Start of GPU passthrough plan

machines/levitation/configuration.nix

@@ -33,6 +33,9 @@
         sshKey = config.sops.secrets."borg-ssh-key".path;
       };
     };
+    hardware = {
+      amdPassthrough = true;
+    };
     config = {
       isDesktop = true;
       setupGrub = true;

modules/linux/default.nix

@@ -102,6 +102,8 @@ in
         # Logitech hardware support
         # On by default if the system is a desktop
         logitech = mkDefaultOption "logitech" config.nathan.config.isDesktop;
+        # AMD Single gpu passthrough
+        amdPassthrough = mkEnableOption "logitech";
       };
       # Linux specific configuration
       config = {

modules/linux/hardware.nix

@@ -4,10 +4,34 @@ let
 in
 with lib;
 {
-  config = {
+  config = mkMerge [
-    hardware.logitech.wireless = mkIf nw.logitech {
+    {
-      enable = true;
+      hardware.logitech.wireless = mkIf nw.logitech {
-      enableGraphical = true;
+        enable = true;
-    };
+        enableGraphical = true;
-  };
+      };
+    }
+    (mkIf nw.amdPassthrough {
+      # Turn on IOMMU and the needed drivers
+      boot = {
+        kernelParams = [ "amd_iommu=on" ];
+        kernelModules = [ "kvm-amd" "vifo-pci" ];
+      };
+      # Enable libvirtd
+      virtualisation.libvirtd = {
+        enable = true;
+        onBoot = "ignore";
+        onShutdown = "shutdown";
+        qemu = {
+          ovmf = {
+            enable = true;
+            package = pkgs.OVMFFull;
+            runAsRoot = true;
+          };
+          swtpm.enable = true;
+        };
+      };
+
+    })
+  ];
 }

modules/linux/user.nix

@@ -3,50 +3,55 @@ let
   nc = config.nathan.config;
 in
 with lib; {
-  config = {
+  config = mkMerge [
-    users = {
+    {
-      # If we install the user and the system is hardended, then disable mutable users
+      users = {
-      mutableUsers = !(nc.installUser && nc.harden);
+        # If we install the user and the system is hardended, then disable mutable users
-      # Configure our user, if enabled
+        mutableUsers = !(nc.installUser && nc.harden);
-      users."${nc.user}" = mkMerge [
+        # Configure our user, if enabled
-        (mkIf nc.installUser
+        users."${nc.user}" = mkMerge [
-          {
+          (mkIf nc.installUser
-            # Darwin is special
+            {
-            home = if pkgs.stdenv.isDarwin then "/Users/nathan" else "/home/nathan";
+              # Darwin is special
-            description = "Nathan McCarty";
+              home = if pkgs.stdenv.isDarwin then "/Users/nathan" else "/home/nathan";
-            shell = pkgs.fish;
+              description = "Nathan McCarty";
-            # Linux specific configuration next
+              shell = pkgs.fish;
+              # Linux specific configuration next
+            })
+          (mkIf (nc.installUser && pkgs.stdenv.isLinux) {
+            isNormalUser = true;
+            extraGroups = [ "wheel" "networkmanager" "audio" "docker" "libvirtd" "uinput" "adbusers" "plugdev" ];
+            hashedPassword = "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58.";
+            openssh.authorizedKeys.keys = [
+              # yubikey ssh key
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515"
+              # Macbook pro key
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBfkO7kq37RQMT8UE8zQt/vP4Ub7kizLw6niToJwAIe nathan@Nathans-MacBook-Pro.local"
+              # Phone key
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR0zpmBCb0iEOeeI6SBwgucddNzccfQ5Zmdgib5iSmF nix-on-droid@localhost"
+              # Tablet key
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKltqneJjfdLjOvnWQC2iP7hP7aTYkURPiR8LFjB7z87 nix-on-droid@localhost"
+            ];
           })
-        (mkIf (nc.installUser && pkgs.stdenv.isLinux) {
+        ];
-          isNormalUser = true;
+      };
-          extraGroups = [ "wheel" "networkmanager" "audio" "docker" "libvirtd" "uinput" "adbusers" "plugdev" ];
+      # If we install the user, enable sudo
-          hashedPassword = "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58.";
+      security.sudo.enable = mkDefault nc.installUser;
-          openssh.authorizedKeys.keys = [
+      # If we isntall the user, make them trusted
-            # yubikey ssh key
+      nix.settings.trusted-users =
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515"
+        if nc.installUser then [
-            # Macbook pro key
+          "nathan"
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBfkO7kq37RQMT8UE8zQt/vP4Ub7kizLw6niToJwAIe nathan@Nathans-MacBook-Pro.local"
+        ] else [ ];
-            # Phone key
+      # If we setup the user, install the shell as well
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR0zpmBCb0iEOeeI6SBwgucddNzccfQ5Zmdgib5iSmF nix-on-droid@localhost"
+      environment.systemPackages =
-            # Tablet key
+        if nc.installUser then [
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKltqneJjfdLjOvnWQC2iP7hP7aTYkURPiR8LFjB7z87 nix-on-droid@localhost"
+          pkgs.fish
-          ];
+        ] else [ ];
-        })
+      # Configure the timezone
-      ];
+      time.timeZone = "America/New_York";
-    };
+    }
-    # If we install the user, enable sudo
+    (mkIf config.nathan.config.hardware.amdPassthrough {
-    security.sudo.enable = mkDefault nc.installUser;
+      users.users."${nc.user}".extraGroups = [ "libvirtd" ];
-    # If we isntall the user, make them trusted
+    })
-    nix.settings.trusted-users =
+  ];
-      if nc.installUser then [
-        "nathan"
-      ] else [ ];
-    # If we setup the user, install the shell as well
-    environment.systemPackages =
-      if nc.installUser then [
-        pkgs.fish
-      ] else [ ];
-    # Configure the timezone
-    time.timeZone = "America/New_York";
-  };
 }