{ config, pkgs, lib, vmixLib, ... }: with lib; with vmixLib.network; let vmixCfg = config.vmix; mkShortIfaceName = prefix: seed: "${prefix}-${builtins.substring 0 8 (builtins.hashString "sha256" seed)}"; mkServices4aVMInNamespace = spaceName: vmName: cfg: let vmCfg = cfg // { name = vmName; }; netCfg = vmCfg.networks; mkTap4aLan = lanName: tapCfg: let tapInterfaceName = mkShortIfaceName "vt" "${spaceName}-${vmCfg.name}-${lanName}"; lanInterfaceName = "brx-${lanName}"; in { name = lanName; iface = tapInterfaceName; mac = tapCfg.mac; create = '' ip tuntap add dev ${tapInterfaceName} mode tap ip link set dev ${tapInterfaceName} up ip link set dev ${tapInterfaceName} master ${lanInterfaceName} '' + lib.optionalString (tapCfg.ip != null) '' # Make the static ip somehow part of the script so nixOs thinks the service has changed when the IP changes, which will trigger a VM restart. # So whenever IP changes, VM will restart automatically # The IP is actually bein assigned to VM by dnsmasq, when VM requests it via DHCP # Static IP - ${tapCfg.ip} ''; delete = '' ip link del ${tapInterfaceName} ''; }; mkMacvtap = macvtapName: macvtapVmCfg: let macvtapNetworkCfg = config.vmix.namespaces.${spaceName}.networks.macvtaps.${macvtapName}; macvtapInterfaceName = mkShortIfaceName "mt" "${spaceName}-${vmCfg.name}-${macvtapNetworkCfg.uplink.iface}-${macvtapName}"; uplinkNamespaceArg = lib.optionalString (macvtapNetworkCfg.uplink.namespace != null) "-n ${macvtapNetworkCfg.uplink.namespace}"; in { name = macvtapName; iface = macvtapInterfaceName; mac = macvtapVmCfg.mac; create = '' ip ${uplinkNamespaceArg} link add link ${macvtapNetworkCfg.uplink.iface} name ${macvtapInterfaceName} type macvtap mode bridge ${lib.optionalString (macvtapVmCfg.mac != null) "ip ${uplinkNamespaceArg} link set dev ${macvtapInterfaceName} address ${macvtapVmCfg.mac}"} ip ${uplinkNamespaceArg} link set ${macvtapInterfaceName} netns ${spaceName}.vmix ip -n ${spaceName}.vmix link set dev ${macvtapInterfaceName} up ''; delete = '' ip -n ${spaceName}.vmix link del ${macvtapInterfaceName} ''; }; allTaps = (mapAttrsToList mkTap4aLan netCfg.lans); allMacvtaps = (mapAttrsToList mkMacvtap netCfg.macvtaps); createTapsforLansScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" ( concatStringsSep "\n" (builtins.map (tap: tap.create) allTaps) ); deleteTapsforLansScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" ( concatStringsSep "\n" (builtins.map (tap: tap.delete) allTaps) ); createMacvTapsScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" ( concatStringsSep "\n" (builtins.map (macvtap: macvtap.create) allMacvtaps) ); deleteMacvTapsScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" ( concatStringsSep "\n" (builtins.map (macvtap: macvtap.delete) allMacvtaps) ); hasOsDisk = vmCfg.disks.os.file != null; # Auto-detect Windows from _vmixOsType marker on the disk image isWindows = vmCfg.windows.enable || (hasOsDisk && (vmCfg.disks.os.file._vmixOsType or "linux") == "windows"); # Linux VMs: apply customizeImage with 9p fstab and machine-id setup linuxOsImage = vmixLib.linux.customizeImage vmCfg.disks.os.file { name = vmCfg.name; commands = '' truncate /etc/machine-id run-command systemd-machine-id-setup run-command ssh-keygen -A run ${vmixLib.linux.scriptsNFiles.add-9p-mounts-to-fstab vmCfg.shares} ''; }; # Windows VMs: use disk image as-is (customization done at image build time) storeImage = if !hasOsDisk then null else if isWindows then vmCfg.disks.os.file else linuxOsImage; # When persist = true, QEMU needs a mutable disk outside /nix/store. # The store image is copied to persistPath on first boot. osDiskPath = if !hasOsDisk then null else if vmCfg.disks.os.persist then vmCfg.disks.os.persistPath else toString storeImage; # Script to seed the persistent disk from the store image on first boot seedPersistentDiskScript = pkgs.writeShellScript "${vmCfg.name}-seed-disk-vmix" '' PERSIST_PATH="${vmCfg.disks.os.persistPath}" if [ ! -f "$PERSIST_PATH" ]; then echo "Seeding persistent disk from store image..." mkdir -p "$(dirname "$PERSIST_PATH")" cp --no-preserve=mode "${toString storeImage}" "$PERSIST_PATH" chmod 600 "$PERSIST_PATH" fi ''; persistExecStartPre = lib.optional (hasOsDisk && vmCfg.disks.os.persist) seedPersistentDiskScript; # QEMU expects single-letter boot codes (e.g. c,d,n), while vmix uses readable names. bootOrderQemu = let bootDeviceAliases = { os = "c"; iso = "d"; net = "n"; floppy = "a"; }; in concatStrings (builtins.map (device: bootDeviceAliases.${device}) vmCfg.boot.order); spiceUsbRedirArgs = if vmCfg.spice.enable && vmCfg.spice.usbRedir.enable then concatStringsSep " \\\n " ([ "-device qemu-xhci,id=spice-usb-xhci" ] ++ (concatMap (i: [ "-chardev spicevmc,name=usbredir,id=spice-usbredirchardev${toString i}" "-device usb-redir,chardev=spice-usbredirchardev${toString i},id=spice-usbredirdev${toString i}" ]) (range 1 vmCfg.spice.usbRedir.channels))) else ""; vncArgs = concatStringsSep "," ( [ "${vmCfg.vnc.addr}:${toString (vmCfg.vnc.port - 5900)}" "share=${vmCfg.vnc.sharePolicy}" ] ++ optional (vmCfg.vnc.websocketPort != null) "websocket=${toString vmCfg.vnc.websocketPort}" ++ optional (vmCfg.vnc.passwordFile != null) "password-secret=vnc-pass-${vmCfg.name}" ); qemuStartVMScript = pkgs.writeShellScript "${vmCfg.name}-qemu-vmix" '' ${optionalString vmCfg.vnc.enable '' ${optionalString (vmCfg.vnc.passwordFile != null) '' if [ ! -r ${escapeShellArg vmCfg.vnc.passwordFile} ]; then echo "VNC password file is not readable: ${vmCfg.vnc.passwordFile}" >&2 exit 1 fi if [ ! -s ${escapeShellArg vmCfg.vnc.passwordFile} ]; then echo "VNC password file is empty: ${vmCfg.vnc.passwordFile}" >&2 exit 1 fi ''} ''} ${optionalString vmCfg.spice.enable '' ${optionalString (vmCfg.spice.passwordFile != null) '' if [ ! -r ${escapeShellArg vmCfg.spice.passwordFile} ]; then echo "SPICE password file is not readable: ${vmCfg.spice.passwordFile}" >&2 exit 1 fi if [ ! -s ${escapeShellArg vmCfg.spice.passwordFile} ]; then echo "SPICE password file is empty: ${vmCfg.spice.passwordFile}" >&2 exit 1 fi ''} ''} exec qemu-system-${vmCfg.arch} \ ${if vmCfg.nographic && vmCfg.pci.passthrough != [] then "-display none -vga none" else optionalString vmCfg.nographic "-nographic"} \ ${optionalString (vmCfg.vnc.enable && vmCfg.vnc.passwordFile != null) "-object secret,id=vnc-pass-${vmCfg.name},file=${escapeShellArg vmCfg.vnc.passwordFile}"} \ ${optionalString vmCfg.vnc.enable "-vnc ${vncArgs}"} \ ${optionalString (vmCfg.spice.enable && vmCfg.spice.passwordFile != null) "-object secret,id=spice-pass-${vmCfg.name},file=${escapeShellArg vmCfg.spice.passwordFile}"} \ ${optionalString vmCfg.spice.enable "-spice addr=${vmCfg.spice.addr},port=${toString vmCfg.spice.port}${optionalString (vmCfg.spice.passwordFile == null) ",disable-ticketing=on"}${optionalString (vmCfg.spice.passwordFile != null) ",password-secret=spice-pass-${vmCfg.name}"}"} \ ${optionalString vmCfg.spice.enable "-vga ${vmCfg.spice.displayDevice}"} \ ${optionalString (vmCfg.spice.enable && vmCfg.spice.agent.enable) "-device virtio-serial-pci -chardev spicevmc,id=vdagent,debug=0,name=vdagent -device virtserialport,chardev=vdagent,name=com.redhat.spice.0"} \ ${# Guest agent channel — prevents qemu-ga from spinning when virtio-win guest tools are installed optionalString isWindows "${optionalString (!vmCfg.spice.enable || !vmCfg.spice.agent.enable) "-device virtio-serial-pci"} -chardev socket,path=/tmp/qga-${vmCfg.name}.sock,server=on,wait=off,id=qga0 -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0"} \ ${spiceUsbRedirArgs} \ ${optionalString vmCfg.kvm "-accel kvm"} \ -name ${vmCfg.name} \ -m ${toString vmCfg.mem.size} \ ${optionalString vmCfg.mem.balloon "-device virtio-balloon-pci"} \ -smp cores=${toString vmCfg.cpu.cores} \ -cpu ${vmCfg.cpu.model}${optionalString vmCfg.cpu.hideVirtualized ",kvm=off,hv_vendor_id=1234567890ab,-hypervisor"} \ -machine type=${vmCfg.pc.type}${optionalString vmCfg.cpu.hideVirtualized ",kernel_irqchip=on"} \ ${optionalString vmCfg.bios.efi "-bios ${pkgs.OVMF.fd}/FV/OVMF.fd"} \ ${optionalString vmCfg.bios.tpm "-chardev socket,id=chrtpm,path=/tmp/mytpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"} \ ${# Windows: localtime RTC, USB tablet for mouse, disable S3/S4 sleep optionalString isWindows '' -rtc base=localtime,clock=host \ -device qemu-xhci -device usb-tablet \ -global ICH9-LMB.disable_s3=1 -global ICH9-LMB.disable_s4=1 \ ''} \ ${optionalString hasOsDisk "-drive file=${osDiskPath},format=qcow2,if=virtio${optionalString (vmCfg.disks.os.persist == false) ",snapshot=on"}"} \ ${optionalString (vmCfg.disks.iso.file != null) "-drive file=${toString vmCfg.disks.iso.file},media=cdrom,readonly=on"} \ ${concatMapStrings (diskCfg: '' -drive file=${toString diskCfg.file},format=${diskCfg.format},if=${vmCfg.disks.bus} \ '') (attrValues vmCfg.disks.add)} \ ${concatStrings (mapAttrsToList (shareName: shareCfg: '' -virtfs local,path=${toString shareCfg.source},security_model=passthrough,mount_tag=${shareName} \ '') vmCfg.shares)} \ ${optionalString cfg.networks.user.enable " -netdev user,id=user \ -device virtio-net-pci,netdev=user \ "} \ ${concatMapStrings (tapCfg: '' -device virtio-net-pci,netdev=lan-${tapCfg.name},mac=${tapCfg.mac} \ -netdev tap,id=lan-${tapCfg.name},ifname=${tapCfg.iface},script=no,downscript=no \ '') allTaps} \ ${concatStrings (imap1 (i: macvtap: '' -device virtio-net-pci,netdev=macvtap-${macvtap.name},mac=$(ip l show ${macvtap.iface} | awk '/link\/ether/{print $2}') \ -netdev tap,id=macvtap-${macvtap.name},fd=${toString (i+2)} ${toString (i+2)}<>/dev/tap$(ip l show ${macvtap.iface} | awk -F':' '/${macvtap.iface}/{print $1}') \ '') allMacvtaps)} \ ${concatStrings (imap1 (i: pciAddr: '' -device pcie-root-port,id=pci-passthrough${toString i},chassis=${toString i},slot=${toString i} \ -device vfio-pci,host=${pciAddr},bus=pci-passthrough${toString i}${optionalString (i == 1) ",x-vga=on${optionalString (vmCfg.pci.romFile != null) ",romfile=${vmCfg.pci.romFile}"}"} \ '') vmCfg.pci.passthrough)} \ ${concatMapStrings (usbDev: '' -device usb-host,vendorid=0x${usbDev.vendorId},productid=0x${usbDev.productId} \ '') vmCfg.usb.hostDevices} \ ${optionalString (vmCfg.boot.menu == true) "-boot menu=on"} \ ${optionalString (length vmCfg.boot.order > 0) "-boot order=${bootOrderQemu}"} \ ''; in lib.optionalAttrs (cfg.enable) { "vm.vmix@${vmCfg.name}" = rec { bindsTo = [ "net.vmix@${spaceName}.target" "macvtaps.vm.vmix@${vmCfg.name}.service" ]; unitConfig.JoinsNamespaceOf = "ns.net.vmix@${spaceName}.service"; after = bindsTo; path = with pkgs; [ iproute2 qemu gawk coreutils ]; serviceConfig = { ExecStartPre = persistExecStartPre ++ [ createTapsforLansScript ]; ExecStart = qemuStartVMScript; ExecStopPost = deleteTapsforLansScript; PrivateTmp = true; ProtectSystem = true; ProtectHome = true; PrivateNetwork = true; } // lib.optionalAttrs (vmCfg.pci.passthrough != []) { # VFIO passthrough needs raw device access — relax sandboxing ProtectSystem = lib.mkForce false; SupplementaryGroups = [ "kvm" ]; }; wantedBy = lib.mkIf vmCfg.autostart [ "multi-user.target" ]; }; "macvtaps.vm.vmix@${vmCfg.name}" = rec { bindsTo = [ "net.vmix@${spaceName}.target" ]; after = bindsTo; partOf = [ "vm.vmix@${vmCfg.name}.service" ]; path = with pkgs; [ iproute2 ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStart = createMacvTapsScript; ExecStop = deleteMacvTapsScript; }; }; }; vmServices = concatMapAttrs (spaceName: namespaceCfg: (concatMapAttrs (mkServices4aVMInNamespace spaceName) namespaceCfg.vms)) vmixCfg.namespaces; in { config.systemd.services = vmServices; }