author | Alyssa Ross <hi@alyssa.is> | 2024-03-22 16:41:59 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2024-03-22 16:41:59 +0100 |
commit | 46a88117a05c3469af5d99433af140c3de8ca088 (patch) | |
tree | d7f0557756d8f07a3081b3498c05ddc5a8ad429d /nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix | |
parent | e97457545cea0b2ca421da257c83d8f1ef451d85 (diff) | |
parent | a343533bccc62400e8a9560423486a3b6c11a23b (diff) | |
Merge commit 'a343533bccc62400e8a9560423486a3b6c11a23b'
Diffstat (limited to 'nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix')
-rw-r--r-- | nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix | 51 |
1 files changed, 44 insertions, 7 deletions
diff --git a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix
index 50a8f8189590..0ecf7f490cf6 100644
--- a/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix
@@ -6,7 +6,7 @@ let
 cfg = config.virtualisation.virtualbox.host;
 virtualbox = cfg.package.override {
- inherit (cfg) enableHardening headless enableWebService;
+ inherit (cfg) enableHardening headless enableWebService enableKvm;
 extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
 };
@@ -81,13 +81,24 @@ in
 Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.
 '';
 };
+
+ enableKvm = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Enable KVM support for VirtualBox. This increases compatibility with Linux kernel versions, because the VirtualBox kernel modules
+ are not required.
+
+ This option is incompatible with `enableHardening` and `addNetworkInterface`.
+
+ Note: This is experimental. Please check https://github.com/cyberus-technology/virtualbox-kvm/issues.
+ '';
+ };
 };
 config = mkIf cfg.enable (mkMerge [{
 warnings = mkIf (pkgs.config.virtualbox.enableExtensionPack or false) ["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"];
- boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
- boot.extraModulePackages = [ kernelModules ];
 environment.systemPackages = [ virtualbox ];
 security.wrappers = let
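Review bot: The new `enableKvm` description states that the option is incompatible with `enableHardening` and `addNetworkInterface` but does not say what the user must do, and whether enabling `enableKvm` on its own even evaluates depends on the defaults of those two options, which are outside this hunk; if `enableHardening` defaults to true, a bare `enableKvm = true` will be rejected by the assertion added later in this diff. The description should make the required configuration explicit, e.g. `Requires `enableHardening = false` and `addNetworkInterface = false`; the module asserts this.`. It should also name the trade-off rather than only the convenience: the KVM path runs VirtualBox without whatever protections `enableHardening` provides, so a sentence such as `Enabling this disables the hardening normally applied to the VirtualBox binaries; review whether that is acceptable for your host.` belongs here alongside the experimental-status note.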
@@ -114,17 +125,43 @@ in
 services.udev.extraRules =
 ''
- KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
- KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
- KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
 SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
 SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
 SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
 SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
 '';
+ } (mkIf cfg.enableKvm {
+ assertions = [
+ {
+ assertion = !cfg.addNetworkInterface;
+ message = "VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInferface.";
+ }
+
+ {
+ assertion = !cfg.enableHardening;
+ message = "VirtualBox KVM is not compatible with hardening: Please turn off virtualisation.virtualbox.host.enableHardening.";
+ }
+ ];
+
+ warnings = [
+ ''
+ KVM support in VirtualBox is experimental. Not all security features are available yet.
+ See: https://github.com/cyberus-technology/virtualbox-kvm/issues/12
+ ''
+ ];
+ }) (mkIf (!cfg.enableKvm) {
+ boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
+ boot.extraModulePackages = [ kernelModules ];
+
+ services.udev.extraRules =
+ ''
+ KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
+ KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
+ KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
+ '';
 # Since we lack the right setuid/setcap binaries, set up a host-only network by default.
- } (mkIf cfg.addNetworkInterface {
+ }) (mkIf cfg.addNetworkInterface {
 systemd.services.vboxnet0 = {
 description = "VirtualBox vboxnet0 Interface";
 requires = [ "dev-vboxnetctl.device" ];
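Review bot: The first assertion message in the new `mkIf cfg.enableKvm` block names a misspelled option, `virtualisation.virtualbox.host.addNetworkInferface`, so the remediation it tells the user to apply does not exist; it should read `message = "VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInterface.";`. Requiring `enableHardening = false` via an assertion is the right shape, since it makes the security downgrade an explicit user decision rather than a silent override, but the accompanying warning only says "not all security features are available yet"; stating in the warning that the hardening normally applied to VirtualBox is disabled in KVM mode would make the trade-off visible in the activation output. The `!cfg.enableKvm` branch still grants `vboxusers` access to `vboxdrv` through udev, whereas the KVM branch adds no corresponding rule or group for `/dev/kvm`; presumably users are expected to obtain that access elsewhere, but it is worth confirming and documenting. The `addNetworkInterface` block that this hunk reopens continues past the end of the hunk.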