Git Sagar
4226f6fdfd
When spice.vgamem is set (e.g. 64), uses -device qxl-vga,vgamem_mb=N instead of -vga qxl (which defaults to 16MB). When null (default), uses -vga qxl for backwards compatibility. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
272 lines
14 KiB
Nix
272 lines
14 KiB
Nix
{ config, pkgs, lib, vmixLib, ... }:
|
|
with lib;
|
|
with vmixLib.network;
|
|
let
|
|
vmixCfg = config.vmix;
|
|
mkShortIfaceName = prefix: seed: "${prefix}-${builtins.substring 0 8 (builtins.hashString "sha256" seed)}";
|
|
|
|
mkServices4aVMInNamespace = spaceName: vmName: cfg:
|
|
let
|
|
vmCfg = cfg // { name = vmName; };
|
|
netCfg = vmCfg.networks;
|
|
|
|
mkTap4aLan = lanName: tapCfg:
|
|
let
|
|
tapInterfaceName = mkShortIfaceName "vt" "${spaceName}-${vmCfg.name}-${lanName}";
|
|
lanInterfaceName = "brx-${lanName}";
|
|
in
|
|
{
|
|
name = lanName;
|
|
iface = tapInterfaceName;
|
|
mac = tapCfg.mac;
|
|
create = ''
|
|
ip tuntap add dev ${tapInterfaceName} mode tap
|
|
ip link set dev ${tapInterfaceName} up
|
|
ip link set dev ${tapInterfaceName} master ${lanInterfaceName}
|
|
'' + lib.optionalString (tapCfg.ip != null) ''
|
|
# Make the static ip somehow part of the script so nixOs thinks the service has changed when the IP changes, which will trigger a VM restart.
|
|
# So whenever IP changes, VM will restart automatically
|
|
# The IP is actually bein assigned to VM by dnsmasq, when VM requests it via DHCP
|
|
# Static IP - ${tapCfg.ip}
|
|
'';
|
|
delete = ''
|
|
ip link del ${tapInterfaceName}
|
|
'';
|
|
};
|
|
|
|
mkMacvtap = macvtapName: macvtapVmCfg:
|
|
let
|
|
macvtapNetworkCfg = config.vmix.namespaces.${spaceName}.networks.macvtaps.${macvtapName};
|
|
macvtapInterfaceName = mkShortIfaceName "mt" "${spaceName}-${vmCfg.name}-${macvtapNetworkCfg.uplink.iface}-${macvtapName}";
|
|
uplinkNamespaceArg = lib.optionalString (macvtapNetworkCfg.uplink.namespace != null) "-n ${macvtapNetworkCfg.uplink.namespace}";
|
|
in
|
|
{
|
|
name = macvtapName;
|
|
iface = macvtapInterfaceName;
|
|
mac = macvtapVmCfg.mac;
|
|
|
|
create = ''
|
|
ip ${uplinkNamespaceArg} link add link ${macvtapNetworkCfg.uplink.iface} name ${macvtapInterfaceName} type macvtap mode bridge
|
|
${lib.optionalString (macvtapVmCfg.mac != null) "ip ${uplinkNamespaceArg} link set dev ${macvtapInterfaceName} address ${macvtapVmCfg.mac}"}
|
|
ip ${uplinkNamespaceArg} link set ${macvtapInterfaceName} netns ${spaceName}.vmix
|
|
ip -n ${spaceName}.vmix link set dev ${macvtapInterfaceName} up
|
|
'';
|
|
delete = ''
|
|
ip -n ${spaceName}.vmix link del ${macvtapInterfaceName}
|
|
'';
|
|
};
|
|
|
|
allTaps = (mapAttrsToList mkTap4aLan netCfg.lans);
|
|
allMacvtaps = (mapAttrsToList mkMacvtap netCfg.macvtaps);
|
|
|
|
createTapsforLansScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" (
|
|
concatStringsSep "\n" (builtins.map (tap: tap.create) allTaps)
|
|
);
|
|
|
|
deleteTapsforLansScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" (
|
|
concatStringsSep "\n" (builtins.map (tap: tap.delete) allTaps)
|
|
);
|
|
|
|
createMacvTapsScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" (
|
|
concatStringsSep "\n" (builtins.map (macvtap: macvtap.create) allMacvtaps)
|
|
);
|
|
|
|
deleteMacvTapsScript = pkgs.writeShellScript "${vmCfg.name}-taps-vmix" (
|
|
concatStringsSep "\n" (builtins.map (macvtap: macvtap.delete) allMacvtaps)
|
|
);
|
|
|
|
hasOsDisk = vmCfg.disks.os.file != null;
|
|
|
|
# Auto-detect Windows from _vmixOsType marker on the disk image
|
|
isWindows = vmCfg.windows.enable || (hasOsDisk && (vmCfg.disks.os.file._vmixOsType or "linux") == "windows");
|
|
|
|
# Linux VMs: apply customizeImage with 9p fstab and machine-id setup
|
|
linuxOsImage = vmixLib.linux.customizeImage vmCfg.disks.os.file {
|
|
name = vmCfg.name;
|
|
commands = ''
|
|
truncate /etc/machine-id
|
|
run-command systemd-machine-id-setup
|
|
run-command ssh-keygen -A
|
|
run ${vmixLib.linux.scriptsNFiles.add-9p-mounts-to-fstab vmCfg.shares}
|
|
'';
|
|
};
|
|
|
|
# Windows VMs: use disk image as-is (customization done at image build time)
|
|
storeImage = if !hasOsDisk then null
|
|
else if isWindows then vmCfg.disks.os.file
|
|
else linuxOsImage;
|
|
|
|
# When persist = true, QEMU needs a mutable disk outside /nix/store.
|
|
# The store image is copied to persistPath on first boot.
|
|
osDiskPath = if !hasOsDisk then null
|
|
else if vmCfg.disks.os.persist then vmCfg.disks.os.persistPath
|
|
else toString storeImage;
|
|
|
|
# Script to seed the persistent disk from the store image on first boot
|
|
seedPersistentDiskScript = pkgs.writeShellScript "${vmCfg.name}-seed-disk-vmix" ''
|
|
PERSIST_PATH="${vmCfg.disks.os.persistPath}"
|
|
if [ ! -f "$PERSIST_PATH" ]; then
|
|
echo "Seeding persistent disk from store image..."
|
|
mkdir -p "$(dirname "$PERSIST_PATH")"
|
|
cp --no-preserve=mode "${toString storeImage}" "$PERSIST_PATH"
|
|
chmod 600 "$PERSIST_PATH"
|
|
fi
|
|
'';
|
|
|
|
persistExecStartPre = lib.optional (hasOsDisk && vmCfg.disks.os.persist) seedPersistentDiskScript;
|
|
|
|
# QEMU expects single-letter boot codes (e.g. c,d,n), while vmix uses readable names.
|
|
bootOrderQemu =
|
|
let
|
|
bootDeviceAliases = {
|
|
os = "c";
|
|
iso = "d";
|
|
net = "n";
|
|
floppy = "a";
|
|
};
|
|
in
|
|
concatStrings (builtins.map (device: bootDeviceAliases.${device}) vmCfg.boot.order);
|
|
|
|
spiceUsbRedirArgs =
|
|
if vmCfg.spice.enable && vmCfg.spice.usbRedir.enable then
|
|
concatStringsSep " \\\n " ([
|
|
"-device qemu-xhci,id=spice-usb-xhci"
|
|
] ++ (concatMap (i: [
|
|
"-chardev spicevmc,name=usbredir,id=spice-usbredirchardev${toString i}"
|
|
"-device usb-redir,chardev=spice-usbredirchardev${toString i},id=spice-usbredirdev${toString i}"
|
|
]) (range 1 vmCfg.spice.usbRedir.channels)))
|
|
else
|
|
"";
|
|
|
|
vncArgs = concatStringsSep "," (
|
|
[
|
|
"${vmCfg.vnc.addr}:${toString (vmCfg.vnc.port - 5900)}"
|
|
"share=${vmCfg.vnc.sharePolicy}"
|
|
]
|
|
++ optional (vmCfg.vnc.websocketPort != null) "websocket=${toString vmCfg.vnc.websocketPort}"
|
|
++ optional (vmCfg.vnc.passwordFile != null) "password-secret=vnc-pass-${vmCfg.name}"
|
|
);
|
|
|
|
qemuStartVMScript = pkgs.writeShellScript "${vmCfg.name}-qemu-vmix" ''
|
|
${optionalString vmCfg.vnc.enable ''
|
|
${optionalString (vmCfg.vnc.passwordFile != null) ''
|
|
if [ ! -r ${escapeShellArg vmCfg.vnc.passwordFile} ]; then
|
|
echo "VNC password file is not readable: ${vmCfg.vnc.passwordFile}" >&2
|
|
exit 1
|
|
fi
|
|
if [ ! -s ${escapeShellArg vmCfg.vnc.passwordFile} ]; then
|
|
echo "VNC password file is empty: ${vmCfg.vnc.passwordFile}" >&2
|
|
exit 1
|
|
fi
|
|
''}
|
|
''}
|
|
${optionalString vmCfg.spice.enable ''
|
|
${optionalString (vmCfg.spice.passwordFile != null) ''
|
|
if [ ! -r ${escapeShellArg vmCfg.spice.passwordFile} ]; then
|
|
echo "SPICE password file is not readable: ${vmCfg.spice.passwordFile}" >&2
|
|
exit 1
|
|
fi
|
|
if [ ! -s ${escapeShellArg vmCfg.spice.passwordFile} ]; then
|
|
echo "SPICE password file is empty: ${vmCfg.spice.passwordFile}" >&2
|
|
exit 1
|
|
fi
|
|
''}
|
|
''}
|
|
exec qemu-system-${vmCfg.arch} \
|
|
${if vmCfg.nographic && vmCfg.pci.passthrough != [] then "-display none -vga none" else optionalString vmCfg.nographic "-nographic"} \
|
|
${optionalString (vmCfg.vnc.enable && vmCfg.vnc.passwordFile != null) "-object secret,id=vnc-pass-${vmCfg.name},file=${escapeShellArg vmCfg.vnc.passwordFile}"} \
|
|
${optionalString vmCfg.vnc.enable "-vnc ${vncArgs}"} \
|
|
${optionalString (vmCfg.spice.enable && vmCfg.spice.passwordFile != null) "-object secret,id=spice-pass-${vmCfg.name},file=${escapeShellArg vmCfg.spice.passwordFile}"} \
|
|
${optionalString vmCfg.spice.enable "-spice addr=${vmCfg.spice.addr},port=${toString vmCfg.spice.port}${optionalString (vmCfg.spice.passwordFile == null) ",disable-ticketing=on"}${optionalString (vmCfg.spice.passwordFile != null) ",password-secret=spice-pass-${vmCfg.name}"}"} \
|
|
${optionalString vmCfg.spice.enable (if vmCfg.spice.displayDevice == "qxl" && vmCfg.spice.vgamem != null then "-vga none -device qxl-vga,vgamem_mb=${toString vmCfg.spice.vgamem}" else "-vga ${vmCfg.spice.displayDevice}")} \
|
|
${optionalString (vmCfg.spice.enable && vmCfg.spice.agent.enable) "-device virtio-serial-pci -chardev spicevmc,id=vdagent,debug=0,name=vdagent -device virtserialport,chardev=vdagent,name=com.redhat.spice.0"} \
|
|
${# Guest agent channel — prevents qemu-ga from spinning when virtio-win guest tools are installed
|
|
optionalString isWindows "${optionalString (!vmCfg.spice.enable || !vmCfg.spice.agent.enable) "-device virtio-serial-pci"} -chardev socket,path=/tmp/qga-${vmCfg.name}.sock,server=on,wait=off,id=qga0 -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0"} \
|
|
${spiceUsbRedirArgs} \
|
|
${optionalString vmCfg.kvm "-accel kvm"} \
|
|
-name ${vmCfg.name} \
|
|
-m ${toString vmCfg.mem.size} \
|
|
${optionalString vmCfg.mem.balloon "-device virtio-balloon-pci"} \
|
|
-smp cores=${toString vmCfg.cpu.cores} \
|
|
-cpu ${vmCfg.cpu.model}${optionalString vmCfg.cpu.hideVirtualized ",kvm=off,hv_vendor_id=1234567890ab,-hypervisor"} \
|
|
-machine type=${vmCfg.pc.type}${optionalString vmCfg.cpu.hideVirtualized ",kernel_irqchip=on"} \
|
|
${optionalString vmCfg.bios.efi "-bios ${pkgs.OVMF.fd}/FV/OVMF.fd"} \
|
|
${optionalString vmCfg.bios.tpm "-chardev socket,id=chrtpm,path=/tmp/mytpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"} \
|
|
${# Windows: localtime RTC, USB tablet for mouse, disable S3/S4 sleep
|
|
optionalString isWindows ''
|
|
-rtc base=localtime,clock=host \
|
|
-device qemu-xhci -device usb-tablet \
|
|
-global ICH9-LMB.disable_s3=1 -global ICH9-LMB.disable_s4=1 \
|
|
''} \
|
|
${optionalString hasOsDisk "-drive file=${osDiskPath},format=qcow2,if=virtio${optionalString (vmCfg.disks.os.persist == false) ",snapshot=on"}"} \
|
|
${optionalString (vmCfg.disks.iso.file != null) "-drive file=${toString vmCfg.disks.iso.file},media=cdrom,readonly=on"} \
|
|
${concatMapStrings (diskCfg: ''
|
|
-drive file=${toString diskCfg.file},format=${diskCfg.format},if=${vmCfg.disks.bus} \
|
|
'') (attrValues vmCfg.disks.add)} \
|
|
${concatStrings (mapAttrsToList (shareName: shareCfg: ''
|
|
-virtfs local,path=${toString shareCfg.source},security_model=passthrough,mount_tag=${shareName} \
|
|
'') vmCfg.shares)} \
|
|
${optionalString cfg.networks.user.enable "
|
|
-netdev user,id=user \
|
|
-device virtio-net-pci,netdev=user \
|
|
"} \
|
|
${concatMapStrings (tapCfg: ''
|
|
-device virtio-net-pci,netdev=lan-${tapCfg.name},mac=${tapCfg.mac} \
|
|
-netdev tap,id=lan-${tapCfg.name},ifname=${tapCfg.iface},script=no,downscript=no \
|
|
'') allTaps} \
|
|
${concatStrings (imap1 (i: macvtap: ''
|
|
-device virtio-net-pci,netdev=macvtap-${macvtap.name},mac=$(ip l show ${macvtap.iface} | awk '/link\/ether/{print $2}') \
|
|
-netdev tap,id=macvtap-${macvtap.name},fd=${toString (i+2)} ${toString (i+2)}<>/dev/tap$(ip l show ${macvtap.iface} | awk -F':' '/${macvtap.iface}/{print $1}') \
|
|
'') allMacvtaps)} \
|
|
${concatStrings (imap1 (i: pciAddr: ''
|
|
-device pcie-root-port,id=pci-passthrough${toString i},chassis=${toString i},slot=${toString i} \
|
|
-device vfio-pci,host=${pciAddr},bus=pci-passthrough${toString i}${optionalString (i == 1) ",x-vga=on${optionalString (vmCfg.pci.romFile != null) ",romfile=${vmCfg.pci.romFile}"}"} \
|
|
'') vmCfg.pci.passthrough)} \
|
|
${concatMapStrings (usbDev: ''
|
|
-device usb-host,vendorid=0x${usbDev.vendorId},productid=0x${usbDev.productId} \
|
|
'') vmCfg.usb.hostDevices} \
|
|
${optionalString (vmCfg.boot.menu == true) "-boot menu=on"} \
|
|
${optionalString (length vmCfg.boot.order > 0) "-boot order=${bootOrderQemu}"} \
|
|
'';
|
|
in
|
|
lib.optionalAttrs (cfg.enable) {
|
|
"vm.vmix@${vmCfg.name}" = rec {
|
|
bindsTo = [ "net.vmix@${spaceName}.target" ] ++ lib.optional (allMacvtaps != []) "macvtaps.vm.vmix@${vmCfg.name}.service";
|
|
unitConfig.JoinsNamespaceOf = "ns.net.vmix@${spaceName}.service";
|
|
after = bindsTo;
|
|
path = with pkgs; [ iproute2 qemu gawk coreutils ];
|
|
serviceConfig = {
|
|
ExecStartPre = persistExecStartPre ++ [ createTapsforLansScript ];
|
|
ExecStart = qemuStartVMScript;
|
|
ExecStopPost = deleteTapsforLansScript;
|
|
PrivateTmp = true;
|
|
ProtectSystem = true;
|
|
ProtectHome = true;
|
|
PrivateNetwork = true;
|
|
} // lib.optionalAttrs (vmCfg.pci.passthrough != []) {
|
|
# VFIO passthrough needs raw device access — relax sandboxing
|
|
ProtectSystem = lib.mkForce false;
|
|
SupplementaryGroups = [ "kvm" ];
|
|
};
|
|
wantedBy = lib.mkIf vmCfg.autostart [ "multi-user.target" ];
|
|
};
|
|
} // lib.optionalAttrs (allMacvtaps != []) {
|
|
"macvtaps.vm.vmix@${vmCfg.name}" = rec {
|
|
bindsTo = [ "net.vmix@${spaceName}.target" ];
|
|
after = bindsTo;
|
|
partOf = [ "vm.vmix@${vmCfg.name}.service" ];
|
|
path = with pkgs; [ iproute2 ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = createMacvTapsScript;
|
|
ExecStop = deleteMacvTapsScript;
|
|
};
|
|
};
|
|
};
|
|
|
|
vmServices = concatMapAttrs (spaceName: namespaceCfg: (concatMapAttrs (mkServices4aVMInNamespace spaceName) namespaceCfg.vms)) vmixCfg.namespaces;
|
|
in
|
|
{
|
|
config.systemd.services = vmServices;
|
|
}
|