pyrox.dev / nixpkgs
lol
fork atom

nixos/qemu-vm: add option "restrictNetwork"

This adds an option to the qemu virtualisation module to isolate the
guest's from the host's and outside networks.

This is particularly useful for development sandboxes for example.

The option is disabled by default to preserve the current behaviour.

pacien e039cb9d 6b572437

options
unified split
Changed files
+16 -1
nixos
modules
virtualisation
qemu-vm.nix
+16 -1
nixos/modules/virtualisation/qemu-vm.nix 
···

       
528

       
528

       
 

       
        '';


     

       
529

       
529

       
 

       
    };


     

       
530

       
530

       
 

       



     

       

       
531

       
+

       
    virtualisation.restrictNetwork =


     

       

       
532

       
+

       
      mkOption {


     

       

       
533

       
+

       
        type = types.bool;


     

       

       
534

       
+

       
        default = false;


     

       

       
535

       
+

       
        example = true;


     

       

       
536

       
+

       
        description =


     

       

       
537

       
+

       
          lib.mdDoc ''


     

       

       
538

       
+

       
            If this option is enabled, the guest will be isolated, i.e. it will


     

       

       
539

       
+

       
            not be able to contact the host and no guest IP packets will be


     

       

       
540

       
+

       
            routed over the host to the outside. This option does not affect


     

       

       
541

       
+

       
            any explicitly set forwarding rules.


     

       

       
542

       
+

       
          '';


     

       

       
543

       
+

       
      };


     

       

       
544

       
+

       



     

       
531

       
545

       
 

       
    virtualisation.vlans =


     

       
532

       
546

       
 

       
      mkOption {


     

       
533

       
547

       
 

       
        type = types.listOf types.ints.unsigned;


     
···

       
934

       
948

       
 

       
              else "'guestfwd=${proto}:${guest.address}:${toString guest.port}-" +


     

       
935

       
949

       
 

       
                   "cmd:${pkgs.netcat}/bin/nc ${host.address} ${toString host.port}',"


     

       
936

       
950

       
 

       
          );


     

       

       
951

       
+

       
        restrictNetworkOption = lib.optionalString cfg.restrictNetwork "restrict=on,";


     

       
937

       
952

       
 

       
      in


     

       
938

       
953

       
 

       
      [


     

       
939

       
954

       
 

       
        "-net nic,netdev=user.0,model=virtio"


     

       
940

       

       
-

       
        "-netdev user,id=user.0,${forwardingOptions}\"$QEMU_NET_OPTS\""


     

       

       
955

       
+

       
        "-netdev user,id=user.0,${forwardingOptions}${restrictNetworkOption}\"$QEMU_NET_OPTS\""


     

       
941

       
956

       
 

       
      ];


     

       
942

       
957

       
 

       



     

       
943

       
958

       
 

       
    # FIXME: Consolidate this one day.