From 55697e5d8959f8693530bfc448314e7f7a93478d Mon Sep 17 00:00:00 2001 From: Git Sagar Date: Tue, 9 Jun 2026 10:06:41 +0530 Subject: [PATCH 1/3] switch from HWID to TSforge activation - Switch MAS from /HWID to /Z-Windows (TSforge ZeroCID) which is hardware-independent and survives VM migration - Re-install product key and restart SPP service before TSforge to restore licensing state after sysprep - Add nicModel option to customizeImage and generalize for images without VirtIO drivers - Update MAS activation script to latest version Co-Authored-By: Claude Opus 4.6 (1M context) --- lib/images/windows/helpers/customizeImage.nix | 13 +++++++++++-- lib/images/windows/templates/generalize.nix | 11 +++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/lib/images/windows/helpers/customizeImage.nix b/lib/images/windows/helpers/customizeImage.nix index 79dc155..19758b9 100644 --- a/lib/images/windows/helpers/customizeImage.nix +++ b/lib/images/windows/helpers/customizeImage.nix @@ -25,6 +25,10 @@ smp ? 4, memSize ? 4096, nicModel ? null, + # Flatten COW chain into a standalone qcow2 (removes backing file dependency) + compact ? false, + # QEMU timeout in seconds (default 30 min, increase for Windows Update) + qemuTimeout ? 1800, }: let originalImageName = lib.strings.removeSuffix "-vmix" (lib.strings.removeSuffix ".qcow2" originalImage.name); @@ -107,11 +111,11 @@ ${cdromArgs} \ -nic user,model=${if nicModel != null then nicModel else if isAHCI then "e1000" else "virtio-net-pci"}" - timeout 1800 qemu-system-x86_64 $VMIX_DISPLAY $QEMU_ARGS || \ + timeout ${toString qemuTimeout} qemu-system-x86_64 $VMIX_DISPLAY $QEMU_ARGS || \ if [[ "$VMIX_DISPLAY" == "-display sdl" ]]; then echo "=== vmix: SDL failed, retrying headless ===" cp ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd vars.fd && chmod +w vars.fd - timeout 1800 qemu-system-x86_64 -nographic $QEMU_ARGS + timeout ${toString qemuTimeout} qemu-system-x86_64 -nographic $QEMU_ARGS else exit 1 fi 
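Review bot: The new arguments `compact` and `qemuTimeout` are accepted without any type check, and `qemuTimeout` reaches the builder script through `toString` in the later `timeout …` hunk of this file. A string or a non-positive value is therefore passed to the shell as written, and `timeout 0` disables the limit altogether. An assertion ahead of the `let`, for example `assert builtins.isInt qemuTimeout && qemuTimeout > 0;` and `assert builtins.isBool compact;`, would turn a bad value into an evaluation error. The argument set and the `let` both continue outside the hunk.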
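Review bot: The `||` fallback after `timeout ${toString qemuTimeout} qemu-system-x86_64 …` still treats every non-zero exit the same way, so when `VMIX_DISPLAY` is `-display sdl`, a run that `timeout` killed (exit status 124) is retried headless for another full `qemuTimeout` seconds. From the visible lines the retry resets only `vars.fd`, so it appears to boot the disk the first run already modified. Checking the status first, e.g. `|| { rc=$?; [ "$rc" -eq 124 ] && exit "$rc"; … existing SDL retry … }`, would keep the retry for display failures only. The builder script starts and ends outside the hunk.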
@@ -125,6 +129,11 @@ [ -n "${diskSize}" ] && qemu-img resize ${resultImg} ${diskSize} ${virtWinRegMerge} ${auditBootCommands} + ${lib.optionalString compact '' + echo "=== vmix: compacting image ===" + qemu-img convert -O qcow2 ${resultImg} compact.qcow2 + mv compact.qcow2 ${resultImg} + ''} mv ${resultImg} $out ''; builtImage = pkgs.runCommand customImageName ({ diff --git a/lib/images/windows/templates/generalize.nix b/lib/images/windows/templates/generalize.nix index 0caa5b9..cf1f2e2 100644 --- a/lib/images/windows/templates/generalize.nix +++ b/lib/images/windows/templates/generalize.nix @@ -81,9 +81,16 @@ in powershell -Command "Get-AppxPackage *MicrosoftEdgeDevToolsClient* | Remove-AppxPackage -ErrorAction SilentlyContinue" - :: Activate Windows using HWID method + :: Re-install product key and licenses to restore activation IDs after sysprep + cscript //nologo C:\Windows\System32\slmgr.vbs /ipk M7XTQ-FN8P6-TTKYV-9D4CC-J462D + cscript //nologo C:\Windows\System32\slmgr.vbs /rilc + :: Restart SPP service and wait for it to settle + net stop sppsvc /y 2>nul + net start sppsvc + ping -n 10 127.0.0.1 >nul + :: Activate Windows using TSforge if exist C:\MAS_AIO.cmd ( - echo. | call C:\MAS_AIO.cmd /HWID + echo. | call C:\MAS_AIO.cmd /Z-Windows ) :: Activate Office using Ohook method (if Office is installed) if exist "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ( From 192ea9b54d346108de913a1a12d928c6ea3f58a7 Mon Sep 17 00:00:00 2001 
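Review bot: `qemu-img convert` is called without `-f`, so the source format of `${resultImg}` is probed, and this happens after the guest has booted from and written to that image. If the image is qcow2, as the `-O qcow2` target and the option's "COW chain" comment suggest, stating it with `qemu-img convert -f qcow2 -O qcow2 ${resultImg} compact.qcow2` removes the probe. The step also needs room for a second full copy of the disk in the build directory, which is worth a comment next to the `compact` option. The builder script starts and ends outside the hunk.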
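Review bot: None of the new licensing steps checks its result: `slmgr.vbs /ipk` is given a single hard-coded key, which presumably matches only one Windows edition, and if it is rejected or `net start sppsvc` fails, the script still goes on to `C:\MAS_AIO.cmd`. Taking the key from a template argument and adding a check such as `if errorlevel 1 echo vmix: slmgr /ipk failed` after each call would make failures visible. Polling `sc query sppsvc` would be more reliable than the fixed `ping -n 10` delay. `C:\MAS_AIO.cmd` is run on an `if exist` test alone, and how it gets into the image is not visible here, so it should be confirmed that it is fetched by fixed hash rather than downloaded at build time. The batch template starts and ends outside the hunk.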
From: Git Sagar Date: Mon, 15 Jun 2026 10:04:52 -0300 Subject: [PATCH 2/3] fix: use vmix's own locked nixpkgs for all image building The NixOS module was importing lib directly with the host's pkgs, causing image customization to use the host's guestfs-tools instead of vmix's locked version. guestfs-tools 1.52.2 (from host nixpkgs) has a bug that overwrites /boot/grub/grub.cfg with resolv.conf content, breaking VM boot. Now vmixLib is built once in flake.nix with vmix's own nixpkgs and passed through the overlay to pkgs.vmixLib. Removes overlay.nix and module.nix as the logic is inlined in flake.nix. Co-Authored-By: Claude Opus 4.6 (1M context) --- flake.nix | 7 +++++-- module.nix | 6 ------ nixos/default.nix | 6 ++---- overlay.nix | 7 ------- 4 files changed, 7 insertions(+), 19 deletions(-) delete mode 100644 module.nix delete mode 100644 overlay.nix diff --git a/flake.nix b/flake.nix index 9cbbbde..4ec2e5a 100644 --- a/flake.nix +++ b/flake.nix @@ -15,9 +15,12 @@ lib = pkgs.lib; vmixLib = import ./lib { inherit pkgs lib system; }; in { - overlays.default = import ./overlay.nix; + overlays.default = final: prev: { inherit vmixLib; }; - nixosModules.default = import ./module.nix; + nixosModules.default = { config, pkgs, lib, ... }: { + imports = [ ./nixos/default.nix ]; + config.nixpkgs.overlays = [ self.overlays.default ]; + }; lib.${system} = vmixLib; diff --git a/module.nix b/module.nix deleted file mode 100644 index 1f26736..0000000 --- a/module.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - imports = [ - ./nixos/default.nix - ]; -} \ No newline at end of file diff --git a/nixos/default.nix b/nixos/default.nix index 2944e04..75dce49 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: with lib; let - vmixLib = import ./../lib {inherit pkgs lib; }; + vmixLib = pkgs.vmixLib; args = { inherit config pkgs lib vmixLib; }; in { 
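Review bot: The new `overlays.default` ignores `final` and `prev` and injects the `vmixLib` bound in the enclosing `let`, which is built for that `let`'s `system` from the flake's locked nixpkgs; the `let` starts outside the hunk. That pinning is the purpose of the commit, but it also means fixes to qemu or guestfs-tools in the host's nixpkgs no longer reach image builds until `flake.lock` is bumped, and a host on a different `system` would presumably get the wrong build. A comment on the overlay such as `# vmixLib comes from this flake's locked nixpkgs, not from final/prev; update flake.lock to pick up tool fixes` would record that. The module's `config`, `pkgs` and `lib` arguments are unused and could be reduced to `{ ... }:`.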
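Review bot: `vmixLib = pkgs.vmixLib;` depends on an overlay that this file no longer adds itself, because the last hunk of this file removes `config.nixpkgs.overlays`. Importing `./nixos/default.nix` directly, rather than through `nixosModules.default`, therefore fails with a bare missing-attribute error. A fallback that explains the cause would help: `vmixLib = pkgs.vmixLib or (throw "vmix: pkgs.vmixLib is missing; import nixosModules.default from the flake");`. The module body continues outside the hunk.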
@@ -15,6 +15,4 @@ in (types.submodule (import ./namespaceSubmoduleOptions.nix args)); default = {}; }; - - config.nixpkgs.overlays = [ (import ../overlay.nix) ]; -} \ No newline at end of file +} diff --git a/overlay.nix b/overlay.nix deleted file mode 100644 index 0f26929..0000000 --- a/overlay.nix +++ /dev/null @@ -1,7 +0,0 @@ -final: prev: -let - # Pin vmixLib to nixpkgs 25-11 so all VM images are built with a consistent toolchain - vmixPkgs = prev.v25-11 or prev; -in { - vmixLib = vmixPkgs.callPackage ./lib {}; -} \ No newline at end of file From 40e80df84aebe62f197840725597f1fe6e225c78 Mon Sep 17 00:00:00 2001 From: Git Sagar Date: Mon, 15 Jun 2026 11:06:06 -0300 Subject: [PATCH 3/3] fix: ensure ip forwarding is enabled for vmix namespaces NixOS firewall sets conf.all.forwarding=false via mkDefault, which overrides ip_forward=1. Use normal priority to beat mkDefault. Co-Authored-By: Claude Opus 4.6 (1M context) --- nixos/networks/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/networks/config.nix b/nixos/networks/config.nix index faaafba..37bf6a9 100644 --- a/nixos/networks/config.nix +++ b/nixos/networks/config.nix @@ -286,5 +286,6 @@ in { config.systemd.services = namespaceGlobalService // networkServices; config.systemd.targets = networkTargets; - config.boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; + config.boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; + config.boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = lib.mkForce true; }
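Review bot: Both sysctls are set with `lib.mkForce`, while the commit message says normal priority is enough to beat the firewall's `mkDefault`. With `mkForce`, a host that turns forwarding off on purpose at normal priority (a hardening profile, for instance) is silently overridden. Plain assignments, `config.boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` and `config.boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;`, match the stated intent. From the visible lines the setting does not depend on any namespace being defined, so importing the module appears to enable forwarding on all interfaces; wrapping it in `lib.mkIf` on the namespace option would limit that. The module body starts outside the hunk.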