu hooks.
-# Add your hooks in /etc/libvirt/hooks/qemu.d/vm_name/hook_name/state_name.
-# For a list of available hooks, please refer to https://www.libvirt.org/hooks.html
-#
-
-GUEST_NAME="$1"
-HOOK_NAME="$2"
-STATE_NAME="$3"
-MISC="${@:4}"
-
-BASEDIR="$(dirname $0)"
-
-HOOKPATH="$BASEDIR/qemu.d/$GUEST_NAME/$HOOK_NAME/$STATE_NAME"
-
-set -e # If a script exits with an error, we should as well.
-
-# check if it's a non-empty executable file
-if [ -f "$HOOKPATH" ] && [ -s "$HOOKPATH" ] && [ -x "$HOOKPATH" ]; then
- eval \"$HOOKPATH\" "$@"
-elif [ -d "$HOOKPATH" ]; then
- while read file; do
- # check for null string
- if [ ! -z "$file" ]; then
- eval \"$file\" "$@"
- fi
- done <<< "$(find -L "$HOOKPATH" -maxdepth 1 -type f -executable -print;)"
-fi
-
diff --git a/provision/local/gpu-passthrough/qemu.conf b/provision/local/gpu-passthrough/qemu.conf
deleted file mode 100644
index a25c539b..00000000
--- a/provision/local/gpu-passthrough/qemu.conf
+++ /dev/null
@@ -1,954 +0,0 @@ -# Master configuration file for the QEMU driver. -# All settings described here are optional - if omitted, sensible -# defaults are used. - -# Use of TLS requires that x509 certificates be issued. The default is -# to keep them in /etc/pki/qemu. This directory must contain -# -# ca-cert.pem - the CA master certificate -# server-cert.pem - the server certificate signed with ca-cert.pem -# server-key.pem - the server private key -# -# and optionally may contain -# -# dh-params.pem - the DH params configuration file -# -# If the directory does not exist, libvirtd will fail to start. If the -# directory doesn't contain the necessary files, QEMU domains will fail -# to start if they are configured to use TLS. -# -# In order to overwrite the default path alter the following. This path -# definition will be used as the default path for other *_tls_x509_cert_dir -# configuration settings if their default path does not exist or is not -# specifically set. -# -#default_tls_x509_cert_dir = "/etc/pki/qemu" - - -# The default TLS configuration only uses certificates for the server -# allowing the client to verify the server's identity and establish -# an encrypted channel. -# -# It is possible to use x509 certificates for authentication too, by -# issuing an x509 certificate to every client who needs to connect. -# -# Enabling this option will reject any client who does not have a -# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem -# -# The default_tls_x509_cert_dir directory must also contain -# -# client-cert.pem - the client certificate signed with the ca-cert.pem -# client-key.pem - the client private key -# -# If this option is supplied it provides the default for the "_verify" option -# of specific TLS users such as vnc, backups, migration, etc. The specific -# users of TLS may override this by setting the specific "_verify" option. -# -# When not supplied the specific TLS users provide their own defaults. 
-# -#default_tls_x509_verify = 1 - -# -# Libvirt assumes the server-key.pem file is unencrypted by default. -# To use an encrypted server-key.pem file, the password to decrypt -# the PEM file is required. This can be provided by creating a secret -# object in libvirt and then to uncomment this setting to set the UUID -# of the secret. -# -# NB This default all-zeros UUID will not work. Replace it with the -# output from the UUID for the TLS secret from a 'virsh secret-list' -# command and then uncomment the entry -# -#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# VNC is configured to listen on 127.0.0.1 by default. -# To make it listen on all public interfaces, uncomment -# this next option. -# -# NB, strong recommendation to enable TLS + x509 certificate -# verification when allowing public access -# -#vnc_listen = "0.0.0.0" - -# Enable this option to have VNC served over an automatically created -# unix socket. This prevents unprivileged access from users on the -# host machine, though most VNC clients do not support it. -# -# This will only be enabled for VNC configurations that have listen -# type=address but without any address specified. This setting takes -# preference over vnc_listen. -# -#vnc_auto_unix_socket = 1 - -# Enable use of TLS encryption on the VNC server. This requires -# a VNC client which supports the VeNCrypt protocol extension. -# Examples include vinagre, virt-viewer, virt-manager and vencrypt -# itself. UltraVNC, RealVNC, TightVNC do not support this -# -# It is necessary to setup CA and issue a server certificate -# before enabling this. -# -#vnc_tls = 1 - - -# In order to override the default TLS certificate location for -# vnc certificates, supply a valid path to the certificate directory. -# If the provided path does not exist, libvirtd will fail to start. -# If the path is not provided, but vnc_tls = 1, then the -# default_tls_x509_cert_dir path will be used. 
-# -#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" - - -# Uncomment and use the following option to override the default secret -# UUID provided in the default_tls_x509_secret_uuid parameter. -# -#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# The default TLS configuration only uses certificates for the server -# allowing the client to verify the server's identity and establish -# an encrypted channel. -# -# It is possible to use x509 certificates for authentication too, by -# issuing an x509 certificate to every client who needs to connect. -# -# Enabling this option will reject any client that does not have a -# certificate (as described in default_tls_x509_verify) signed by the -# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir). -# -# If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either, -# the default is "0". -# -#vnc_tls_x509_verify = 1 - - -# The default VNC password. Only 8 bytes are significant for -# VNC passwords. This parameter is only used if the per-domain -# XML config does not already provide a password. To allow -# access without passwords, leave this commented out. An empty -# string will still enable passwords, but be rejected by QEMU, -# effectively preventing any use of VNC. Obviously change this -# example here before you set this. -# -#vnc_password = "XYZ12345" - - -# Enable use of SASL encryption on the VNC server. This requires -# a VNC client which supports the SASL protocol extension. -# Examples include vinagre, virt-viewer and virt-manager -# itself. UltraVNC, RealVNC, TightVNC do not support this -# -# It is necessary to configure /etc/sasl2/qemu.conf to choose -# the desired SASL plugin (eg, GSSPI for Kerberos) -# -#vnc_sasl = 1 - - -# The default SASL configuration file is located in /etc/sasl2/ -# When running libvirtd unprivileged, it may be desirable to -# override the configs in this location. 
Set this parameter to -# point to the directory, and create a qemu.conf in that location -# -#vnc_sasl_dir = "/some/directory/sasl2" - - -# QEMU implements an extension for providing audio over a VNC connection, -# though if your VNC client does not support it, your only chance for getting -# sound output is through regular audio backends. By default, libvirt will -# disable all QEMU sound backends if using VNC, since they can cause -# permissions issues. Enabling this option will make libvirtd honor the -# QEMU_AUDIO_DRV environment variable when using VNC. -# -#vnc_allow_host_audio = 0 - - - -# SPICE is configured to listen on 127.0.0.1 by default. -# To make it listen on all public interfaces, uncomment -# this next option. -# -# NB, strong recommendation to enable TLS + x509 certificate -# verification when allowing public access -# -#spice_listen = "0.0.0.0" - - -# Enable use of TLS encryption on the SPICE server. -# -# It is necessary to setup CA and issue a server certificate -# before enabling this. -# -#spice_tls = 1 - - -# In order to override the default TLS certificate location for -# spice certificates, supply a valid path to the certificate directory. -# If the provided path does not exist, libvirtd will fail to start. -# If the path is not provided, but spice_tls = 1, then the -# default_tls_x509_cert_dir path will be used. -# -#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" - - -# Enable this option to have SPICE served over an automatically created -# unix socket. This prevents unprivileged access from users on the -# host machine. -# -# This will only be enabled for SPICE configurations that have listen -# type=address but without any address specified. This setting takes -# preference over spice_listen. -# -#spice_auto_unix_socket = 1 - - -# The default SPICE password. This parameter is only used if the -# per-domain XML config does not already provide a password. To -# allow access without passwords, leave this commented out. 
An -# empty string will still enable passwords, but be rejected by -# QEMU, effectively preventing any use of SPICE. Obviously change -# this example here before you set this. -# -#spice_password = "XYZ12345" - - -# Enable use of SASL encryption on the SPICE server. This requires -# a SPICE client which supports the SASL protocol extension. -# -# It is necessary to configure /etc/sasl2/qemu.conf to choose -# the desired SASL plugin (eg, GSSPI for Kerberos) -# -#spice_sasl = 1 - -# The default SASL configuration file is located in /etc/sasl2/ -# When running libvirtd unprivileged, it may be desirable to -# override the configs in this location. Set this parameter to -# point to the directory, and create a qemu.conf in that location -# -#spice_sasl_dir = "/some/directory/sasl2" - -# Enable use of TLS encryption on the chardev TCP transports. -# -# It is necessary to setup CA and issue a server certificate -# before enabling this. -# -#chardev_tls = 1 - - -# In order to override the default TLS certificate location for character -# device TCP certificates, supply a valid path to the certificate directory. -# If the provided path does not exist, libvirtd will fail to start. -# If the path is not provided, but chardev_tls = 1, then the -# default_tls_x509_cert_dir path will be used. -# -#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev" - - -# The default TLS configuration only uses certificates for the server -# allowing the client to verify the server's identity and establish -# an encrypted channel. -# -# It is possible to use x509 certificates for authentication too, by -# issuing an x509 certificate to every client who needs to connect. -# -# Enabling this option will reject any client that does not have a -# certificate (as described in default_tls_x509_verify) signed by the -# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir). -# -# If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". 
If "default_tls_x509_verify" is not supplied either, -# the default is "1". -# -#chardev_tls_x509_verify = 1 - - -# Uncomment and use the following option to override the default secret -# UUID provided in the default_tls_x509_secret_uuid parameter. -# -# NB This default all-zeros UUID will not work. Replace it with the -# output from the UUID for the TLS secret from a 'virsh secret-list' -# command and then uncomment the entry -# -#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# Enable use of TLS encryption for all VxHS network block devices that -# don't specifically disable. -# -# When the VxHS network block device server is set up appropriately, -# x509 certificates are required for authentication between the clients -# (qemu processes) and the remote VxHS server. -# -# It is necessary to setup CA and issue the client certificate before -# enabling this. -# -#vxhs_tls = 1 - - -# In order to override the default TLS certificate location for VxHS -# backed storage, supply a valid path to the certificate directory. -# This is used to authenticate the VxHS block device clients to the VxHS -# server. -# -# If the provided path does not exist, libvirtd will fail to start. -# If the path is not provided, but vxhs_tls = 1, then the -# default_tls_x509_cert_dir path will be used. -# -# VxHS block device clients expect the client certificate and key to be -# present in the certificate directory along with the CA master certificate. -# If using the default environment, default_tls_x509_verify must be configured. -# Since this is only a client the server-key.pem certificate is not needed. 
-# Thus a VxHS directory must contain the following: -# -# ca-cert.pem - the CA master certificate -# client-cert.pem - the client certificate signed with the ca-cert.pem -# client-key.pem - the client private key -# -#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" - - -# Uncomment and use the following option to override the default secret -# UUID provided in the default_tls_x509_secret_uuid parameter. -# -# NB This default all-zeros UUID will not work. Replace it with the -# output from the UUID for the TLS secret from a 'virsh secret-list' -# command and then uncomment the entry -# -#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# Enable use of TLS encryption for all NBD disk devices that don't -# specifically disable it. -# -# When the NBD server is set up appropriately, x509 certificates are required -# for authentication between the client and the remote NBD server. -# -# It is necessary to setup CA and issue the client certificate before -# enabling this. -# -#nbd_tls = 1 - - -# In order to override the default TLS certificate location for NBD -# backed storage, supply a valid path to the certificate directory. -# This is used to authenticate the NBD block device clients to the NBD -# server. -# -# If the provided path does not exist, libvirtd will fail to start. -# If the path is not provided, but nbd_tls = 1, then the -# default_tls_x509_cert_dir path will be used. -# -# NBD block device clients expect the client certificate and key to be -# present in the certificate directory along with the CA certificate. -# Since this is only a client the server-key.pem certificate is not needed. 
-# Thus a NBD directory must contain the following: -# -# ca-cert.pem - the CA master certificate -# client-cert.pem - the client certificate signed with the ca-cert.pem -# client-key.pem - the client private key -# -#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd" - - -# Uncomment and use the following option to override the default secret -# UUID provided in the default_tls_x509_secret_uuid parameter. -# -# NB This default all-zeros UUID will not work. Replace it with the -# output from the UUID for the TLS secret from a 'virsh secret-list' -# command and then uncomment the entry -# -#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# In order to override the default TLS certificate location for migration -# certificates, supply a valid path to the certificate directory. If the -# provided path does not exist, libvirtd will fail to start. If the path is -# not provided, but TLS-encrypted migration is requested, then the -# default_tls_x509_cert_dir path will be used. Once/if a default certificate is -# enabled/defined, migration will then be able to use the certificate via -# migration API flags. -# -#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" - - -# The default TLS configuration only uses certificates for the server -# allowing the client to verify the server's identity and establish -# an encrypted channel. -# -# It is possible to use x509 certificates for authentication too, by -# issuing an x509 certificate to every client who needs to connect. -# -# Enabling this option will reject any client that does not have a -# certificate (as described in default_tls_x509_verify) signed by the -# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir). -# -# If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied -# either, the default is "1". 
-# -#migrate_tls_x509_verify = 1 - - -# Uncomment and use the following option to override the default secret -# UUID provided in the default_tls_x509_secret_uuid parameter. -# -# NB This default all-zeros UUID will not work. Replace it with the -# output from the UUID for the TLS secret from a 'virsh secret-list' -# command and then uncomment the entry -# -#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested -# automatically. Setting 'migate_tls_force' to "1" will prevent any migration -# which is not using VIR_MIGRATE_TLS to ensure higher level of security in -# deployments with TLS. -# -#migrate_tls_force = 0 - - -# In order to override the default TLS certificate location for backup NBD -# server certificates, supply a valid path to the certificate directory. If the -# provided path does not exist, libvirtd will fail to start. If the path is -# not provided, but TLS-encrypted backup is requested, then the -# default_tls_x509_cert_dir path will be used. -# -#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup" - - -# The default TLS configuration only uses certificates for the server -# allowing the client to verify the server's identity and establish -# an encrypted channel. -# -# It is possible to use x509 certificates for authentication too, by -# issuing an x509 certificate to every client who needs to connect. -# -# Enabling this option will reject any client that does not have a -# certificate (as described in default_tls_x509_verify) signed by the -# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir). -# -# If this option is not supplied, it will be set to the value of -# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either, -# the default is "1". 
-# -#backup_tls_x509_verify = 1 - - -# Uncomment and use the following option to override the default secret -# UUID provided in the default_tls_x509_secret_uuid parameter. -# -# NB This default all-zeros UUID will not work. Replace it with the -# output from the UUID for the TLS secret from a 'virsh secret-list' -# command and then uncomment the entry -# -#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" - - -# By default, if no graphical front end is configured, libvirt will disable -# QEMU audio output since directly talking to alsa/pulseaudio may not work -# with various security settings. If you know what you're doing, enable -# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV -# environment variable when using nographics. -# -#nographics_allow_host_audio = 1 - - -# Override the port for creating both VNC and SPICE sessions (min). -# This defaults to 5900 and increases for consecutive sessions -# or when ports are occupied, until it hits the maximum. -# -# Minimum must be greater than or equal to 5900 as lower number would -# result into negative vnc display number. -# -# Maximum must be less than 65536, because higher numbers do not make -# sense as a port number. -# -#remote_display_port_min = 5900 -#remote_display_port_max = 65535 - -# VNC WebSocket port policies, same rules apply as with remote display -# ports. VNC WebSockets use similar display <-> port mappings, with -# the exception being that ports start from 5700 instead of 5900. -# -#remote_websocket_port_min = 5700 -#remote_websocket_port_max = 65535 - -# The default security driver is SELinux. If SELinux is disabled -# on the host, then the security driver will automatically disable -# itself. If you wish to disable QEMU SELinux security driver while -# leaving SELinux enabled for the host in general, then set this -# to 'none' instead. 
It's also possible to use more than one security -# driver at the same time, for this use a list of names separated by -# comma and delimited by square brackets. For example: -# -# security_driver = [ "selinux", "apparmor" ] -# -# Notes: The DAC security driver is always enabled; as a result, the -# value of security_driver cannot contain "dac". The value "none" is -# a special value; security_driver can be set to that value in -# isolation, but it cannot appear in a list of drivers. -# -#security_driver = "selinux" - -# If set to non-zero, then the default security labeling -# will make guests confined. If set to zero, then guests -# will be unconfined by default. Defaults to 1. -#security_default_confined = 1 - -# If set to non-zero, then attempts to create unconfined -# guests will be blocked. Defaults to 0. -#security_require_confined = 1 - -# The user for QEMU processes run by the system instance. It can be -# specified as a user name or as a user id. The qemu driver will try to -# parse this value first as a name and then, if the name doesn't exist, -# as a user id. -# -# Since a sequence of digits is a valid user name, a leading plus sign -# can be used to ensure that a user id will not be interpreted as a user -# name. -# -# Some examples of valid values are: -# -# user = "qemu" # A user named "qemu" -# user = "+0" # Super user (uid=0) -# user = "100" # A user named "100" or a user with uid=100 -# - user="root" - -# The group for QEMU processes run by the system instance. It can be -# specified in a similar way to user. - group="wheel" - -# Whether libvirt should dynamically change file ownership -# to match the configured user/group above. Defaults to 1. -# Set to 0 to disable file ownership changes. -#dynamic_ownership = 1 - -# Whether libvirt should remember and restore the original -# ownership over files it is relabeling. Defaults to 1, set -# to 0 to disable the feature. 
-#remember_owner = 1 - -# What cgroup controllers to make use of with QEMU guests -# -# - 'cpu' - use for scheduler tunables -# - 'devices' - use for device access control -# - 'memory' - use for memory tunables -# - 'blkio' - use for block devices I/O tunables -# - 'cpuset' - use for CPUs and memory nodes -# - 'cpuacct' - use for CPUs statistics. -# -# NB, even if configured here, they won't be used unless -# the administrator has mounted cgroups, e.g.: -# -# mkdir /dev/cgroup -# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup -# -# They can be mounted anywhere, and different controllers -# can be mounted in different locations. libvirt will detect -# where they are located. -# -#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] - -# This is the basic set of devices allowed / required by -# all virtual machines. -# -# As well as this, any configured block backed disks, -# all sound device, and all PTY devices are allowed. -# -# This will only need setting if newer QEMU suddenly -# wants some device we don't already know about. -# -#cgroup_device_acl = [ -# "/dev/null", "/dev/full", "/dev/zero", -# "/dev/random", "/dev/urandom", -# "/dev/ptmx", "/dev/kvm" -#] -# -# RDMA migration requires the following extra files to be added to the list: -# "/dev/infiniband/rdma_cm", -# "/dev/infiniband/issm0", -# "/dev/infiniband/issm1", -# "/dev/infiniband/umad0", -# "/dev/infiniband/umad1", -# "/dev/infiniband/uverbs0" - - -# The default format for QEMU/KVM guest save images is raw; that is, the -# memory from the domain is dumped out directly to a file. If you have -# guests with a large amount of memory, however, this can take up quite -# a bit of space. If you would like to compress the images while they -# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" -# for save_image_format. 
Note that this means you slow down the process of -# saving a domain in order to save disk space; the list above is in descending -# order by performance and ascending order by compression ratio. -# -# save_image_format is used when you use 'virsh save' or 'virsh managedsave' -# at scheduled saving, and it is an error if the specified save_image_format -# is not valid, or the requested compression program can't be found. -# -# dump_image_format is used when you use 'virsh dump' at emergency -# crashdump, and if the specified dump_image_format is not valid, or -# the requested compression program can't be found, this falls -# back to "raw" compression. -# -# snapshot_image_format specifies the compression algorithm of the memory save -# image when an external snapshot of a domain is taken. This does not apply -# on disk image format. It is an error if the specified format isn't valid, -# or the requested compression program can't be found. -# -#save_image_format = "raw" -#dump_image_format = "raw" -#snapshot_image_format = "raw" - -# When a domain is configured to be auto-dumped when libvirtd receives a -# watchdog event from qemu guest, libvirtd will save dump files in directory -# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump -# -#auto_dump_path = "/var/lib/libvirt/qemu/dump" - -# When a domain is configured to be auto-dumped, enabling this flag -# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the -# virDomainCoreDump API. That is, the system will avoid using the -# file system cache while writing the dump file, but may cause -# slower operation. -# -#auto_dump_bypass_cache = 0 - -# When a domain is configured to be auto-started, enabling this flag -# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag -# with the virDomainCreateWithFlags API. That is, the system will -# avoid using the file system cache when restoring any managed state -# file, but may cause slower operation. 
-# -#auto_start_bypass_cache = 0 - -# If provided by the host and a hugetlbfs mount point is configured, -# a guest may request huge page backing. When this mount point is -# unspecified here, determination of a host mount point in /proc/mounts -# will be attempted. Specifying an explicit mount overrides detection -# of the same in /proc/mounts. Setting the mount point to "" will -# disable guest hugepage backing. If desired, multiple mount points can -# be specified at once, separated by comma and enclosed in square -# brackets, for example: -# -# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] -# -# The size of huge page served by specific mount point is determined by -# libvirt at the daemon startup. -# -# NB, within these mount points, guests will create memory backing -# files in a location of $MOUNTPOINT/libvirt/qemu -# -#hugetlbfs_mount = "/dev/hugepages" - - -# Path to the setuid helper for creating tap devices. This executable -# is used to create interfaces when libvirtd is -# running unprivileged. libvirt invokes the helper directly, instead -# of using "-netdev bridge", for security reasons. -#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper" - - -# If enabled, libvirt will have QEMU set its process name to -# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU -# process will appear as "qemu:VM_NAME" in process listings and -# other system monitoring tools. By default, QEMU does not set -# its process title, so the complete QEMU command (emulator and -# its arguments) appear in process listings. -# -#set_process_name = 1 - - -# If max_processes is set to a positive integer, libvirt will use -# it to set the maximum number of processes that can be run by qemu -# user. This can be used to override default value set by host OS. -# The same applies to max_files which sets the limit on the maximum -# number of opened files. 
-# -#max_processes = 0 -#max_files = 0 - -# If max_threads_per_process is set to a positive integer, libvirt -# will use it to set the maximum number of threads that can be -# created by a qemu process. Some VM configurations can result in -# qemu processes with tens of thousands of threads. systemd-based -# systems typically limit the number of threads per process to -# 16k. max_threads_per_process can be used to override default -# limits in the host OS. -# -#max_threads_per_process = 0 - -# If max_core is set to a non-zero integer, then QEMU will be -# permitted to create core dumps when it crashes, provided its -# RAM size is smaller than the limit set. -# -# Be warned that the core dump will include a full copy of the -# guest RAM, if the 'dump_guest_core' setting has been enabled, -# or if the guest XML contains -# -# ...guest ram... -# -# If guest RAM is to be included, ensure the max_core limit -# is set to at least the size of the largest expected guest -# plus another 1GB for any QEMU host side memory mappings. -# -# As a special case it can be set to the string "unlimited" to -# to allow arbitrarily sized core dumps. -# -# By default the core dump size is set to 0 disabling all dumps -# -# Size is a positive integer specifying bytes or the -# string "unlimited" -# -#max_core = "unlimited" - -# Determine if guest RAM is included in QEMU core dumps. By -# default guest RAM will be excluded if a new enough QEMU is -# present. Setting this to '1' will force guest RAM to always -# be included in QEMU core dumps. -# -# This setting will be ignored if the guest XML has set the -# dumpcore attribute on the element. -# -#dump_guest_core = 1 - -# mac_filter enables MAC addressed based filtering on bridge ports. -# This currently requires ebtables to be installed. -# -#mac_filter = 1 - - -# By default, PCI devices below non-ACS switch are not allowed to be assigned -# to guests. 
By setting relaxed_acs_check to 1 such devices will be allowed to -# be assigned to guests. -# -#relaxed_acs_check = 1 - - -# In order to prevent accidentally starting two domains that -# share one writable disk, libvirt offers two approaches for -# locking files. The first one is sanlock, the other one, -# virtlockd, is then our own implementation. Accepted values -# are "sanlock" and "lockd". -# -#lock_manager = "lockd" - - -# Set limit of maximum APIs queued on one domain. All other APIs -# over this threshold will fail on acquiring job lock. Specially, -# setting to zero turns this feature off. -# Note, that job lock is per domain. -# -#max_queued = 0 - -################################################################### -# Keepalive protocol: -# This allows qemu driver to detect broken connections to remote -# libvirtd during peer-to-peer migration. A keepalive message is -# sent to the daemon after keepalive_interval seconds of inactivity -# to check if the daemon is still responding; keepalive_count is a -# maximum number of keepalive messages that are allowed to be sent -# to the daemon without getting any response before the connection -# is considered broken. In other words, the connection is -# automatically closed approximately after -# keepalive_interval * (keepalive_count + 1) seconds since the last -# message received from the daemon. If keepalive_interval is set to -# -1, qemu driver will not send keepalive requests during -# peer-to-peer migration; however, the remote libvirtd can still -# send them and source libvirtd will send responses. When -# keepalive_count is set to 0, connections will be automatically -# closed after keepalive_interval seconds of inactivity without -# sending any keepalive messages. -# -#keepalive_interval = 5 -#keepalive_count = 5 - - - -# Use seccomp syscall filtering sandbox in QEMU. 
-# 1 == filter enabled, 0 == filter disabled -# -# Unless this option is disabled, QEMU will be run with -# a seccomp filter that stops it from executing certain -# syscalls. -# -#seccomp_sandbox = 1 - - -# Override the listen address for all incoming migrations. Defaults to -# 0.0.0.0, or :: if both host and qemu are capable of IPv6. -#migration_address = "0.0.0.0" - - -# The default hostname or IP address which will be used by a migration -# source for transferring migration data to this host. The migration -# source has to be able to resolve this hostname and connect to it so -# setting "localhost" will not work. By default, the host's configured -# hostname is used. -#migration_host = "host.example.com" - - -# Override the port range used for incoming migrations. -# -# Minimum must be greater than 0, however when QEMU is not running as root, -# setting the minimum to be lower than 1024 will not work. -# -# Maximum must not be greater than 65535. -# -#migration_port_min = 49152 -#migration_port_max = 49215 - - - -# Timestamp QEMU's log messages (if QEMU supports it) -# -# Defaults to 1. -# -#log_timestamp = 0 - - -# Location of master nvram file -# -# This configuration option is obsolete. Libvirt will follow the -# QEMU firmware metadata specification to automatically locate -# firmware images. See docs/interop/firmware.json in the QEMU -# source tree. These metadata files are distributed alongside any -# firmware images intended for use with QEMU. -# -# NOTE: if ANY firmware metadata files are detected, this setting -# will be COMPLETELY IGNORED. -# -# ------------------------------------------ -# -# When a domain is configured to use UEFI instead of standard -# BIOS it may use a separate storage for UEFI variables. If -# that's the case libvirt creates the variable store per domain -# using this master file as image. Each UEFI firmware can, -# however, have different variables store. 
Therefore the nvram is -# a list of strings when a single item is in form of: -# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. -# Later, when libvirt creates per domain variable store, this list is -# searched for the master image. The UEFI firmware can be called -# differently for different guest architectures. For instance, it's OVMF -# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default -# follows this scheme. -#nvram = [ -# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", -# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", -# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", -# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" -#] - -# The backend to use for handling stdout/stderr output from -# QEMU processes. -# -# 'file': QEMU writes directly to a plain file. This is the -# historical default, but allows QEMU to inflict a -# denial of service attack on the host by exhausting -# filesystem space -# -# 'logd': QEMU writes to a pipe provided by virtlogd daemon. -# This is the current default, providing protection -# against denial of service by performing log file -# rollover when a size limit is hit. -# -#stdio_handler = "logd" - -# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the -# most verbose, and 0 representing no debugging output. -# -# The current logging levels defined in the gluster GFAPI are: -# -# 0 - None -# 1 - Emergency -# 2 - Alert -# 3 - Critical -# 4 - Error -# 5 - Warning -# 6 - Notice -# 7 - Info -# 8 - Debug -# 9 - Trace -# -# Defaults to 4 -# -#gluster_debug_level = 9 - -# virtiofsd debug -# -# Whether to enable the debugging output of the virtiofsd daemon. -# Possible values are 0 or 1. Disabled by default. -# -#virtiofsd_debug = 1 - -# To enhance security, QEMU driver is capable of creating private namespaces -# for each domain started. Well, so far only "mount" namespace is supported. 
If -# enabled it means qemu process is unable to see all the devices on the system, -# only those configured for the domain in question. Libvirt then manages -# devices entries throughout the domain lifetime. This namespace is turned on -# by default. -#namespaces = [ "mount" ] - -# This directory is used for memoryBacking source if configured as file. -# NOTE: big files will be stored here -#memory_backing_dir = "/var/lib/libvirt/qemu/ram" - -# Path to the SCSI persistent reservations helper. This helper is -# used whenever are enabled for SCSI LUN devices. -#pr_helper = "/usr/bin/qemu-pr-helper" - -# Path to the SLIRP networking helper. -#slirp_helper = "/usr/bin/slirp-helper" - -# Path to the dbus-daemon -#dbus_daemon = "/usr/bin/dbus-daemon" - -# User for the swtpm TPM Emulator -# -# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs -# and uses; alternative is 'root' -# -#swtpm_user = "tss" -#swtpm_group = "tss" - -# For debugging and testing purposes it's sometimes useful to be able to disable -# libvirt behaviour based on the capabilities of the qemu process. This option -# allows to do so. DO _NOT_ use in production and beaware that the behaviour -# may change across versions. -# -#capability_filters = [ "capname" ] - -# 'deprecation_behavior' setting controls how the qemu process behaves towards -# deprecated commands and arguments used by libvirt. -# -# This setting is meant for developers and CI efforts to make it obvious when -# libvirt relies on fields which are deprecated so that it can be fixes as soon -# as possible. 
-#
-# Possible options are:
-# "none" - (default) qemu is supposed to accept and output deprecated fields
-# and commands
-# "omit" - qemu is instructed to omit deprecated fields on output, behaviour
-# towards fields and commands from qemu is not changed
-# "reject" - qemu is instructed to report an error if a deprecated command or
-# field is used by libvirtd
-# "crash" - qemu crashes when an deprecated command or field is used by libvirtd
-#
-# For both "reject" and "crash" qemu is instructed to omit any deprecated fields
-# on output.
-#
-# The "reject" option is less harsh towards the VMs but some code paths ignore
-# errors reported by qemu and thus it may not be obvious that a deprecated
-# command/field was used, thus it's suggested to use the "crash" option instead.
-#
-# In cases when qemu doesn't support configuring the behaviour this setting is
-# silently ignored to allow testing older qemu versions without having to
-# reconfigure libvirtd.
-#
-# DO NOT use in production.
-#
-#deprecation_behavior = "none"
diff --git a/provision/local/gpu-passthrough/revert.sh b/provision/local/gpu-passthrough/revert.sh
deleted file mode 100755
index 47060e51..00000000
--- a/provision/local/gpu-passthrough/revert.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/run/current-system/sw/bin/bash
-
-set -x
-
-# Unload VFIO-PCI Kernel Driver
-modprobe -r vfio_pci
-modprobe -r vfio_iommu_type1
-modprobe -r vfio
-
-# Rebind VT consoles
-echo 1 > /sys/class/vtconsole/vtcon0/bind
-echo 1 > /sys/class/vtconsole/vtcon1/bind
-
-# Read our nvidia configuration when before starting our graphics
-nvidia-xconfig --query-gpu-info > /dev/null 2>&1
-
-# Re-Bind EFI-Framebuffer
-echo "efi-framebuffer.0" > /sys/bus/platform/drivers/efi-framebuffer/bind
-echo "simple-framebuffer.0" > /sys/bus/platform/drivers/simple-framebuffer/bind
-echo "vesa-framebuffer.0" > /sys/bus/platform/drivers/vesa-framebuffer/bind
-
-# ZzzzzzZzz
-sleep 1
-
-# Load amd drivers
-modprobe drm
-modprobe amdgpu
-modprobe radeon
-modprobe drm_kms_helper
-
-# Kill sway
-systemctl start display-manager.service
diff --git a/provision/local/gpu-passthrough/start.sh b/provision/local/gpu-passthrough/start.sh
deleted file mode 100755
index a0437483..00000000
--- a/provision/local/gpu-passthrough/start.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/run/current-system/sw/bin/bash
-
-set -x
-
-# Stop your display manager. If you're on kde it'll be sddm.service. Gnome users should use 'killall gdm-x-session' instead
-systemctl stop display-manager.service
-
-# Unbind VTconsoles
-echo 0 > /sys/class/vtconsole/vtcon0/bind
-echo 0 > /sys/class/vtconsole/vtcon1/bind
-
-# Unbind EFI-Framebuffer
-echo efi-framebuffer.0 > /sys/bus/platform/drivers/efi-framebuffer/unbind || true
-echo simple-framebuffer.0 > /sys/bus/platform/drivers/simple-framebuffer/unbind || true
-echo vesa-framebuffer.0 > /sys/bus/platform/drivers/vesa-framebuffer/unbind || true
-
-# ZzzzzzZzzzz
-sleep 1
-
-# Unload all Amd drivers
-modprobe -r drm_kms_helper
-modprobe -r amdgpu
-modprobe -r radeon
-modprobe -r drm
-
-# Load VFIO kernel module
-modprobe vfio
-modprobe vfio_pci
-modprobe vfio_iommu_type1
diff --git a/provision/nixos/flake.nix b/provision/nixos/flake.nix
index bef55238..abaff02c 100644
--- a/provision/nixos/flake.nix
+++ b/provision/nixos/flake.nix
@@ -8,9 +8,13 @@
       url = github:nix-community/home-manager/release-23.05;
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    jovian-nixos = {
+      url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development";
+      flake = false;
+    };
   };
 
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, home-manager, ... }:
+  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, home-manager, jovian-nixos, ... }:
   let
     system = "x86_64-linux";
     pkgs = import nixpkgs {
diff --git a/provision/nixos/hosts/bulwark/configuration.nix b/provision/nixos/hosts/bulwark/configuration.nix
new file mode 100644
index 00000000..4943e593
--- /dev/null
+++ b/provision/nixos/hosts/bulwark/configuration.nix
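Review bot: The new `jovian-nixos` input follows a moving branch (`?ref=development`) rather than a fixed revision, so each `nix flake update` silently moves the Steam Deck module code to whatever is at that branch head at the time; flake.lock pins it between updates, but the update itself is not something a reviewer sees. Adding `?rev=<commit-placeholder>` (or pointing at a tag) next to the ref and bumping it deliberately keeps that change visible in the lock diff. Since steam-deck.nix imports this repository's modules wholesale, it deserves the same scrutiny as a package bump.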
@@ -0,0 +1,120 @@
+{ config, pkgs, user, lib, ... }:
+{
+  nix = {
+    package = pkgs.nixFlakes;
+    extraOptions = "experimental-features = nix-command flakes";
+
+    settings.auto-optimise-store = true;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+  };
+
+  # Add non-free packages
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.overlays = import ../../lib/overlays.nix;
+
+  # Use zen kernel
+  boot.kernelPackages = pkgs.linuxPackages_zen;
+
+  # Hardware options
+  hardware.bluetooth.enable = true;
+  hardware.sensor.iio.enable = true;
+  hardware.opengl.enable = true;
+  hardware.opengl.driSupport = true;
+  hardware.opengl.driSupport32Bit = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Set networking options
+  networking.hostName = "bulwark";
+  networking.networkmanager.enable = true;
+  networking.firewall.checkReversePath = "loose";
+  networking.firewall.enable = false;
+
+  # Set your time zone.
+  time.timeZone = "America/Los_Angeles";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+  hardware.pulseaudio.support32Bit = true;
+
+  # Add fonts
+  fonts.fonts = with pkgs; [
+    nerdfonts
+  ];
+
+  # Enable virtualisation
+  virtualisation.docker.enable = true;
+  virtualisation.docker.storageDriver = "btrfs";
+
+  # Enable zsh
+  programs.zsh.enable = true;
+
+  # Define user account.
+  users.users.${user} = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
+    shell = pkgs.zsh;
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+    killall
+    pciutils
+    syncthing
+    pinentry-curses
+    trash-cli
+    unzip
+    nnn
+    advcpmv
+  ];
+
+  # Enable user services
+  services = {
+    gvfs.enable = true; # USB automount
+    blueman.enable = true;
+    printing.enable = true;
+    printing.drivers = [ pkgs.hplip ];
+    avahi.enable = true;
+    avahi.nssmdns = true;
+    syncthing = {
+      enable = true;
+      user = "${user}";
+      dataDir = "/home/${user}/sync";
+      configDir = "/home/${user}/.config/syncthing";
+    };
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.pcscd.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryFlavor = "curses";
+    enableSSHSupport = true;
+  };
+
+  # Enable modules
+  imports = [ ../../modules ];
+  modules = {
+    services = {
+      samba-client.enable = true;
+    };
+    gaming = {
+      steam.enable = true;
+      steam-deck.enable = true;
+    };
+  };
+
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
diff --git a/provision/nixos/hosts/bulwark/home-configuration.nix b/provision/nixos/hosts/bulwark/home-configuration.nix
new file mode 100644
index 00000000..3b5e7a48
--- /dev/null
+++ b/provision/nixos/hosts/bulwark/home-configuration.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, user, ... }:
+{
+  home.username = "${user}";
+  home.homeDirectory = "/home/${user}";
+  programs.home-manager.enable = true;
+
+  home.packages = with pkgs; [
+    chezmoi
+    rbw
+    zk
+    joplin
+    joplin-desktop
+  ];
+
+  home.stateVersion = "23.05";
+}
diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix
index a7050e92..299f6005 100644
--- a/provision/nixos/hosts/kestrel/configuration.nix
+++ b/provision/nixos/hosts/kestrel/configuration.nix
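Review bot: `networking.firewall.enable = false;` switches the host firewall off entirely, while the same file turns on sshd, CUPS, Avahi and Syncthing and puts the user in the root-equivalent `docker` group; the kestrel hunk at `@@ -34,6 +34,7 @@` makes the identical change. If the goal was to let those services through, the per-service switches do it without exposing everything else: `services.syncthing.openDefaultPorts = true;`, `services.avahi.openFirewall = true;` and `services.printing.openFirewall = true;` (sshd opens its port by default), and `checkReversePath = "loose"` already covers the asymmetric-routing case it was presumably added for. If the firewall really has to stay off on this host, a one-line comment such as `# firewall disabled: <reason>` stops the next reader from quietly re-enabling it.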
@@ -34,6 +34,7 @@
   networking.hostName = "kestrel";
   networking.networkmanager.enable = true;
   networking.firewall.checkReversePath = "loose";
+  networking.firewall.enable = false;
 
   # Set your time zone.
   time.timeZone = "America/Los_Angeles";
@@ -59,7 +60,7 @@
   # Define user account.
   users.users.${user} = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user.
     shell = pkgs.zsh;
   };
 
@@ -92,29 +93,6 @@
       dataDir = "/home/${user}/sync";
       configDir = "/home/${user}/.config/syncthing";
     };
-    # xserver = {
-    #   enable = true;
-    #   displayManager = {
-    #     #defaultSession = "none+bspwm";
-    #     lightdm.greeters.mini = {
-    #       enable = true;
-    #       #user = "tstarr";
-    #       #extraConfig = ''
-    #       #  [greeter]
-    #       #  show-password-label = false
-    #       #  invalid-password-text = Access Denied
-    #       #  show-input-cursor = true
-    #       #  password-alignment = left
-    #       #  [greeter-theme]
-    #       #  font-size = 1em
-    #       #  background-image = ""
-    #       #'';
-    #     };
-    #   };
-    # };
-    #};
-    xserver.enable = true;
-    xserver.displayManager.sddm.enable = true;
   };
 
   # Enable the OpenSSH daemon.
@@ -131,7 +109,7 @@
   modules = {
     services = {
       samba-client.enable = true;
-      vfio.enable = false;
+      virt-manager.enable = true;
     };
     devel = {
       tooling.enable = true;
diff --git a/provision/nixos/modules/desktop/sway.nix b/provision/nixos/modules/desktop/sway.nix
index b91d7385..2533a44d 100644
--- a/provision/nixos/modules/desktop/sway.nix
+++ b/provision/nixos/modules/desktop/sway.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, user, ... }:
+{ config, lib, pkgs, pkgs-unstable, user, ... }:
 
 let
   cfg = config.modules.desktop.sway;
@@ -52,13 +52,15 @@ in {
     networkmanagerapplet
     pcmanfm
     google-chrome
-    firefox
     gamemode
     discord
     inkscape
     libreoffice-fresh
     mpv
     udiskie
+    p7zip
+  ] ++ [
+    pkgs-unstable.firefox
   ];
 
   # xdg-desktop-portal works by exposing a series of D-Bus interfaces
diff --git a/provision/nixos/modules/gaming/steam-deck.nix b/provision/nixos/modules/gaming/steam-deck.nix
new file mode 100644
index 00000000..be69a0c6
--- /dev/null
+++ b/provision/nixos/modules/gaming/steam-deck.nix
@@ -0,0 +1,126 @@ +{ config, lib, pkgs, pkgs-unstable, user, jovian-nixos, ... }: + +let + cfg = config.modules.gaming.steam-deck; +in { + options.modules.gaming.steam-deck.enable = lib.mkEnableOption "steam-deck"; + config = lib.mkIf cfg.enable { + imports = [ + (jovian-nixos + "/modules") + home-manager.nixosModule + ]; + + jovian = { + steam.enable = true; + devices.steamdeck = { + enable = true; + }; + }; + + services.xserver.displayManager.gdm.wayland = lib.mkForce true; # lib.mkForce is only required on my setup because I'm using some other NixOS configs that conflict with this value + services.xserver.displayManager.defaultSession = "steam-wayland"; + services.xserver.displayManager.autoLogin.enable = true; + services.xserver.displayManager.autoLogin.user = ${user}; + + # Enable GNOME + sound.enable = true; + services.xserver.desktopManager.gnome = { + enable = true; + }; + + # Create user + users.users.${user} = { + isNormalUser = true; + }; + + systemd.services.gamescope-switcher = { + wantedBy = [ "graphical.target" ]; + serviceConfig = { + User = 1000; + PAMName = "login"; + WorkingDirectory = "~"; + + TTYPath = "/dev/tty7"; + TTYReset = "yes"; + TTYVHangup = "yes"; + TTYVTDisallocate = "yes"; + + StandardInput = "tty-fail"; + StandardOutput = "journal"; + StandardError = "journal"; + + UtmpIdentifier = "tty7"; + UtmpMode = "user"; + + Restart = "always"; + }; + + script = '' + set-session () { + mkdir -p ~/.local/state + >~/.local/state/steamos-session-select echo "$1" + } + consume-session () { + if [[ -e ~/.local/state/steamos-session-select ]]; then + cat ~/.local/state/steamos-session-select + rm ~/.local/state/steamos-session-select + else58 closure + echo "gamescope" + fi + } + while :; do + session=$(consume-session) + case "$session" in + plasma) + dbus-run-session -- gnome-shell --display-server --wayland + ;; + gamescope) + steam-session + ;; + esac + done + ''; + }; + + environment.systemPackages = with pkgs; [ + gnome.gnome-terminal + 
gnomeExtensions.dash-to-dock + jupiter-dock-updater-bin + steamdeck-firmware + ]; + + # GNOME settings through home-manager + home-manager.users.${user} = { + home.stateVersion = "22.11"; + dconf.settings = { + # Enable on-screen keyboard + "org/gnome/desktop/a11y/applications" = { + screen-keyboard-enabled = true; + }; + "org/gnome/shell" = { + enabled-extensions = [ + "dash-to-dock@micxgx.gmail.com" + ]; + favorite-apps = ["steam.desktop"]; + }; + # Dash to Dock settings for a better touch screen experience + "org/gnome/shell/extensions/dash-to-dock" = { + background-opacity = 0.80000000000000004; + custom-theme-shrink = true; + dash-max-icon-size = 48; + dock-fixed = true; + dock-position = "LEFT"; + extend-height = true; + height-fraction = 0.60999999999999999; + hot-keys = false; + preferred-monitor = -2; + preferred-monitor-by-connector = "eDP-1"; + scroll-to-focused-application = true; + show-apps-at-top = true; + show-mounts = true; + show-show-apps-button = true; + show-trash = false; + }; + }; + }; +} diff --git a/provision/nixos/modules/gaming/steam.nix b/provision/nixos/modules/gaming/steam.nix index cbb3bd6d..b3205f88 100644 --- a/provision/nixos/modules/gaming/steam.nix +++ b/provision/nixos/modules/gaming/steam.nix @@ -17,6 +17,9 @@ in { environment.systemPackages = [ pkgs.steam pkgs-unstable.yuzu-early-access + pkgs.dolphin-emu + pkgs-unstable.sunshine + pkgs-unstable.moonlight-qt ]; }; diff --git a/provision/nixos/modules/services/default.nix b/provision/nixos/modules/services/default.nix index e5744f59..61f723f0 100644 --- a/provision/nixos/modules/services/default.nix +++ b/provision/nixos/modules/services/default.nix @@ -1,4 +1,4 @@ { ... }: { - imports = [ ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./vfio.nix ]; + imports = [ ./samba-server.nix ./samba-client.nix ./jellyfin.nix ]; } diff --git a/provision/nixos/modules/services/vfio.nix b/provision/nixos/modules/services/vfio.nix deleted file mode 100644 index be975267..00000000 
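Review bot: `services.xserver.displayManager.autoLogin.user = ${user};` is not valid Nix — `${…}` interpolation is only legal inside a string or attribute name — so the new module fails to parse; write `autoLogin.user = user;` as the rest of the file does. The `imports` list is also placed under `config = lib.mkIf cfg.enable { … }`, where the module system does not accept it (imports are resolved before any option value is evaluated), and it references `home-manager`, which is not in the module's argument set; hoist the list to the module's top level and add `home-manager` to the arguments, assuming the flake passes it the same way it passes `jovian-nixos`. The gamescope-switcher unit hard-codes `User = 1000;` while everything else keys off `${user}`; `User = user;` keeps the unit bound to the same account that is auto-logged in. As printed, the `else58 closure` line inside `consume-session` would be a shell syntax error; if that is an extraction artefact it can be ignored, otherwise it should read `else`.
```nix
{ config, lib, pkgs, pkgs-unstable, user, jovian-nixos, home-manager, ... }:
# … unchanged: let cfg = … in { …
  # imports are resolved before any option is evaluated, so they cannot live under config/mkIf
  imports = [
    (jovian-nixos + "/modules")
    home-manager.nixosModule
  ];
  options.modules.gaming.steam-deck.enable = lib.mkEnableOption "steam-deck";
  config = lib.mkIf cfg.enable {
    # … unchanged: jovian, gdm wayland, defaultSession, autoLogin.enable …
    services.xserver.displayManager.autoLogin.user = user;
    # … unchanged: gnome, users, gamescope-switcher, systemPackages, home-manager …
```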
--- a/provision/nixos/modules/services/vfio.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-# vfio setup for windows gaming with single gpu
-
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.services.vfio;
-in {
- options.modules.services.vfio.enable = lib.mkEnableOption "vfio";
- config = lib.mkIf cfg.enable {
-
- users.users.${user}.extraGroups = [ "qemu-libvirtd" "libvirtd" "kvm" ];
-
- # Boot configuration
- boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "iommu=1" "video=efifb:off" "disable_idle_d3=1" ];
- boot.kernelModules = [ "kvm-amd" "vfio-pci" ];
-
- programs.dconf.enable = true;
-
- environment.systemPackages = with pkgs; [ virt-manager ];
-
- # Enable libvirtd
- virtualisation.libvirtd = {
- enable = true;
- onBoot = "ignore";
- onShutdown = "shutdown";
- qemu.ovmf.enable = true;
- qemu.runAsRoot = true;
- };
-
- # Place helper files where libvirt can get to them
- environment.etc = {
- "libvirt/hooks/qemu" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/qemu";
- mode = "0755";
- };
- "libvirt/hooks/qemu.d/win11/prepare/begin/start.sh" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/start.sh";
- mode = "0755";
- };
- "libvirt/hooks/qemu.d/win11/release/end/revert.sh" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/revert.sh";
- mode = "0755";
- };
- "libvirt/qemu.conf" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/qemu.conf";
- mode = "0755";
- };
- "libvirt/libvirtd.conf" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/libvirtd.conf";
- mode = "0755";
- };
- "libvirt/patch.rom" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/patch.rom";
- mode = "0755";
- };
- };
- };
-}
diff --git a/provision/nixos/modules/services/virt-manager.nix b/provision/nixos/modules/services/virt-manager.nix
new file mode 100644
index 00000000..b6d5d345
--- /dev/null
+++ b/provision/nixos/modules/services/virt-manager.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.modules.services.virt-manager;
+in {
+ options.modules.services.virt-manager.enable = lib.mkEnableOption "virt-manager";
+ config = lib.mkIf cfg.enable {
+ virtualisation.libvirtd.enable = true;
+ programs.dconf.enable = true;
+ environment.systemPackages = with pkgs; [ virt-manager ];
+ };
+}
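Review bot: `virtualisation.libvirtd.enable = true;` leaves `virtualisation.libvirtd.qemu.runAsRoot` at its NixOS default of `true`, so every guest's QEMU process runs as root on the host; the single-GPU passthrough setup that relied on that (the removed vfio.nix set it explicitly) is gone in this commit, so the replacement module should set `virtualisation.libvirtd.qemu.runAsRoot = false;` and let guests run as the unprivileged qemu-libvirtd account. The module also enables the daemon without granting any account access to it — the host configuration adds `"libvirtd"` to the user's `extraGroups` by hand in a different file — so a comment such as `# hosts enabling this must add the user to the libvirtd group` would spare the next host a silent permission error in virt-manager.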