Full isolation has too much impact to be the default. Even on an almost unloaded machine with a couple of VMs running, it results in audio buffer underruns because of the significant scheduling latency it adds. This change is fine because with vmsilo the trust domain is the VM: there isn't much reason to protect apps from other apps running in the same VM. If that separation is needed, it is better to run those apps in separate VMs.
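# Host-side vmsilo configuration: one unprivileged user ("david") and four
# NixOS guest VMs.  Network topology as declared in this file:
#
#   untrusted --> netvm --> host
#   trusted   --> vpnvm --> netvm --> host
#
# vpnvm and netvm both declare network.isNetvm = true; vpnvm additionally
# brings up a WireGuard management tunnel (wg-mgmt).
{
  config,
  lib,
  pkgs,
  vmsilo,
  stdenv,
  ...
}:

{
  nix = {
    settings.experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  # User needs to have uid explicitly specified
  users.users.david = {
    uid = 1000;
    group = "david";
    isNormalUser = true;
    extraGroups = [ "wheel" ];
  };
  users.groups.david.gid = 1000;

  programs.vmsilo =
    let
      # Resolver handed to every guest below; kept in one place so all VMs
      # stay in sync.
      publicNameservers = [ "8.8.8.8" ];

      # Programs installed into the "untrusted" and "trusted" guests.
      commonGuestPrograms = with pkgs; [
        firefox
        kdePackages.konsole
        vim
        git
        screen
        strace
        tcpdump
        curl
        jq
        dig
        bc
        net-tools
      ];
    in
    {
      enable = true;
      user = "david";

      # Set this to "full" to fully isolate each vCPU or "off" for no scheduling protection.
      # The default is "vm", which protects VMs from each other but does not protect each different
      # vCPUs of the same VM from each other. Note that "full" has a significant performance cost.
      schedulerIsolation = "vm";

      nixosVms = {
        # Guest for untrusted workloads; reaches the network directly via netvm.
        untrusted = {
          color = "darkred";
          memory = 4096;
          cpus = 4;
          network = {
            netvm = "netvm";
            nameservers = publicNameservers;
          };
          guestConfig = [
            vmsilo.nixosModules.optionalGuestSettings
          ];
          guestPrograms = commonGuestPrograms;
        };

        # Guest for trusted workloads; its upstream is vpnvm rather than netvm.
        trusted = {
          color = "darkgreen";
          memory = 4096;
          cpus = 4;
          network = {
            netvm = "vpnvm";
            # NOTE(review): vpnvm's WireGuard peer only lists 192.168.0.0/24 in
            # allowedIPs, so unless routing is configured elsewhere, queries to
            # this public resolver leave vpnvm towards netvm outside the tunnel.
            # Confirm that is intended for the "trusted" VM.
            nameservers = publicNameservers;
          };
          guestConfig = [
            vmsilo.nixosModules.optionalGuestSettings
          ];
          guestPrograms = commonGuestPrograms;
        };

        vpnvm = {
          # VPN VM, other VMs with netvm="vpnvm" get trusted access
          color = "darkgreen";
          memory = 768;
          cpus = 2;
          gpu = false;
          sound.playback = false;
          network = {
            # Acts as a netvm for the guests above and itself uplinks via netvm.
            isNetvm = true;
            netvm = "netvm";
            nameservers = publicNameservers;
          };
          guestConfig = [
            vmsilo.nixosModules.optionalGuestSettings
            {
              networking = {
                wireguard.enable = true;
                wireguard.interfaces.wg-mgmt = {
                  # Place private key at /shared/netvm/wg.key
                  # NOTE(review): this VM is "vpnvm", not "netvm" — confirm the
                  # host-side path above is the one that maps to this guest's
                  # /home/user, otherwise the key will not be found.
                  privateKeyFile = "/home/user/wg.key";
                  ips = [
                    "192.168.0.5/32"
                  ];
                  peers = [
                    {
                      name = "router";
                      # Placeholder values; replace with the real peer key and
                      # endpoint before use.
                      publicKey = "xxxpeerpubkey==";
                      endpoint = "wireguard.example.org:51820";
                      # Only the management subnet is routed through the tunnel.
                      allowedIPs = [
                        "192.168.0.0/24"
                      ];
                    }
                  ];
                };
              };
            }
          ];
        };

        # Uplink VM: the only guest whose netvm is the host itself.
        netvm = {
          color = "red";
          autoStart = true;
          memory = 768;
          cpus = 2;
          gpu = false;
          sound.playback = false;
          sharedHome = false;
          network = {
            isNetvm = true;
            netvm = "host";
            nameservers = publicNameservers;
          };
          guestConfig = [
            vmsilo.nixosModules.optionalGuestSettings
          ];
        };
      };
    };
}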