vmix run command, virtio-drivers template, delay-oobe-run flag

CLI:
- `vmix run <qcow2>` boots image with QEMU (SDL if DISPLAY, snapshot mode)
- --generalize supports delay-oobe-run=true to defer OOBE + activation
  to first boot on real hardware (for physical disk deployments)

Templates:
- essentials.virtioDrivers: installs VirtIO drivers only (no guest agent)
  used in laptop bundle for network access during Office download
- generalize: delayOobeRun flag controls sysprep /shutdown vs /reboot
  delays OOBE, user creation and HWID activation to target device

Build:
- suppress XDG_RUNTIME_DIR and homeless-shelter warnings in SDL mode
- remove invalid ICH9-LMB global properties

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/images/windows/templates/default.nix

@@ -19,6 +19,7 @@ in rec {
     vcppRuntimes    = import ./essentials/vcpp-runtimes.nix args;
     bestPerformance      = import ./essentials/best-performance.nix args;
     clearFileAssociations = import ./essentials/clear-file-associations.nix args;
+    virtioDrivers   = import ./essentials/virtio-drivers.nix args;
   };
 
   # Applications
@@ -35,7 +36,7 @@ in rec {
   # Default file associations policy
   defaultApps = import ./default-apps.nix args;
 
-  # Generalize (sysprep + OOBE)
+  # Generalize (sysprep + OOBE). Pass seal=true for hardware deployment.
   generalize = import ./generalize.nix args;
 
   # Offline registry templates
@@ -59,10 +60,10 @@ in rec {
       reg.performanceTweaks
       apps.edgeWebview
       apps.thorium
-      apps.sandboxie
       apps.sevenZip
       apps.vlc
       apps.imageGlass
+      essentials.virtioDrivers # needed for network during Office download
       apps.office
     ];
   };

lib/images/windows/templates/essentials/virtio-drivers.nix

@@ -0,0 +1,18 @@
+# Install VirtIO drivers only (no guest agent or SPICE)
+# Used during build for network access, not needed on real hardware
+{ drivers, ... }:
+{
+  name = "virtio-drv";
+  cdroms = [ drivers.virtio-iso ];
+  auditScript = ''
+    @echo off
+    if exist D:\cert\virtio_win_cert.cer (
+      certutil -addstore TrustedPublisher D:\cert\virtio_win_cert.cer
+    )
+    :: Install drivers via pnputil (network, storage, balloon, serial)
+    for %%d in (NetKVM vioinput viostor vioscsi Balloon vioserial) do (
+      if exist "D:\%%d\w10\amd64" pnputil /add-driver "D:\%%d\w10\amd64\*.inf" /install 2>nul
+      if exist "D:\%%d\w11\amd64" pnputil /add-driver "D:\%%d\w11\amd64\*.inf" /install 2>nul
+    )
+  '';
+}

lib/images/windows/templates/generalize.nix

@@ -19,6 +19,9 @@ in
   timezone ? "UTC",
   # Desktop background solid color as hex string (e.g. "8e8cd8")
   bgColor ? null,
+  # delayOobeRun = true: sysprep only, OOBE + activation on real hardware
+  # delayOobeRun = false: sysprep + OOBE + activation in build VM
+  delayOobeRun ? false,
 }: let
   # Convert "8e8cd8" hex to "142 140 216" decimal RGB for Windows registry
   hexToRgbStr = hex: let
@@ -74,7 +77,7 @@ in
     del /q C:\vmix-audit-script.cmd 2>nul
     del /q C:\vmix-audit-wrapper.cmd 2>nul
 
-    shutdown /s /t 5 /c "vmix generalize complete"
+    ${if delayOobeRun then "" else "shutdown /s /t 5 /c \"vmix generalize complete\""}
     del /q C:\post-oobe.cmd 2>nul
   '';
 
@@ -145,16 +148,17 @@ in
     </unattend>
   '';
 in {
-  name = "generalize";
+  name = if delayOobeRun then "sealed" else "generalize";
   uploads = [
     { source = oobeXml; dest = "/oobe-unattend.xml"; }
     { source = postOobeScript; dest = "/post-oobe.cmd"; }
     { source = masScript; dest = "/MAS_AIO.cmd"; }
   ];
-  # Sysprep reboots into OOBE within the same QEMU session
+  # delayOobeRun: sysprep + shutdown — OOBE runs on real hardware
+  # generalize: sysprep + reboot into OOBE in the same QEMU session
   auditScript = ''
     @echo off
-    C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /reboot /quiet /unattend:C:\oobe-unattend.xml
+    C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe ${if delayOobeRun then "/shutdown" else "/reboot"} /quiet /unattend:C:\oobe-unattend.xml
   '';
 }