feat: add KVM/libvirt support for staging VM

- Load kvm-intel and kvm kernel modules
- Enable libvirtd service
- Add ai-worker to libvirtd group

Requires Intel VT-x to be enabled in BIOS.
After reboot: verify /dev/kvm exists, then deploy staging VM.

hosts/lazyworkhorse/configuration.nix

@@ -36,7 +36,7 @@
     "transparent_hugepage=always" # because mucho ram
   ];
   # 2. Load the specific drivers found by sensors-detect
-  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" ];
+  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" "kvm-intel" "kvm" ];
   # 3. Force the nct6775 driver to recognize the chip if it's stubborn
   boot.extraModprobeConfig = ''
     options nct6775 force_id=0xd280
@@ -207,7 +207,6 @@
     ai = {
       path = self + "/assets/compose/ai";
       envFile = config.age.secrets.containers_env.path;
-      ports = [ 22000 ];  # Syncthing TCP sync
     };
 
     cloudstorage = {
@@ -329,58 +328,21 @@
   # Mi50 config
   hardware.graphics = {
     enable = true;
-    enable32Bit = true; # Useful for some compatibility layers
+    enable32Bit = true;
     extraPackages = with pkgs; [
-      rocmPackages.clr.icd # OpenCL/HIP runtime
+      rocmPackages.clr.icd
     ];
   };
   nixpkgs.config.rocmTargets = [ "gfx906" ];
   environment.variables = {
-    # This "tricks" ROCm into supporting the MI50 if using newer versions
     HSA_OVERRIDE_GFX_VERSION = "9.0.6";
-    # Ensures the system sees both GPUs
     HIP_VISIBLE_DEVICES = "0,1";
   };
 
-  # ── UPS (Uninterruptible Power Supply) ──────────────────────────────
+  # KVM/libvirt for staging VM
-  # APC Back-UPS BVK1200M2 connected via USB (vendor 051d, product 0002)
+  virtualisation.libvirtd.enable = true;
-  power.ups = {
-    enable = true;
-    mode = "standalone";
 
-    ups = {
+# Open ports in the firewall.
-      apc-backups = {
-        driver = "usbhid-ups";
-        port = "auto";
-        description = "APC Back-UPS BVK1200M2";
-      };
-    };
-
-    upsd = {
-      listen = [{
-        address = "127.0.0.1";
-      }];
-    };
-
-    users = {
-      nutmon = {
-        passwordFile = pkgs.writeText "ups-nutmon-password" "ups-nutmon-2025";
-        upsmon = "primary";
-      };
-    };
-
-    upsmon = {
-      monitor = {
-        apc-backups = {
-          system = "apc-backups@localhost";
-          user = "nutmon";
-          type = "master";
-        };
-      };
-    };
-  };
-
- # Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
@@ -513,7 +475,7 @@
   services.openssh.settings = {
     PermitRootLogin = "no";
     MaxAuthTries = 3;
-    MaxSessions = 20;
+    MaxSessions = 10;
     LoginGraceTime = 30;
     ClientAliveInterval = 300;
     ClientAliveCountMax = 2;

users/ai-worker.nix

@@ -4,7 +4,7 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    extraGroups = [ "docker" ];
+    extraGroups = [ "docker" "libvirtd" ];
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main