tobias/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-11-10 01:33:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

nixos/libvirtd: allow changing firewall backend (#432610)

Browse source
This commit is contained in:
Franz Pletz 2025-08-11 16:00:12 +02:00 committed by GitHub
parent 947be6f49d 28d3245201
commit 43a602c25d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
nixos/doc/manual/release-notes/rl-2511.section.md
View file

@ -170,6 +170,7 @@
- `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server. - `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.
- `libvirt` now supports using `nftables` backend. - `libvirt` now supports using `nftables` backend.
- The `virtualisation.libvirtd.firewallBackend` option can be used to configure the firewall backend used by libvirtd.
- `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively. - `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.
- `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec` - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec`

19
nixos/modules/virtualisation/libvirtd.nix
View file

@ -31,6 +31,10 @@ let
''} ''}
${cfg.qemu.verbatimConfig} ${cfg.qemu.verbatimConfig}
''; '';
networkConfigFile = pkgs.writeText "network.conf" ''
firewall_backend = "${cfg.firewallBackend}"
'';
dirName = "libvirt"; dirName = "libvirt";
subDirs = list: [ dirName ] ++ map (e: "${dirName}/${e}") list; subDirs = list: [ dirName ] ++ map (e: "${dirName}/${e}") list;
@ -385,6 +389,18 @@ in
Whether to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html). Whether to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html).
''; '';
}; };
firewallBackend = mkOption {
type = types.enum [
"iptables"
"nftables"
];
default = if config.networking.nftables.enable then "nftables" else "iptables";
defaultText = lib.literalExpression "if config.networking.nftables.enable then \"nftables\" else \"iptables\"";
description = ''
The backend used to setup virtual network firewall rules.
'';
};
}; };
###### implementation ###### implementation
@ -462,6 +478,9 @@ in
# Copy generated qemu config to libvirt directory # Copy generated qemu config to libvirt directory
cp -f ${qemuConfigFile} /var/lib/${dirName}/qemu.conf cp -f ${qemuConfigFile} /var/lib/${dirName}/qemu.conf
# Copy generated network config to libvirt directory
cp -f ${networkConfigFile} /var/lib/${dirName}/network.conf
# stable (not GC'able as in /nix/store) paths for using in <emulator> section of xml configs # stable (not GC'able as in /nix/store) paths for using in <emulator> section of xml configs
for emulator in ${cfg.package}/libexec/libvirt_lxc ${cfg.qemu.package}/bin/qemu-kvm ${cfg.qemu.package}/bin/qemu-system-*; do for emulator in ${cfg.package}/libexec/libvirt_lxc ${cfg.qemu.package}/bin/qemu-kvm ${cfg.qemu.package}/bin/qemu-system-*; do
ln -s --force "$emulator" /run/${dirName}/nix-emulators/ ln -s --force "$emulator" /run/${dirName}/nix-emulators/