| field | value |
|---|---|
| author | 2026-05-13 13:43:40 +0100 |
| committer | 2026-05-13 13:43:40 +0100 |
| commit | 90f98cb17a432beaffd7975f631ab31afdfded1b (patch) |
| tree | 7ca8fc33ad3dee54cdb2278e85773e7c0d5c072b |
| parent | 1f306501dea892c3c90bdfdddc9a9cc668865e87 (diff) |
| download | dotfiles-90f98cb17a432beaffd7975f631ab31afdfded1b.tar.gz, dotfiles-90f98cb17a432beaffd7975f631ab31afdfded1b.tar.bz2, dotfiles-90f98cb17a432beaffd7975f631ab31afdfded1b.zip |
feat: add libvirt/qemu/swtpm stack for Sii Intune VM
Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A
QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance
checks without dual-booting Windows.
- meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm,
virtiofsd, dnsmasq
- systemd-units/system.txt: libvirtd.socket (socket-activated)
- etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt
management, mirroring the existing networkd polkit rule
Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are
unrelated to this change.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | etc/polkit-1/rules.d/50-libvirt-wheel.rules | 13 |
| -rw-r--r-- | meta/work.txt | 7 |
| -rw-r--r-- | systemd-units/system.txt | 4 |

3 files changed, 24 insertions, 0 deletions
diff --git a/etc/polkit-1/rules.d/50-libvirt-wheel.rules b/etc/polkit-1/rules.d/50-libvirt-wheel.rules new file mode 100644 index 0000000..fac69bd --- /dev/null +++ b/etc/polkit-1/rules.d/50-libvirt-wheel.rules @@ -0,0 +1,13 @@ +// Allow members of the `wheel` group to manage libvirt (start/stop VMs, +// edit domains, attach devices) without a polkit password prompt. +// This single-user system already trusts wheel for administrative work +// via sudo-rs; libvirt's polkit gate is a separate path that does not +// honour sudoers, so a polkit rule is the idiomatic fix. +polkit.addRule(function (action, subject) { + if ( + action.id == "org.libvirt.unix.manage" && + subject.isInGroup("wheel") + ) { + return polkit.Result.YES; + } +}); diff --git a/meta/work.txt b/meta/work.txt index 8ea325e..c7b04c9 100644 --- a/meta/work.txt +++ b/meta/work.txt @@ -2,10 +2,17 @@ bear compiledb cuda cvise +dnsmasq +edk2-ovmf git-lfs intel-oneapi-dpcpp-cpp +libvirt llvm openmp python-pytest +qemu-desktop snx-rs +swtpm +virt-manager +virtiofsd xdot diff --git a/systemd-units/system.txt b/systemd-units/system.txt index 154ce4c..582a508 100644 --- a/systemd-units/system.txt +++ b/systemd-units/system.txt @@ -31,3 +31,7 @@ tor.service # --- nix (socket-activated builder daemon; the .service spawns on first # client connect, the .socket is what gets enabled) --- nix-daemon.socket + +# --- libvirt (socket-activated; daemons spawn on first virsh/virt-manager +# connect, the .socket is what gets enabled) --- +libvirtd.socket |
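Review bot: in the 50-libvirt-wheel.rules hunk, `return polkit.Result.YES` is weaker than the sudo-rs parity the file comment claims: sudo still prompts for a password, whereas this grants `org.libvirt.unix.manage` to every process of a wheel user with no prompt at all, and because the only check is `subject.isInGroup("wheel")` (no `subject.local` / `subject.active`), a non-interactive SSH session or a cron job in wheel gets the same grant. If "no prompt ever" is the intent (the commit message's single-user rationale suggests so), state that in the comment instead of the sudo comparison; otherwise use `polkit.Result.AUTH_ADMIN_KEEP`, which prompts once and caches the authorisation the way sudo does, or at least add `&& subject.local && subject.active` to the condition.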
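Review bot: in the meta/work.txt hunk the seven new packages are interleaved into the alphabetical list with nothing recording why they are there, unlike systemd-units/system.txt in the same commit, which groups related units under `# --- ... ---` section comments. Since dnsmasq, edk2-ovmf, libvirt, qemu-desktop, swtpm, virt-manager and virtiofsd exist only for the Sii Intune VM (per the commit message), a short comment next to them, if the list format permits comments, would let the whole group be removed together once the VM is no longer needed; as written, a later reader has no way to tell that dnsmasq or virtiofsd belong to the VM stack rather than to some other workflow.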
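Review bot: in the systemd-units/system.txt hunk the new comment says "daemons spawn on first virsh/virt-manager connect" but the only unit listed is `libvirtd.socket`, the socket of the monolithic libvirtd daemon. If the host is meant to run the modular virt*d daemons instead, their sockets (virtqemud.socket, virtnetworkd.socket, virtstoraged.socket, and so on) are separate units that libvirtd.socket will not start. Either change "daemons" to "daemon" so the monolithic choice is explicit, or list the modular sockets here; the mismatch between the comment and the single unit makes the intended deployment ambiguous.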
