-
-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
qemu-vm.nix
1284 lines (1134 loc) · 46.9 KB
/
qemu-vm.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# This module creates a virtual machine from the NixOS configuration.
# Building the `config.system.build.vm' attribute gives you a command
# that starts a KVM/QEMU VM running the NixOS configuration defined in
# `config'. By default, the Nix store is shared read-only with the
# host, which makes (re)building VMs very efficient.
{ config, lib, pkgs, options, ... }:
with lib;
let
qemu-common = import ../../lib/qemu-common.nix { inherit lib pkgs; };
cfg = config.virtualisation;
opt = options.virtualisation;
qemu = cfg.qemu.package;
hostPkgs = cfg.host.pkgs;
consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles;
driveOpts = { ... }: {
options = {
file = mkOption {
type = types.str;
description = "The file image used for this drive.";
};
driveExtraOpts = mkOption {
type = types.attrsOf types.str;
default = {};
description = "Extra options passed to drive flag.";
};
deviceExtraOpts = mkOption {
type = types.attrsOf types.str;
default = {};
description = "Extra options passed to device flag.";
};
name = mkOption {
type = types.nullOr types.str;
default = null;
description = "A name for the drive. Must be unique in the drives list. Not passed to qemu.";
};
};
};
selectPartitionTableLayout = { useEFIBoot, useDefaultFilesystems }:
if useDefaultFilesystems then
if useEFIBoot then "efi" else "legacy"
else "none";
driveCmdline = idx: { file, driveExtraOpts, deviceExtraOpts, ... }:
let
drvId = "drive${toString idx}";
mkKeyValue = generators.mkKeyValueDefault {} "=";
mkOpts = opts: concatStringsSep "," (mapAttrsToList mkKeyValue opts);
driveOpts = mkOpts (driveExtraOpts // {
index = idx;
id = drvId;
"if" = "none";
inherit file;
});
deviceOpts = mkOpts (deviceExtraOpts // {
drive = drvId;
});
device =
if cfg.qemu.diskInterface == "scsi" then
"-device lsi53c895a -device scsi-hd,${deviceOpts}"
else
"-device virtio-blk-pci,${deviceOpts}";
in
"-drive ${driveOpts} ${device}";
drivesCmdLine = drives: concatStringsSep "\\\n " (imap1 driveCmdline drives);
# Shell script to start the VM.
startVM =
''
#! ${hostPkgs.runtimeShell}
export PATH=${makeBinPath [ hostPkgs.coreutils ]}''${PATH:+:}$PATH
set -e
# Create an empty ext4 filesystem image. A filesystem image does not
# contain a partition table but just a filesystem.
createEmptyFilesystemImage() {
local name=$1
local size=$2
local temp=$(mktemp)
${qemu}/bin/qemu-img create -f raw "$temp" "$size"
${hostPkgs.e2fsprogs}/bin/mkfs.ext4 -L ${rootFilesystemLabel} "$temp"
${qemu}/bin/qemu-img convert -f raw -O qcow2 "$temp" "$name"
rm "$temp"
}
NIX_DISK_IMAGE=$(readlink -f "''${NIX_DISK_IMAGE:-${toString config.virtualisation.diskImage}}") || test -z "$NIX_DISK_IMAGE"
if test -n "$NIX_DISK_IMAGE" && ! test -e "$NIX_DISK_IMAGE"; then
echo "Disk image do not exist, creating the virtualisation disk image..."
${if (cfg.useBootLoader && cfg.useDefaultFilesystems) then ''
# Create a writable qcow2 image using the systemImage as a backing
# image.
# CoW prevent size to be attributed to an image.
# FIXME: raise this issue to upstream.
${qemu}/bin/qemu-img create \
-f qcow2 \
-b ${systemImage}/nixos.qcow2 \
-F qcow2 \
"$NIX_DISK_IMAGE"
'' else if cfg.useDefaultFilesystems then ''
createEmptyFilesystemImage "$NIX_DISK_IMAGE" "${toString cfg.diskSize}M"
'' else ''
# Create an empty disk image without a filesystem.
${qemu}/bin/qemu-img create -f qcow2 "$NIX_DISK_IMAGE" "${toString cfg.diskSize}M"
''
}
echo "Virtualisation disk image created."
fi
# Create a directory for storing temporary data of the running VM.
if [ -z "$TMPDIR" ] || [ -z "$USE_TMPDIR" ]; then
TMPDIR=$(mktemp -d nix-vm.XXXXXXXXXX --tmpdir)
fi
${lib.optionalString (cfg.useNixStoreImage) ''
echo "Creating Nix store image..."
${hostPkgs.gnutar}/bin/tar --create \
--absolute-names \
--verbatim-files-from \
--transform 'flags=rSh;s|/nix/store/||' \
--transform 'flags=rSh;s|~nix~case~hack~[[:digit:]]\+||g' \
--files-from ${hostPkgs.closureInfo { rootPaths = [ config.system.build.toplevel regInfo ]; }}/store-paths \
| ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
--quiet \
--force-uid=0 \
--force-gid=0 \
-L ${nixStoreFilesystemLabel} \
-U eb176051-bd15-49b7-9e6b-462e0b467019 \
-T 0 \
--tar=f \
"$TMPDIR"/store.img
echo "Created Nix store image."
''
}
# Create a directory for exchanging data with the VM.
mkdir -p "$TMPDIR/xchg"
${lib.optionalString cfg.useHostCerts
''
mkdir -p "$TMPDIR/certs"
if [ -e "$NIX_SSL_CERT_FILE" ]; then
cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt
else
echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled.
fi
''}
${lib.optionalString cfg.useEFIBoot
''
# Expose EFI variables, it's useful even when we are not using a bootloader (!).
# We might be interested in having EFI variable storage present even if we aren't booting via UEFI, hence
# no guard against `useBootLoader`. Examples:
# - testing PXE boot or other EFI applications
# - directbooting LinuxBoot, which `kexec()s` into a UEFI environment that can boot e.g. Windows
NIX_EFI_VARS=$(readlink -f "''${NIX_EFI_VARS:-${config.system.name}-efi-vars.fd}")
# VM needs writable EFI vars
if ! test -e "$NIX_EFI_VARS"; then
${if cfg.efi.keepVariables then
# We still need the EFI var from the make-disk-image derivation
# because our "switch-to-configuration" process might
# write into it and we want to keep this data.
''cp ${systemImage}/efi-vars.fd "$NIX_EFI_VARS"''
else
''cp ${cfg.efi.variables} "$NIX_EFI_VARS"''
}
chmod 0644 "$NIX_EFI_VARS"
fi
''}
${lib.optionalString cfg.tpm.enable ''
NIX_SWTPM_DIR=$(readlink -f "''${NIX_SWTPM_DIR:-${config.system.name}-swtpm}")
mkdir -p "$NIX_SWTPM_DIR"
${lib.getExe cfg.tpm.package} \
socket \
--tpmstate dir="$NIX_SWTPM_DIR" \
--ctrl type=unixio,path="$NIX_SWTPM_DIR"/socket,terminate \
--pid file="$NIX_SWTPM_DIR"/pid --daemon \
--tpm2 \
--log file="$NIX_SWTPM_DIR"/stdout,level=6
# Enable `fdflags` builtin in Bash
# We will need it to perform surgical modification of the file descriptor
# passed in the coprocess to remove `FD_CLOEXEC`, i.e. close the file descriptor
# on exec.
# If let alone, it will trigger the coprocess to read EOF when QEMU is `exec`
# at the end of this script. To work around that, we will just clear
# the `FD_CLOEXEC` bits as a first step.
enable -f ${hostPkgs.bash}/lib/bash/fdflags fdflags
# leave a dangling subprocess because the swtpm ctrl socket has
# "terminate" when the last connection disconnects, it stops swtpm.
# When qemu stops, or if the main shell process ends, the coproc will
# get signaled by virtue of the pipe between main and coproc ending.
# Which in turns triggers a socat connect-disconnect to swtpm which
# will stop it.
coproc waitingswtpm {
read || :
echo "" | ${lib.getExe hostPkgs.socat} STDIO UNIX-CONNECT:"$NIX_SWTPM_DIR"/socket
}
# Clear `FD_CLOEXEC` on the coprocess' file descriptor stdin.
fdflags -s-cloexec ''${waitingswtpm[1]}
''}
cd "$TMPDIR"
${lib.optionalString (cfg.emptyDiskImages != []) "idx=0"}
${flip concatMapStrings cfg.emptyDiskImages (size: ''
if ! test -e "empty$idx.qcow2"; then
${qemu}/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "${toString size}M"
fi
idx=$((idx + 1))
'')}
# Start QEMU.
exec ${qemu-common.qemuBinary qemu} \
-name ${config.system.name} \
-m ${toString config.virtualisation.memorySize} \
-smp ${toString config.virtualisation.cores} \
-device virtio-rng-pci \
${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \
${concatStringsSep " \\\n "
(mapAttrsToList
(tag: share: "-virtfs local,path=${share.source},security_model=${share.securityModel},mount_tag=${tag}")
config.virtualisation.sharedDirectories)} \
${drivesCmdLine config.virtualisation.qemu.drives} \
${concatStringsSep " \\\n " config.virtualisation.qemu.options} \
$QEMU_OPTS \
"$@"
'';
regInfo = hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
# Use well-defined and persistent filesystem labels to identify block devices.
rootFilesystemLabel = "nixos";
espFilesystemLabel = "ESP"; # Hard-coded by make-disk-image.nix
nixStoreFilesystemLabel = "nix-store";
# The root drive is a raw disk which does not necessarily contain a
# filesystem or partition table. It thus cannot be identified via the typical
# persistent naming schemes (e.g. /dev/disk/by-{label, uuid, partlabel,
# partuuid}. Instead, supply a well-defined and persistent serial attribute
# via QEMU. Inside the running system, the disk can then be identified via
# the /dev/disk/by-id scheme.
rootDriveSerialAttr = "root";
# System image is akin to a complete NixOS install with
# a boot partition and root partition.
systemImage = import ../../lib/make-disk-image.nix {
inherit pkgs config lib;
additionalPaths = [ regInfo ];
format = "qcow2";
onlyNixStore = false;
label = rootFilesystemLabel;
partitionTableType = selectPartitionTableLayout { inherit (cfg) useDefaultFilesystems useEFIBoot; };
installBootLoader = cfg.installBootLoader;
touchEFIVars = cfg.useEFIBoot;
diskSize = "auto";
additionalSpace = "0M";
copyChannel = false;
OVMF = cfg.efi.OVMF;
};
in
{
imports = [
../profiles/qemu-guest.nix
(mkRenamedOptionModule [ "virtualisation" "pathsInNixDB" ] [ "virtualisation" "additionalPaths" ])
(mkRemovedOptionModule [ "virtualisation" "bootDevice" ] "This option was renamed to `virtualisation.rootDevice`, as it was incorrectly named and misleading. Take the time to review what you want to do and look at the new options like `virtualisation.{bootLoaderDevice, bootPartition}`, open an issue in case of issues.")
(mkRemovedOptionModule [ "virtualisation" "efiVars" ] "This option was removed, it is possible to provide a template UEFI variable with `virtualisation.efi.variables` ; if this option is important to you, open an issue")
(mkRemovedOptionModule [ "virtualisation" "persistBootDevice" ] "Boot device is always persisted if you use a bootloader through the root disk image ; if this does not work for your usecase, please examine carefully what `virtualisation.{bootDevice, rootDevice, bootPartition}` options offer you and open an issue explaining your need.`")
];
options = {
virtualisation.fileSystems = options.fileSystems;
virtualisation.memorySize =
mkOption {
type = types.ints.positive;
default = 1024;
description = ''
The memory size in megabytes of the virtual machine.
'';
};
virtualisation.msize =
mkOption {
type = types.ints.positive;
default = 16384;
description = ''
The msize (maximum packet size) option passed to 9p file systems, in
bytes. Increasing this should increase performance significantly,
at the cost of higher RAM usage.
'';
};
virtualisation.diskSize =
mkOption {
type = types.ints.positive;
default = 1024;
description = ''
The disk size in megabytes of the virtual machine.
'';
};
virtualisation.diskImage =
mkOption {
type = types.nullOr types.str;
default = "./${config.system.name}.qcow2";
defaultText = literalExpression ''"./''${config.system.name}.qcow2"'';
description = ''
Path to the disk image containing the root filesystem.
The image will be created on startup if it does not
exist.
If null, a tmpfs will be used as the root filesystem and
the VM's state will not be persistent.
'';
};
virtualisation.bootLoaderDevice =
mkOption {
type = types.path;
default = "/dev/disk/by-id/virtio-${rootDriveSerialAttr}";
defaultText = literalExpression ''/dev/disk/by-id/virtio-${rootDriveSerialAttr}'';
example = "/dev/disk/by-id/virtio-boot-loader-device";
description = ''
The path (inside th VM) to the device to boot from when legacy booting.
'';
};
virtualisation.bootPartition =
mkOption {
type = types.nullOr types.path;
default = if cfg.useEFIBoot then "/dev/disk/by-label/${espFilesystemLabel}" else null;
defaultText = literalExpression ''if cfg.useEFIBoot then "/dev/disk/by-label/${espFilesystemLabel}" else null'';
example = "/dev/disk/by-label/esp";
description = ''
The path (inside the VM) to the device containing the EFI System Partition (ESP).
If you are *not* booting from a UEFI firmware, this value is, by
default, `null`. The ESP is mounted to `boot.loader.efi.efiSysMountpoint`.
'';
};
virtualisation.rootDevice =
mkOption {
type = types.nullOr types.path;
default = "/dev/disk/by-label/${rootFilesystemLabel}";
defaultText = literalExpression ''/dev/disk/by-label/${rootFilesystemLabel}'';
example = "/dev/disk/by-label/nixos";
description = ''
The path (inside the VM) to the device containing the root filesystem.
'';
};
virtualisation.emptyDiskImages =
mkOption {
type = types.listOf types.ints.positive;
default = [];
description = ''
Additional disk images to provide to the VM. The value is
a list of size in megabytes of each disk. These disks are
writeable by the VM.
'';
};
virtualisation.graphics =
mkOption {
type = types.bool;
default = true;
description = ''
Whether to run QEMU with a graphics window, or in nographic mode.
Serial console will be enabled on both settings, but this will
change the preferred console.
'';
};
virtualisation.resolution =
mkOption {
type = options.services.xserver.resolutions.type.nestedTypes.elemType;
default = { x = 1024; y = 768; };
description = ''
The resolution of the virtual machine display.
'';
};
virtualisation.cores =
mkOption {
type = types.ints.positive;
default = 1;
description = ''
Specify the number of cores the guest is permitted to use.
The number can be higher than the available cores on the
host system.
'';
};
virtualisation.sharedDirectories =
mkOption {
type = types.attrsOf
(types.submodule {
options.source = mkOption {
type = types.str;
description = "The path of the directory to share, can be a shell variable";
};
options.target = mkOption {
type = types.path;
description = "The mount point of the directory inside the virtual machine";
};
options.securityModel = mkOption {
type = types.enum [ "passthrough" "mapped-xattr" "mapped-file" "none" ];
default = "mapped-xattr";
description = ''
The security model to use for this share:
- `passthrough`: files are stored using the same credentials as they are created on the guest (this requires QEMU to run as root)
- `mapped-xattr`: some of the file attributes like uid, gid, mode bits and link target are stored as file attributes
- `mapped-file`: the attributes are stored in the hidden .virtfs_metadata directory. Directories exported by this security model cannot interact with other unix tools
- `none`: same as "passthrough" except the sever won't report failures if it fails to set file attributes like ownership
'';
};
});
default = { };
example = {
my-share = { source = "/path/to/be/shared"; target = "/mnt/shared"; };
};
description = ''
An attributes set of directories that will be shared with the
virtual machine using VirtFS (9P filesystem over VirtIO).
The attribute name will be used as the 9P mount tag.
'';
};
virtualisation.additionalPaths =
mkOption {
type = types.listOf types.path;
default = [];
description = ''
A list of paths whose closure should be made available to
the VM.
When 9p is used, the closure is registered in the Nix
database in the VM. All other paths in the host Nix store
appear in the guest Nix store as well, but are considered
garbage (because they are not registered in the Nix
database of the guest).
When {option}`virtualisation.useNixStoreImage` is
set, the closure is copied to the Nix store image.
'';
};
virtualisation.forwardPorts = mkOption {
type = types.listOf
(types.submodule {
options.from = mkOption {
type = types.enum [ "host" "guest" ];
default = "host";
description = ''
Controls the direction in which the ports are mapped:
- `"host"` means traffic from the host ports
is forwarded to the given guest port.
- `"guest"` means traffic from the guest ports
is forwarded to the given host port.
'';
};
options.proto = mkOption {
type = types.enum [ "tcp" "udp" ];
default = "tcp";
description = "The protocol to forward.";
};
options.host.address = mkOption {
type = types.str;
default = "";
description = "The IPv4 address of the host.";
};
options.host.port = mkOption {
type = types.port;
description = "The host port to be mapped.";
};
options.guest.address = mkOption {
type = types.str;
default = "";
description = "The IPv4 address on the guest VLAN.";
};
options.guest.port = mkOption {
type = types.port;
description = "The guest port to be mapped.";
};
});
default = [];
example = lib.literalExpression
''
[ # forward local port 2222 -> 22, to ssh into the VM
{ from = "host"; host.port = 2222; guest.port = 22; }
# forward local port 80 -> 10.0.2.10:80 in the VLAN
{ from = "guest";
guest.address = "10.0.2.10"; guest.port = 80;
host.address = "127.0.0.1"; host.port = 80;
}
]
'';
description = ''
When using the SLiRP user networking (default), this option allows to
forward ports to/from the host/guest.
::: {.warning}
If the NixOS firewall on the virtual machine is enabled, you also
have to open the guest ports to enable the traffic between host and
guest.
:::
::: {.note}
Currently QEMU supports only IPv4 forwarding.
:::
'';
};
virtualisation.restrictNetwork =
mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If this option is enabled, the guest will be isolated, i.e. it will
not be able to contact the host and no guest IP packets will be
routed over the host to the outside. This option does not affect
any explicitly set forwarding rules.
'';
};
virtualisation.vlans =
mkOption {
type = types.listOf types.ints.unsigned;
default = if config.virtualisation.interfaces == {} then [ 1 ] else [ ];
defaultText = lib.literalExpression ''if config.virtualisation.interfaces == {} then [ 1 ] else [ ]'';
example = [ 1 2 ];
description = ''
Virtual networks to which the VM is connected. Each
number «N» in this list causes
the VM to have a virtual Ethernet interface attached to a
separate virtual network on which it will be assigned IP
address
`192.168.«N».«M»`,
where «M» is the index of this VM
in the list of VMs.
'';
};
virtualisation.interfaces = mkOption {
default = {};
example = {
enp1s0.vlan = 1;
};
description = ''
Network interfaces to add to the VM.
'';
type = with types; attrsOf (submodule {
options = {
vlan = mkOption {
type = types.ints.unsigned;
description = ''
VLAN to which the network interface is connected.
'';
};
assignIP = mkOption {
type = types.bool;
default = false;
description = ''
Automatically assign an IP address to the network interface using the same scheme as
virtualisation.vlans.
'';
};
};
});
};
virtualisation.writableStore =
mkOption {
type = types.bool;
default = cfg.mountHostNixStore;
defaultText = literalExpression "cfg.mountHostNixStore";
description = ''
If enabled, the Nix store in the VM is made writable by
layering an overlay filesystem on top of the host's Nix
store.
By default, this is enabled if you mount a host Nix store.
'';
};
virtualisation.writableStoreUseTmpfs =
mkOption {
type = types.bool;
default = true;
description = ''
Use a tmpfs for the writable store instead of writing to the VM's
own filesystem.
'';
};
networking.primaryIPAddress =
mkOption {
type = types.str;
default = "";
internal = true;
description = "Primary IP address used in /etc/hosts.";
};
networking.primaryIPv6Address =
mkOption {
type = types.str;
default = "";
internal = true;
description = "Primary IPv6 address used in /etc/hosts.";
};
virtualisation.host.pkgs = mkOption {
type = options.nixpkgs.pkgs.type;
default = pkgs;
defaultText = literalExpression "pkgs";
example = literalExpression ''
import pkgs.path { system = "x86_64-darwin"; }
'';
description = ''
Package set to use for the host-specific packages of the VM runner.
Changing this to e.g. a Darwin package set allows running NixOS VMs on Darwin.
'';
};
virtualisation.qemu = {
package =
mkOption {
type = types.package;
default = if hostPkgs.stdenv.hostPlatform.qemuArch == pkgs.stdenv.hostPlatform.qemuArch then hostPkgs.qemu_kvm else hostPkgs.qemu;
defaultText = literalExpression "if hostPkgs.stdenv.hostPlatform.qemuArch == pkgs.stdenv.hostPlatform.qemuArch then config.virtualisation.host.pkgs.qemu_kvm else config.virtualisation.host.pkgs.qemu";
example = literalExpression "pkgs.qemu_test";
description = "QEMU package to use.";
};
options =
mkOption {
type = types.listOf types.str;
default = [];
example = [ "-vga std" ];
description = ''
Options passed to QEMU.
See [QEMU User Documentation](https://www.qemu.org/docs/master/system/qemu-manpage) for a complete list.
'';
};
consoles = mkOption {
type = types.listOf types.str;
default = let
consoles = [ "${qemu-common.qemuSerialDevice},115200n8" "tty0" ];
in if cfg.graphics then consoles else reverseList consoles;
example = [ "console=tty1" ];
description = ''
The output console devices to pass to the kernel command line via the
`console` parameter, the primary console is the last
item of this list.
By default it enables both serial console and
`tty0`. The preferred console (last one) is based on
the value of {option}`virtualisation.graphics`.
'';
};
networkingOptions =
mkOption {
type = types.listOf types.str;
default = [ ];
example = [
"-net nic,netdev=user.0,model=virtio"
"-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
];
description = ''
Networking-related command-line options that should be passed to qemu.
The default is to use userspace networking (SLiRP).
See the [QEMU Wiki on Networking](https://wiki.qemu.org/Documentation/Networking) for details.
If you override this option, be advised to keep
`''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}` (as seen in the example)
to keep the default runtime behaviour.
'';
};
drives =
mkOption {
type = types.listOf (types.submodule driveOpts);
description = "Drives passed to qemu.";
};
diskInterface =
mkOption {
type = types.enum [ "virtio" "scsi" "ide" ];
default = "virtio";
example = "scsi";
description = "The interface used for the virtual hard disks.";
};
guestAgent.enable =
mkOption {
type = types.bool;
default = true;
description = ''
Enable the Qemu guest agent.
'';
};
virtioKeyboard =
mkOption {
type = types.bool;
default = true;
description = ''
Enable the virtio-keyboard device.
'';
};
};
virtualisation.useNixStoreImage =
mkOption {
type = types.bool;
default = false;
description = ''
Build and use a disk image for the Nix store, instead of
accessing the host's one through 9p.
For applications which do a lot of reads from the store,
this can drastically improve performance, but at the cost of
disk space and image build time.
The Nix store image is built just-in-time right before the VM is
started. Because it does not produce another derivation, the image is
not cached between invocations and never lands in the store or binary
cache.
If you want a full disk image with a partition table and a root
filesystem instead of only a store image, enable
{option}`virtualisation.useBootLoader` instead.
'';
};
virtualisation.mountHostNixStore =
mkOption {
type = types.bool;
default = !cfg.useNixStoreImage && !cfg.useBootLoader;
defaultText = literalExpression "!cfg.useNixStoreImage && !cfg.useBootLoader";
description = ''
Mount the host Nix store as a 9p mount.
'';
};
virtualisation.directBoot = {
enable =
mkOption {
type = types.bool;
default = !cfg.useBootLoader;
defaultText = "!cfg.useBootLoader";
description = ''
If enabled, the virtual machine will boot directly into the kernel instead of through a bootloader.
Read more about this feature in the [QEMU documentation on Direct Linux Boot](https://qemu-project.gitlab.io/qemu/system/linuxboot.html)
This is enabled by default.
If you want to test netboot, consider disabling this option.
Enable a bootloader with {option}`virtualisation.useBootLoader` if you need.
Relevant parameters such as those set in `boot.initrd` and `boot.kernelParams` are also passed to QEMU.
Additional parameters can be supplied on invocation through the environment variable `$QEMU_KERNEL_PARAMS`.
They are added to the `-append` option, see [QEMU User Documentation](https://www.qemu.org/docs/master/system/qemu-manpage) for details
For example, to let QEMU use the parent terminal as the serial console, set `QEMU_KERNEL_PARAMS="console=ttyS0"`.
This will not (re-)boot correctly into a system that has switched to a different configuration on disk.
'';
};
initrd =
mkOption {
type = types.str;
default = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}";
defaultText = "\${config.system.build.initialRamdisk}/\${config.system.boot.loader.initrdFile}";
description = ''
In direct boot situations, you may want to influence the initrd to load
to use your own customized payload.
This is useful if you want to test the netboot image without
testing the firmware or the loading part.
'';
};
};
virtualisation.useBootLoader =
mkOption {
type = types.bool;
default = false;
description = ''
Use a boot loader to boot the system.
This allows, among other things, testing the boot loader.
If disabled, the kernel and initrd are directly booted,
forgoing any bootloader.
Check the documentation on {option}`virtualisation.directBoot.enable` for details.
'';
};
virtualisation.installBootLoader =
mkOption {
type = types.bool;
default = cfg.useBootLoader && cfg.useDefaultFilesystems;
defaultText = "cfg.useBootLoader && cfg.useDefaultFilesystems";
description = ''
Install boot loader to target image.
This is best-effort and may break with unconventional partition setups.
Use `virtualisation.useDefaultFilesystems` for a known-working configuration.
'';
};
virtualisation.useEFIBoot =
mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the virtual machine will provide a EFI boot
manager.
useEFIBoot is ignored if useBootLoader == false.
'';
};
virtualisation.efi = {
OVMF = mkOption {
type = types.package;
default = (pkgs.OVMF.override {
secureBoot = cfg.useSecureBoot;
}).fd;
defaultText = ''(pkgs.OVMF.override {
secureBoot = cfg.useSecureBoot;
}).fd'';
description = "OVMF firmware package, defaults to OVMF configured with secure boot if needed.";
};
firmware = mkOption {
type = types.path;
default = cfg.efi.OVMF.firmware;
defaultText = literalExpression "cfg.efi.OVMF.firmware";
description = ''
Firmware binary for EFI implementation, defaults to OVMF.
'';
};
variables = mkOption {
type = types.path;
default = cfg.efi.OVMF.variables;
defaultText = literalExpression "cfg.efi.OVMF.variables";
description = ''
Platform-specific flash binary for EFI variables, implementation-dependent to the EFI firmware.
Defaults to OVMF.
'';
};
keepVariables = mkOption {
type = types.bool;
default = cfg.useBootLoader;
defaultText = literalExpression "cfg.useBootLoader";
description = "Whether to keep EFI variable values from the generated system image";
};
};
virtualisation.tpm = {
enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm";
package = mkPackageOption cfg.host.pkgs "swtpm" { };
deviceModel = mkOption {
type = types.str;
default = ({
"i686-linux" = "tpm-tis";
"x86_64-linux" = "tpm-tis";
"ppc64-linux" = "tpm-spapr";
"armv7-linux" = "tpm-tis-device";
"aarch64-linux" = "tpm-tis-device";
}.${pkgs.stdenv.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU"));
defaultText = ''
Based on the guest platform Linux system:
- `tpm-tis` for (i686, x86_64)
- `tpm-spapr` for ppc64
- `tpm-tis-device` for (armv7, aarch64)
'';
example = "tpm-tis-device";
description = "QEMU device model for the TPM, uses the appropriate default based on th guest platform system and the package passed.";
};
};
virtualisation.useDefaultFilesystems =
mkOption {
type = types.bool;
default = true;
description = ''
If enabled, the boot disk of the virtual machine will be
formatted and mounted with the default filesystems for
testing. Swap devices and LUKS will be disabled.
If disabled, a root filesystem has to be specified and
formatted (for example in the initial ramdisk).
'';
};
virtualisation.useSecureBoot =
mkOption {
type = types.bool;
default = false;
description = ''
Enable Secure Boot support in the EFI firmware.
'';
};
virtualisation.bios =
mkOption {
type = types.nullOr types.package;
default = null;
description = ''
An alternate BIOS (such as `qboot`) with which to start the VM.
Should contain a file named `bios.bin`.
If `null`, QEMU's builtin SeaBIOS will be used.
'';
};
virtualisation.useHostCerts =
mkOption {
type = types.bool;
default = false;
description = ''
If enabled, when `NIX_SSL_CERT_FILE` is set on the host,
pass the CA certificates from the host to the VM.
'';
};
};
config = {
assertions =
lib.concatLists (lib.flip lib.imap cfg.forwardPorts (i: rule:
[
{ assertion = rule.from == "guest" -> rule.proto == "tcp";
message =
''
Invalid virtualisation.forwardPorts.<entry ${toString i}>.proto:
Guest forwarding supports only TCP connections.
'';
}
{ assertion = rule.from == "guest" -> lib.hasPrefix "10.0.2." rule.guest.address;
message =
''
Invalid virtualisation.forwardPorts.<entry ${toString i}>.guest.address:
The address must be in the default VLAN (10.0.2.0/24).
'';
}
])) ++ [
{ assertion = pkgs.stdenv.hostPlatform.is32bit -> cfg.memorySize < 2047;
message = ''
virtualisation.memorySize is above 2047, but qemu is only able to allocate 2047MB RAM on 32bit max.
'';
}
{ assertion = cfg.directBoot.enable || cfg.directBoot.initrd == options.virtualisation.directBoot.initrd.default;
message =
''
You changed the default of `virtualisation.directBoot.initrd` but you are not
using QEMU direct boot. This initrd will not be used in your current