4 files changed, 106 insertions, 0 deletions

diff --git a/modules/core/virtualisation/default.nix b/modules/core/virtualisation/default.nix
new file mode 100644
index 0000000..97aa4b9
--- /dev/null
+++ b/modules/core/virtualisation/default.nix
@@ -0,0 +1,14 @@
+{
+  imports = [
+    ./docker.nix
+    ./libvirtd.nix
+    ./qemu.nix
+  ];
+
+  programs.extra-container.enable = true;
+
+  virtualisation = {
+    kvmgt.enable = true;
+    spiceUSBRedirection.enable = true;
+  };
+}
diff --git a/modules/core/virtualisation/docker.nix b/modules/core/virtualisation/docker.nix
new file mode 100644
index 0000000..c35beb6
--- /dev/null
+++ b/modules/core/virtualisation/docker.nix
@@ -0,0 +1,32 @@
+{ lib, ... }:
+{
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "overlay2";
+    enableOnBoot = false;
+    liveRestore = true;
+    enableNvidia = lib.mkForce true;
+
+    daemon.settings = {
+      default-runtime = "nvidia";
+      experimental = true;
+      iptables = false;
+    };
+
+    autoPrune = {
+      enable = true;
+      dates = "daily";
+    };
+
+    rootless = {
+      enable = false;
+      setSocketVariable = true;
+
+      daemon.settings = {
+        default-runtime = "nvidia";
+        experimental = true;
+        iptables = false;
+      };
+    };
+  };
+}
diff --git a/modules/core/virtualisation/libvirtd.nix b/modules/core/virtualisation/libvirtd.nix
new file mode 100644
index 0000000..556135b
--- /dev/null
+++ b/modules/core/virtualisation/libvirtd.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+  environment.systemPackages = with pkgs; [
+    virt-manager
+    virt-viewer
+  ];
+
+  virtualisation.libvirtd = {
+    enable = true;
+    onBoot = "ignore";
+    onShutdown = "shutdown";
+  };
+}
diff --git a/modules/core/virtualisation/qemu.nix b/modules/core/virtualisation/qemu.nix
new file mode 100644
index 0000000..849ead1
--- /dev/null
+++ b/modules/core/virtualisation/qemu.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    qemu_kvm
+    qemu
+  ];
+
+  hardware.pulseaudio.extraConfig = ''
+    load-module module-native-protocol-unix auth-group=qemu-libvirtd socket=/tmp/pulse-socket
+  '';
+
+  boot.kernelModules = [ "vfio-pci" ];
+
+  networking.firewall.trustedInterfaces = [
+    "virbr0"
+    "br0"
+  ];
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"
+  '';
+
+  virtualisation.libvirtd.qemu = {
+    package = pkgs.qemu_kvm;
+    runAsRoot = true;
+    swtpm.enable = true;
+
+    ovmf = {
+      enable = true;
+
+      packages = [
+        (pkgs.OVMFFull.override {
+          secureBoot = true;
+          tpmSupport = true;
+        }).fd
+      ];
+    };
+
+    verbatimConfig = ''
+      namespaces = []
+
+      dynamic_ownership = 0
+    '';
+  };
+}