cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

nixos/virtualbox-host: expose option to run with KVM

Browse source
This commit is contained in:
Julian Stecklina 2024-02-13 15:53:54 +01:00
parent 7dd125e9a0
commit a9822fa200
1 changed files with 44 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
nixos/modules/virtualisation/virtualbox-host.nix
View file

@ -6,7 +6,7 @@ let
cfg = config.virtualisation.virtualbox.host;
virtualbox = cfg.package.override {
inherit (cfg) enableHardening headless enableWebService;
inherit (cfg) enableHardening headless enableWebService enableKvm;
extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
};
@ -81,13 +81,24 @@ in
Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.
'';
};
enableKvm = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Enable KVM support for VirtualBox. This increases compatibility with Linux kernel versions, because the VirtualBox kernel modules
are not required.
This option is incompatible with `enableHardening` and `addNetworkInterface`.
Note: This is experimental. Please check https://github.com/cyberus-technology/virtualbox-kvm/issues.
'';
};
};
config = mkIf cfg.enable (mkMerge [{
warnings = mkIf (pkgs.config.virtualbox.enableExtensionPack or false)
["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"];
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
boot.extraModulePackages = [ kernelModules ];
environment.systemPackages = [ virtualbox ];
security.wrappers = let
@ -114,17 +125,43 @@ in
services.udev.extraRules =
''
KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
'';
} (mkIf cfg.enableKvm {
assertions = [
{
assertion = !cfg.addNetworkInterface;
message = "VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInferface.";
}
{
assertion = !cfg.enableHardening;
message = "VirtualBox KVM is not compatible with hardening: Please turn off virtualisation.virtualbox.host.enableHardening.";
}
];
warnings = [
''
KVM support in VirtualBox is experimental. Not all security features are available yet.
See: https://github.com/cyberus-technology/virtualbox-kvm/issues/12
''
];
}) (mkIf (!cfg.enableKvm) {
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
boot.extraModulePackages = [ kernelModules ];
services.udev.extraRules =
''
KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
'';
# Since we lack the right setuid/setcap binaries, set up a host-only network by default.
} (mkIf cfg.addNetworkInterface {
}) (mkIf cfg.addNetworkInterface {
systemd.services.vboxnet0 =
{ description = "VirtualBox vboxnet0 Interface";
requires = [ "dev-vboxnetctl.device" ];