tv: add systemd.services.xu-qemu0 + xu-qemu0-monitor

tv 2016-02-13 19:57:45 +01:00
parent 0e35bc5c19
commit 3ca0df0447
2 changed files with 61 additions and 26 deletions


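--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -44,6 +44,7 @@ with lib;
     tv = {
       isNormalUser = true;
       uid = 1337;
+      extraGroups = [ "tv" ];
     };
   };
 };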


@ -7,8 +7,7 @@ let
in in
# usage: # usage:
# sudo -iu df xu-qemu0 # echo set_password vnc correcthorze | xu-qemu0-monitor
# set_password vnc correcthorze
# #
# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return # vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return
# #
@ -16,6 +15,13 @@ in
# #
# make [install] system=xu-qemu0 target_host=10.56.0.101 # make [install] system=xu-qemu0 target_host=10.56.0.101
# TODO iptables -A INPUT -p udp -m udp --dport bootps -j ACCEPT
# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
# TODO echo 1 > /proc/sys/net/ipv4/ip_forward
# TODO ifconfig qemubr0 10.56.0.1/24 up
with lib; with lib;
@ -43,7 +49,6 @@ with lib;
}; };
users.groups.qemu-users.gid = genid "qemu-users"; users.groups.qemu-users.gid = genid "qemu-users";
users.users.df.extraGroups = [ "qemu-users" ];
environment.etc."qemu/bridge.conf".text = '' environment.etc."qemu/bridge.conf".text = ''
allow qemubr0 allow qemubr0
@ -53,29 +58,58 @@ with lib;
pkgs.vncdotool pkgs.vncdotool
]; ];
krebs.per-user.df.packages = [ users.users.xu-qemu0 = {
(pkgs.writeDashBin "xu-qemu0" '' createHome = true;
set -efux group = "qemu-users";
img=$HOME/tmp/xu-qemu0.raw home = "/home/xu-qemu0";
if ! test -e "$img"; then uid = genid "xu-qemu0";
${pkgs.coreutils}/bin/mkdir -p "$(${pkgs.coreutils}/bin/dirname "$img")" };
${pkgs.kvm}/bin/qemu-img create "$img" 10G
fi systemd.services.xu-qemu0 = let
exec ${pkgs.kvm}/bin/qemu-kvm \ in {
-monitor stdio \ after = [ "network.target" "systemd-resolved.service" ];
-boot order=cd \ wantedBy = [ "multi-user.target" ];
-cdrom ${pkgs.fetchurl { serviceConfig = {
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso; User = "xu-qemu0";
sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9"; SyslogIdentifier = "xu-qemu0";
}} \ ExecStart = pkgs.writeDash "xu-qemu0" ''
-m 1024 \ set -efu
-netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \ img=$HOME/tmp/xu-qemu0.raw
-net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \ if ! test -e "$img"; then
-drive file="$img",format=raw \ ${pkgs.coreutils}/bin/mkdir -p "$(${pkgs.coreutils}/bin/dirname "$img")"
-display vnc=:1,websocket=5701,password,lossy \ ${pkgs.kvm}/bin/qemu-img create "$img" 10G
-name xu-qemu0 \ fi
'') exec ${pkgs.kvm}/bin/qemu-kvm \
]; -monitor unix:$HOME/xu-qemu0.sock,server,nowait \
-boot order=cd \
-cdrom ${pkgs.fetchurl {
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9";
}} \
-m 1024 \
-netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \
-net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \
-drive file="$img",format=raw \
-display vnc=:1,websocket=5701,password,lossy \
-name xu-qemu0 \
'';
};
};
system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] ''
src=${pkgs.execve "xu-qemu0-monitor" {
# TODO toC should handle derivation, then we don't have to "${...}" here
filename = "${pkgs.writeDash "xu-qemu0-monitor" ''
exec ${pkgs.socat}/bin/socat \
stdio \
UNIX-CONNECT:${config.users.users.xu-qemu0.home}/xu-qemu0.sock \
''}";
}}
dst=${config.security.wrapperDir}/xu-qemu0-monitor
cp "$src" "$dst"
chown xu-qemu0.tv "$dst"
chmod 4710 "$dst"
'';
#TODO krebs.setuid.qemu-bridge-helper = { #TODO krebs.setuid.qemu-bridge-helper = {
# filename = "${pkgs.qemu}/libexec/qemu-bridge-helper"; # filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";