vmix run command, virtio-drivers template, delay-oobe-run flag

CLI:
- `vmix run <qcow2>` boots image with QEMU (SDL if DISPLAY, snapshot mode)
- --generalize supports delay-oobe-run=true to defer OOBE + activation
  to first boot on real hardware (for physical disk deployments)

Templates:
- essentials.virtioDrivers: installs VirtIO drivers only (no guest agent)
  used in laptop bundle for network access during Office download
- generalize: delayOobeRun flag controls sysprep /shutdown vs /reboot
  delays OOBE, user creation and HWID activation to target device

Build:
- suppress XDG_RUNTIME_DIR and homeless-shelter warnings in SDL mode
- remove invalid ICH9-LMB global properties

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/images/windows/helpers/customizeImage.nix

@@ -85,6 +85,8 @@
         VMIX_DF=$(ls -t /tmp/.vmix-display-* 2>/dev/null | head -1)
         if [ -n "$VMIX_DF" ]; then
           export DISPLAY=$(cat "$VMIX_DF")
+          export HOME=$(mktemp -d)
+          export XDG_RUNTIME_DIR=$HOME
           VMIX_DISPLAY="-display sdl"
         fi
       ''}
@@ -101,7 +103,6 @@
         -drive if=pflash,format=raw,file=vars.fd \
         -rtc base=localtime,clock=host \
         -device qemu-xhci -device usb-tablet \
-        -global ICH9-LMB.disable_s3=1 -global ICH9-LMB.disable_s4=1 \
         -drive file=${resultImg},format=qcow2,if=virtio \
         ${cdromArgs} \
         -nic user,model=virtio-net-pci

lib/images/windows/helpers/makeImage.nix

@@ -51,6 +51,8 @@ let
       VMIX_DF=$(ls -t /tmp/.vmix-display-* 2>/dev/null | head -1)
       if [ -n "$VMIX_DF" ]; then
         export DISPLAY=$(cat "$VMIX_DF")
+        export HOME=$(mktemp -d)
+        export XDG_RUNTIME_DIR=$HOME
         VMIX_DISPLAY="-display sdl"
       fi
     ''}
@@ -68,7 +70,6 @@ let
       -drive if=pflash,format=raw,file=vars.fd \
       -rtc base=localtime,clock=host \
       -device qemu-xhci -device usb-tablet \
-      -global ICH9-LMB.disable_s3=1 -global ICH9-LMB.disable_s4=1 \
       -drive file=disk.qcow2,format=qcow2,if=virtio \
       -drive file=${iso},media=cdrom,readonly=on \
       -drive file=${drivers.virtio-iso},media=cdrom,readonly=on \

lib/images/windows/templates/default.nix

@@ -19,6 +19,7 @@ in rec {
     vcppRuntimes    = import ./essentials/vcpp-runtimes.nix args;
     bestPerformance      = import ./essentials/best-performance.nix args;
     clearFileAssociations = import ./essentials/clear-file-associations.nix args;
+    virtioDrivers   = import ./essentials/virtio-drivers.nix args;
   };
 
   # Applications
@@ -35,7 +36,7 @@ in rec {
   # Default file associations policy
   defaultApps = import ./default-apps.nix args;
 
-  # Generalize (sysprep + OOBE)
+  # Generalize (sysprep + OOBE). Pass seal=true for hardware deployment.
   generalize = import ./generalize.nix args;
 
   # Offline registry templates
@@ -59,10 +60,10 @@ in rec {
       reg.performanceTweaks
       apps.edgeWebview
       apps.thorium
-      apps.sandboxie
       apps.sevenZip
       apps.vlc
       apps.imageGlass
+      essentials.virtioDrivers # needed for network during Office download
       apps.office
     ];
   };

lib/images/windows/templates/essentials/virtio-drivers.nix

@@ -0,0 +1,18 @@
+# Install VirtIO drivers only (no guest agent or SPICE)
+# Used during build for network access, not needed on real hardware
+{ drivers, ... }:
+{
+  name = "virtio-drv";
+  cdroms = [ drivers.virtio-iso ];
+  auditScript = ''
+    @echo off
+    if exist D:\cert\virtio_win_cert.cer (
+      certutil -addstore TrustedPublisher D:\cert\virtio_win_cert.cer
+    )
+    :: Install drivers via pnputil (network, storage, balloon, serial)
+    for %%d in (NetKVM vioinput viostor vioscsi Balloon vioserial) do (
+      if exist "D:\%%d\w10\amd64" pnputil /add-driver "D:\%%d\w10\amd64\*.inf" /install 2>nul
+      if exist "D:\%%d\w11\amd64" pnputil /add-driver "D:\%%d\w11\amd64\*.inf" /install 2>nul
+    )
+  '';
+}

lib/images/windows/templates/generalize.nix

@@ -19,6 +19,9 @@ in
   timezone ? "UTC",
   # Desktop background solid color as hex string (e.g. "8e8cd8")
   bgColor ? null,
+  # delayOobeRun = true: sysprep only, OOBE + activation on real hardware
+  # delayOobeRun = false: sysprep + OOBE + activation in build VM
+  delayOobeRun ? false,
 }: let
   # Convert "8e8cd8" hex to "142 140 216" decimal RGB for Windows registry
   hexToRgbStr = hex: let
@@ -74,7 +77,7 @@ in
     del /q C:\vmix-audit-script.cmd 2>nul
     del /q C:\vmix-audit-wrapper.cmd 2>nul
 
-    shutdown /s /t 5 /c "vmix generalize complete"
+    ${if delayOobeRun then "" else "shutdown /s /t 5 /c \"vmix generalize complete\""}
     del /q C:\post-oobe.cmd 2>nul
   '';
 
@@ -145,16 +148,17 @@ in
     </unattend>
   '';
 in {
-  name = "generalize";
+  name = if delayOobeRun then "sealed" else "generalize";
   uploads = [
     { source = oobeXml; dest = "/oobe-unattend.xml"; }
     { source = postOobeScript; dest = "/post-oobe.cmd"; }
     { source = masScript; dest = "/MAS_AIO.cmd"; }
   ];
-  # Sysprep reboots into OOBE within the same QEMU session
+  # delayOobeRun: sysprep + shutdown — OOBE runs on real hardware
+  # generalize: sysprep + reboot into OOBE in the same QEMU session
   auditScript = ''
     @echo off
-    C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /reboot /quiet /unattend:C:\oobe-unattend.xml
+    C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe ${if delayOobeRun then "/shutdown" else "/reboot"} /quiet /unattend:C:\oobe-unattend.xml
   '';
 }