QEMU VM Baseliner
docadd: added shout out and note on credential repo
Initial commit



You can also use your local clone with git send-email.

 ___               _ _
| _ ) __ _ ___ ___| (_)_ _  ___ _ _
| _ \/ _` (_-</ -_) | | ' \/ -_) '_|

#QEMU/KVM image build system


sudo cp installer/local_br0 /etc/network/interfaces.d/br0 && ifup br0
sudo cp installer/local_macvtap0 /etc/network/interfaces.d/macvtap0 && ifup macvtap0
echo "source /etc/network/interfaces.d/macvtap0" >> /etc/network/interfaces
sudo make clean
CREDENTIAL_REPO="https://git.sr.ht/~lucidone/baseliner_security.git" make
make start


sudo apt show pass
pip3 install shyaml
sudo go get github.com/hashicorp/packer

The default initial password can be set via

pass edit account/ops

Please see the pass manpage for more information


It is suggested to use direnv to manage the environment variables that configure operation.


export CREDENTIAL_REPO="https://git.sr.ht/~lucidone/baseliner_security.git"
export PASSWORD_PATH="production/ops"
export INSTALL_DIR="/data/production"

#Install - Single VM

sudo make install_host.example.org


This tool builds Debian VMs using QEMU, packer, and Ansible.


The result of this system should be to generate a baseline image in a consistent and reproducible way. It is not meant to complete system configuration, but to make it possible.

  • make start should produce a running system
  • Baseline networking should be active and configured
  • Networking is limited to ('bastion', 'internal', 'external') interfaces
  • sshd
    • ops account is created with administrators authorized_keys
    • passwords disabled
    • sshd running on port 2222
    • known_hosts should be automatically updated


#make <hostname>

Builds a VM from a host_<hostname>.yml config file


qemu disk image: build/host.example.org/host.example.org.raw The make install target will install build artifacts to /data/vm/<hostname> by default. Set INSTALL_DIR to customize.



CREDENTIAL_REPO is a signed git repository that contains the ssh keys of all of the administrators. These keys should be stored in ssh/id*.pub and will be added to the authorized_keys for the the ops user.

An example is available at https://git.sr.ht/~lucidone/baseliner_security.git

#Security / Permissions

The user building VMs should be a memeber of group kvm and netdev.

If sudo is prefered, modifications will need to be made to securely pass the image password as an environmental variable edit /etc/sudoers with visudo

Defaults        env_keep+="IMAGE_PASSWORD"

#PCIe Passthrough

There is some support for vfio-pci based network devices. For more details, please see this.




baseliner is distributed under the terms of both

at your option.