summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-02-13 19:57:45 +0100
committertv <tv@krebsco.de>2016-02-13 19:58:24 +0100
commit3ca0df0447c30d83c14144ad6f9a95cd4514117c (patch)
treeddee6c7e542731a4fe269e5ee2c59f3383d27c99
parent0e35bc5c193916a5424689d04234978d3c57ecf5 (diff)
tv: add systemd.services.xu-qemu0 + xu-qemu0-monitor
-rw-r--r--tv/2configs/default.nix1
-rw-r--r--tv/2configs/xu-qemu0.nix86
2 files changed, 61 insertions, 26 deletions
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index dee0b15b1..2edaed76d 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -44,6 +44,7 @@ with lib;
tv = {
isNormalUser = true;
uid = 1337;
+ extraGroups = [ "tv" ];
};
};
};
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
index 836603663..4584dcd7c 100644
--- a/tv/2configs/xu-qemu0.nix
+++ b/tv/2configs/xu-qemu0.nix
@@ -7,8 +7,7 @@ let
in
# usage:
-# sudo -iu df xu-qemu0
-# set_password vnc correcthorze
+# echo set_password vnc correcthorze | xu-qemu0-monitor
#
# vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return
#
@@ -16,6 +15,13 @@ in
#
# make [install] system=xu-qemu0 target_host=10.56.0.101
+# TODO iptables -A INPUT -p udp -m udp --dport bootps -j ACCEPT
+# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
+# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
+# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
+# TODO echo 1 > /proc/sys/net/ipv4/ip_forward
+# TODO ifconfig qemubr0 10.56.0.1/24 up
with lib;
@@ -43,7 +49,6 @@ with lib;
};
users.groups.qemu-users.gid = genid "qemu-users";
- users.users.df.extraGroups = [ "qemu-users" ];
environment.etc."qemu/bridge.conf".text = ''
allow qemubr0
@@ -53,29 +58,58 @@ with lib;
pkgs.vncdotool
];
- krebs.per-user.df.packages = [
- (pkgs.writeDashBin "xu-qemu0" ''
- set -efux
- img=$HOME/tmp/xu-qemu0.raw
- if ! test -e "$img"; then
- ${pkgs.coreutils}/bin/mkdir -p "$(${pkgs.coreutils}/bin/dirname "$img")"
- ${pkgs.kvm}/bin/qemu-img create "$img" 10G
- fi
- exec ${pkgs.kvm}/bin/qemu-kvm \
- -monitor stdio \
- -boot order=cd \
- -cdrom ${pkgs.fetchurl {
- url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
- sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9";
- }} \
- -m 1024 \
- -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \
- -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \
- -drive file="$img",format=raw \
- -display vnc=:1,websocket=5701,password,lossy \
- -name xu-qemu0 \
- '')
- ];
+ users.users.xu-qemu0 = {
+ createHome = true;
+ group = "qemu-users";
+ home = "/home/xu-qemu0";
+ uid = genid "xu-qemu0";
+ };
+
+ systemd.services.xu-qemu0 = let
+ in {
+ after = [ "network.target" "systemd-resolved.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "xu-qemu0";
+ SyslogIdentifier = "xu-qemu0";
+ ExecStart = pkgs.writeDash "xu-qemu0" ''
+ set -efu
+ img=$HOME/tmp/xu-qemu0.raw
+ if ! test -e "$img"; then
+ ${pkgs.coreutils}/bin/mkdir -p "$(${pkgs.coreutils}/bin/dirname "$img")"
+ ${pkgs.kvm}/bin/qemu-img create "$img" 10G
+ fi
+ exec ${pkgs.kvm}/bin/qemu-kvm \
+ -monitor unix:$HOME/xu-qemu0.sock,server,nowait \
+ -boot order=cd \
+ -cdrom ${pkgs.fetchurl {
+ url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
+ sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9";
+ }} \
+ -m 1024 \
+ -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \
+ -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \
+ -drive file="$img",format=raw \
+ -display vnc=:1,websocket=5701,password,lossy \
+ -name xu-qemu0 \
+ '';
+ };
+ };
+
+ system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] ''
+ src=${pkgs.execve "xu-qemu0-monitor" {
+ # TODO toC should handle derivation, then we don't have to "${...}" here
+ filename = "${pkgs.writeDash "xu-qemu0-monitor" ''
+ exec ${pkgs.socat}/bin/socat \
+ stdio \
+ UNIX-CONNECT:${config.users.users.xu-qemu0.home}/xu-qemu0.sock \
+ ''}";
+ }}
+ dst=${config.security.wrapperDir}/xu-qemu0-monitor
+ cp "$src" "$dst"
+ chown xu-qemu0.tv "$dst"
+ chmod 4710 "$dst"
+ '';
#TODO krebs.setuid.qemu-bridge-helper = {
# filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";