Diffstat (limited to 'nixos/modules/virtualisation')
18 files changed, 181 insertions, 70 deletions
diff --git a/nixos/modules/virtualisation/containerd.nix b/nixos/modules/virtualisation/containerd.nix index ea89a994b172a..73fb9f3b55d2f 100644 --- a/nixos/modules/virtualisation/containerd.nix +++ b/nixos/modules/virtualisation/containerd.nix @@ -84,7 +84,6 @@ in # "limits" defined below are adopted from upstream: https://github.com/containerd/containerd/blob/master/containerd.service LimitNPROC = "infinity"; LimitCORE = "infinity"; - LimitNOFILE = "infinity"; TasksMax = "infinity"; OOMScoreAdjust = "-999"; diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 65620dd3935b8..c3639f660dfe3 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -53,13 +53,6 @@ in storage.settings = mkOption { type = toml.type; - default = { - storage = { - driver = "overlay"; - graphroot = "/var/lib/containers/storage"; - runroot = "/run/containers/storage"; - }; - }; description = "storage.conf configuration"; }; @@ -124,6 +117,12 @@ in }; }; + virtualisation.containers.storage.settings.storage = { + driver = lib.mkDefault "overlay"; + graphroot = lib.mkDefault "/var/lib/containers/storage"; + runroot = lib.mkDefault "/run/containers/storage"; + }; + environment.etc = { "containers/containers.conf".source = toml.generate "containers.conf" cfg.containersConf.settings; diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index bcc649dcbec0a..8a0894ed85c3d 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix 
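Review bot: The removal of `LimitNOFILE = "infinity";` leaves the comment above it, which points at upstream `master`, as the only explanation, and master will not show a reader why this one limit is gone. Someone auditing the unit's resource limits cannot tell whether dropping the file-descriptor cap was deliberate (the unit now inherits systemd's DefaultLimitNOFILE) or lost in a rebase. I'd add, next to the remaining limits, `# LimitNOFILE intentionally omitted: the systemd default is used, matching upstream` with the upstream containerd.service change referenced if it is known.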
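Review bot: With the `default = { storage = …; }` block removed from `storage.settings`, the option's rendered documentation no longer shows any default, while the effective values now come from the `lib.mkDefault` block in the second hunk of this file (`@@ -124,6 +117,12 @@`). The merge behaviour also changed: a user who set only `storage.settings.storage.driver` used to lose `graphroot` and `runroot` entirely and now keeps them, which is the better outcome but is not stated anywhere. I'd extend the description to `description = "storage.conf configuration. `storage.driver`, `storage.graphroot` and `storage.runroot` are pre-set with `lib.mkDefault` and can be overridden individually.";` so the manual reflects what the module actually configures.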
@@ -244,8 +244,8 @@ in }; assertions = [ - { assertion = cfg.enableNvidia && pkgs.stdenv.isx86_64 -> config.hardware.opengl.driSupport32Bit or false; - message = "Option enableNvidia on x86_64 requires 32bit support libraries"; + { assertion = cfg.enableNvidia && pkgs.stdenv.isx86_64 -> config.hardware.graphics.enable32Bit or false; + message = "Option enableNvidia on x86_64 requires 32-bit support libraries"; }]; virtualisation.docker.daemon.settings = { diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix index 4d04853d20a56..2b69a7a076585 100644 --- a/nixos/modules/virtualisation/incus.nix +++ b/nixos/modules/virtualisation/incus.nix @@ -105,6 +105,37 @@ let path = "${pkgs.OVMFFull.fd}/FV/${ovmf-prefix}_VARS.fd"; } ]; + + environment = lib.mkMerge [ + { + INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; + INCUS_OVMF_PATH = ovmf; + INCUS_USBIDS_PATH = "${pkgs.hwdata}/share/hwdata/usb.ids"; + PATH = lib.mkForce serverBinPath; + } + (lib.mkIf (cfg.ui.enable) { "INCUS_UI" = cfg.ui.package; }) + ]; + + incus-startup = pkgs.writeShellScript "incus-startup" '' + case "$1" in + start) + systemctl is-active incus.service -q && exit 0 + exec incusd activateifneeded + ;; + + stop) + systemctl is-active incus.service -q || exit 0 + exec incusd shutdown + ;; + + *) + echo "unknown argument \`$1'" >&2 + exit 1 + ;; + esac + + exit 0 + ''; in { meta = { @@ -118,7 +149,7 @@ in Users in the "incus-admin" group can interact with the daemon (e.g. to start or stop containers) using the - {command}`incus` command line tool, among others. + {command}`incus` command line tool, among others ''; package = lib.mkPackageOption pkgs "incus-lts" { }; 
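Review bot: The `incus-startup` script calls `systemctl` and `incusd` unqualified, while the `environment` value defined just above forces `PATH` to `serverBinPath`, which is defined outside this hunk. If `systemctl` is not on that path, `systemctl is-active incus.service -q || exit 0` in the `stop` branch fails and the script exits 0 without running `incusd shutdown`, so instances are left running across a host shutdown; the `start` branch has the mirror problem and silently falls through to `activateifneeded`. I'd use absolute paths as the unit's `ExecStart` already does: `${pkgs.systemd}/bin/systemctl is-active incus.service -q && exit 0` and `exec ${cfg.package}/bin/incusd activateifneeded`, with the same two substitutions in the `stop` branch.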
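Review bot: The trailing period removed from the `among others` line leaves the last sentence of the `enable` description unterminated, while the other sentences in the same description (visible in the context lines) keep theirs. Unless this matches a convention applied elsewhere in the file, I'd restore `command line tool, among others.` so the rendered manual reads consistently.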
@@ -137,6 +168,14 @@ in description = "The incus client package to use. This package is added to PATH."; }; + softDaemonRestart = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Allow for incus.service to be stopped without affecting running instances. + ''; + }; + preseed = lib.mkOption { type = lib.types.nullOr (lib.types.submodule { freeformType = preseedFormat.type; }); @@ -282,6 +321,8 @@ in systemd.services.incus = { description = "Incus Container and Virtual Machine Management Daemon"; + inherit environment; + wantedBy = lib.mkIf (!cfg.socketActivation) [ "multi-user.target" ]; after = [ "network-online.target" @@ -296,20 +337,10 @@ in wants = [ "network-online.target" ]; - environment = lib.mkMerge [ - { - INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; - INCUS_OVMF_PATH = ovmf; - INCUS_USBIDS_PATH = "${pkgs.hwdata}/share/hwdata/usb.ids"; - PATH = lib.mkForce serverBinPath; - } - (lib.mkIf (cfg.ui.enable) { "INCUS_UI" = cfg.ui.package; }) - ]; - serviceConfig = { ExecStart = "${cfg.package}/bin/incusd --group incus-admin"; ExecStartPost = "${cfg.package}/bin/incusd waitready --timeout=${cfg.startTimeout}"; - ExecStop = "${cfg.package}/bin/incus admin shutdown"; + ExecStop = lib.optionalString (!cfg.softDaemonRestart) "${cfg.package}/bin/incus admin shutdown"; KillMode = "process"; # when stopping, leave the containers alone Delegate = "yes"; @@ -324,6 +355,27 @@ in }; }; + systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart { + description = "Incus Instances Startup/Shutdown"; + + inherit environment; + + after = [ + "incus.service" + "incus.socket" + ]; + requires = [ "incus.socket" ]; + + serviceConfig = { + ExecStart = "${incus-startup} start"; + ExecStop = "${incus-startup} stop"; + RemainAfterExit = true; + TimeoutStartSec = "600s"; + TimeoutStopSec = "600s"; + Type = "oneshot"; + }; + }; + systemd.sockets.incus = { description = "Incus UNIX socket"; wantedBy = [ "sockets.target" ]; 
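Review bot: `ExecStop = lib.optionalString (!cfg.softDaemonRestart) "…"` yields `ExecStop=` with an empty value when `softDaemonRestart` is true; systemd treats the empty assignment as a list reset, so it works, but the rendered unit carries a blank directive that reads like an accident. `ExecStop = lib.mkIf (!cfg.softDaemonRestart) "${cfg.package}/bin/incus admin shutdown";` expresses the intent and omits the directive entirely. With no `ExecStop`, stopping the unit falls back to SIGTERM on the main process under the existing `KillMode = "process"`, which is the soft-restart behaviour wanted here; a one-line comment saying so next to the line would help the next reader, since the `# when stopping, leave the containers alone` comment now carries most of the meaning.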
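Review bot: `systemd.services.incus-startup` has `after` and `requires` but no `wantedBy`, so as far as this hunk shows nothing pulls the unit in at boot and its `start`/`stop` branches never run unless a line outside this view adds it. Because `softDaemonRestart` defaults to true and `incus.service` no longer has an `ExecStop` in that mode, a missing `wantedBy` means instances are neither auto-started nor cleanly shut down. I'd add `wantedBy = [ "multi-user.target" ];` next to `requires`, mirroring the `wantedBy` that `incus.service` sets when socket activation is off.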
diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 226ece8176708..9fbb126738a93 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -332,6 +332,14 @@ in libvirt NSS module options. ''; }; + + sshProxy = mkOption { + type = types.bool; + default = true; + description = '' + Weither to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html). + ''; + }; }; @@ -382,6 +390,10 @@ in source = "${cfg.qemu.package}/libexec/qemu-bridge-helper"; }; + programs.ssh.extraConfig = mkIf cfg.sshProxy '' + Include ${cfg.package}/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf + ''; + systemd.packages = [ cfg.package ]; systemd.services.libvirtd-config = { diff --git a/nixos/modules/virtualisation/lxc-image-metadata.nix b/nixos/modules/virtualisation/lxc-image-metadata.nix index 2c0568b4c4682..38d955798f3e0 100644 --- a/nixos/modules/virtualisation/lxc-image-metadata.nix +++ b/nixos/modules/virtualisation/lxc-image-metadata.nix @@ -87,10 +87,10 @@ in { contents = [ { source = toYAML "metadata.yaml" { - architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.system)) 0; + architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.stdenv.hostPlatform.system)) 0; creation_date = 1; properties = { - description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}"; + description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.stdenv.hostPlatform.system}"; os = "${config.system.nixos.distroId}"; release = "${config.system.nixos.codeName}"; }; diff --git a/nixos/modules/virtualisation/lxd-agent.nix b/nixos/modules/virtualisation/lxd-agent.nix index 8d536e18a34e4..d319371478481 100644 --- a/nixos/modules/virtualisation/lxd-agent.nix +++ b/nixos/modules/virtualisation/lxd-agent.nix 
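Review bot: `sshProxy` defaults to `true` and, through the `programs.ssh.extraConfig` include in the next hunk (`@@ -382,6 +390,10 @@`), changes the system-wide OpenSSH client configuration for every user on the host, so the description should say what the include does — as I read the linked page, it matches libvirt-style host names and sets a `ProxyCommand` for them — rather than only linking it, so an admin can decide whether to opt out. The description also misspells `Weither`; `Whether to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html).` The included path `${cfg.package}/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf` only exists in libvirt builds that ship the proxy; I believe OpenSSH ignores an `Include` that matches nothing, so an older `cfg.package` would silently get no proxy — worth an assertion or a note if older packages are supported.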
@@ -50,7 +50,7 @@ in { }; options = { - virtualisation.lxd.agent.enable = lib.mkEnableOption "Enable LXD agent"; + virtualisation.lxd.agent.enable = lib.mkEnableOption "LXD agent"; }; config = lib.mkIf cfg.enable { diff --git a/nixos/modules/virtualisation/multipass.nix b/nixos/modules/virtualisation/multipass.nix index 7918a716a870b..8a55282c88d8c 100644 --- a/nixos/modules/virtualisation/multipass.nix +++ b/nixos/modules/virtualisation/multipass.nix @@ -10,9 +10,7 @@ in { options = { virtualisation.multipass = { - enable = lib.mkEnableOption '' - Multipass, a simple manager for virtualised Ubuntu instances. - ''; + enable = lib.mkEnableOption "Multipass, a simple manager for virtualised Ubuntu instances"; logLevel = lib.mkOption { type = lib.types.enum [ "error" "warning" "info" "debug" "trace" ]; diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix index 4308d410c69c7..f4fa934231798 100644 --- a/nixos/modules/virtualisation/oci-containers.nix +++ b/nixos/modules/virtualisation/oci-containers.nix @@ -221,6 +221,13 @@ let example = "hello-world"; }; + preRunExtraOptions = mkOption { + type = with types; listOf str; + default = []; + description = "Extra options for {command}`${defaultBackend}` that go before the `run` argument."; + example = [ "--runtime" "runsc" ]; + }; + extraOptions = mkOption { type = with types; listOf str; default = []; @@ -284,7 +291,9 @@ let else throw "Unhandled backend: ${cfg.backend}"; script = concatStringsSep " \\\n " ([ - "exec ${cfg.backend} run" + "exec ${cfg.backend} " + ] ++ map escapeShellArg container.preRunExtraOptions ++ [ + "run" "--rm" "--name=${escapedName}" "--log-driver=${container.log-driver}" diff --git a/nixos/modules/virtualisation/oci-image.nix b/nixos/modules/virtualisation/oci-image.nix index d4af5016dd71c..1e2b90bfd46e2 100644 --- a/nixos/modules/virtualisation/oci-image.nix +++ b/nixos/modules/virtualisation/oci-image.nix 
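Review bot: `"exec ${cfg.backend} "` keeps a trailing space that is now redundant, because every list element is joined with `" \\\n "` by `concatStringsSep`, so the generated script gets `exec docker  \` with a doubled space. Writing `"exec ${cfg.backend}"` matches how the neighbouring elements (`"run"`, `"--rm"`) are written. Running `preRunExtraOptions` through `map escapeShellArg` is the right treatment for user-supplied options and presumably mirrors how `extraOptions` is spliced further down, outside this hunk.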
@@ -9,10 +9,10 @@ in config = { system.build.OCIImage = import ../../lib/make-disk-image.nix { inherit config lib pkgs; + inherit (cfg) diskSize; name = "oci-image"; configFile = ./oci-config-user.nix; format = "qcow2"; - diskSize = 8192; partitionTableType = if cfg.efi then "efi" else "legacy"; }; diff --git a/nixos/modules/virtualisation/oci-options.nix b/nixos/modules/virtualisation/oci-options.nix index 0dfedc6a530c8..76f3475a42817 100644 --- a/nixos/modules/virtualisation/oci-options.nix +++ b/nixos/modules/virtualisation/oci-options.nix @@ -9,6 +9,12 @@ Whether the OCI instance is using EFI. ''; }; + diskSize = lib.mkOption { + type = lib.types.int; + default = 8192; + description = "Size of the disk image created in MB."; + example = "diskSize = 12 * 1024; # 12GiB"; + }; }; }; } diff --git a/nixos/modules/virtualisation/proxmox-image.nix b/nixos/modules/virtualisation/proxmox-image.nix index 6349bcef99e6b..01ad86c08cd78 100644 --- a/nixos/modules/virtualisation/proxmox-image.nix +++ b/nixos/modules/virtualisation/proxmox-image.nix @@ -16,7 +16,7 @@ with lib; }; scsihw = mkOption { type = types.str; - default = "virtio-scsi-pci"; + default = "virtio-scsi-single"; example = "lsi"; description = '' SCSI controller type. Must be one of the supported values given in @@ -158,6 +158,31 @@ with lib; any specific VMID. ''; }; + cloudInit = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether the VM should accept cloud init configurations from PVE. + ''; + }; + defaultStorage = mkOption { + default = "local-lvm"; + example = "tank"; + type = types.str; + description = '' + Default storage name for cloud init drive. + ''; + }; + device = mkOption { + default = "ide2"; + example = "scsi0"; + type = types.str; + description = '' + Bus/device to which the cloud init drive is attached. + ''; + }; + }; }; config = let 
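Review bot: `diskSize` is typed `lib.types.int` but its `example` is the string `"diskSize = 12 * 1024; # 12GiB"`, so the rendered manual shows a quoted string for an integer option and repeats the attribute name inside the value. `example = lib.literalExpression "12 * 1024";` is the form used for expression examples in other NixOS modules. The description says `MB` while the example comment says `12GiB`; the unit should match what `make-disk-image.nix` documents for `diskSize` and be used consistently in both places.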
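Review bot: `cloudInit.device` and `cloudInit.defaultStorage` are plain `types.str` but are interpolated later in this commit into the generated VM config (`proxmox.qemuExtraConf.${cfg.cloudInit.device} = "${cfg.cloudInit.defaultStorage}:vm-9999-cloudinit,media=cdrom"`), so a typo such as `"ide 2"` or a storage id containing `:` produces a silently malformed config line. A `types.strMatching "(ide|sata|scsi)[0-9]+"` for `device` (the hunk's own values are `ide2` and `scsi0`) and `types.strMatching "[A-Za-z0-9_-]+"` for `defaultStorage` would turn the mistake into an evaluation error. The `device` description could also say the bus slot must be free in the resulting VM, since nothing here checks for a collision with the image's own disk.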
@@ -216,37 +241,21 @@ with lib; seccompSupport = false; guestAgentSupport = false; }).overrideAttrs ( super: rec { - - version = "7.2.1"; + # Check https://github.com/proxmox/pve-qemu/tree/master for the version + # of qemu and patch to use + version = "8.1.5"; src = pkgs.fetchurl { - url= "https://download.qemu.org/qemu-${version}.tar.xz"; - sha256 = "sha256-jIVpms+dekOl/immTN1WNwsMLRrQdLr3CYqCTReq1zs="; + url = "https://download.qemu.org/qemu-${version}.tar.xz"; + hash = "sha256-l2Ox7+xP1JeWtQgNCINRLXDLY4nq1lxmHMNoalIjKJY="; }; patches = [ # Proxmox' VMA tool is published as a particular patch upon QEMU - (pkgs.fetchpatch { - url = - let - rev = "abb04bb6272c1202ca9face0827917552b9d06f6"; - path = "debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch"; - in "https://git.proxmox.com/?p=pve-qemu.git;a=blob_plain;hb=${rev};f=${path}"; - hash = "sha256-3d0HHdvaExCry6zcULnziYnWIAnn24vECkI4sjj2BMg="; - }) - - # Proxmox' VMA tool uses O_DIRECT which fails on tmpfs - # Filed to upstream issue tracker: https://bugzilla.proxmox.com/show_bug.cgi?id=4710 - (pkgs.writeText "inline.patch" '' - --- a/vma-writer.c 2023-05-01 15:11:13.361341177 +0200 - +++ b/vma-writer.c 2023-05-01 15:10:51.785293129 +0200 - @@ -306,7 +306,7 @@ - /* try to use O_NONBLOCK */ - fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK); - } else { - - oflags = O_NONBLOCK|O_DIRECT|O_WRONLY|O_EXCL; - + oflags = O_NONBLOCK|O_WRONLY|O_EXCL; - vmaw->fd = qemu_create(filename, oflags, 0644, errp); - } - '') + "${pkgs.fetchFromGitHub { + owner = "proxmox"; + repo = "pve-qemu"; + rev = "71dd2d48f9122e60e4c0a8480122a27aab15dc70"; + hash = "sha256-Q8AxNv4geDdlbVIWphRO5P3ESo0SGgvUpVPmPJzubJM="; + }}/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch" ]; buildInputs = super.buildInputs ++ [ pkgs.libuuid ]; 
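Review bot: The removed inline patch that dropped `O_DIRECT` from `vma-writer.c` (the tmpfs failure tracked at https://bugzilla.proxmox.com/show_bug.cgi?id=4710) is not replaced by anything and the commit does not say why; either the pve-qemu patch at rev `71dd2d48f9122e60e4c0a8480122a27aab15dc70` no longer needs it or builds with a tmpfs `/tmp` will regress. I'd record which in a comment next to the patch entry, e.g. `# O_DIRECT workaround for Proxmox bug 4710 dropped: verify VMA writes still succeed on tmpfs with this patch revision`. The new comment `Check https://github.com/proxmox/pve-qemu/tree/master …` should also state that `version` and the pinned `rev` must be bumped together, since `hash` pins the fetched tree rather than the qemu version and a mismatch shows up only as a patch that fails to apply. `fetchFromGitHub` clones the whole repository for one file; `pkgs.fetchpatch` with a pinned `hash`, as the removed code did, keeps the download small and verifies just the patch.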
@@ -262,7 +271,7 @@ with lib; mv "vzdump-qemu-${cfg.filenameSuffix}.vma.zst" $out/ mkdir -p $out/nix-support - echo "file vma $out/vzdump-qemu-${cfg.filenameSuffix}.vma.zst" >> $out/nix-support/hydra-build-products + echo "file vma $out/vzdump-qemu-${cfg.filenameSuffix}.vma.zst" > $out/nix-support/hydra-build-products ''; inherit (cfg.qemuConf) additionalSpace diskSize bootSize; format = "raw"; @@ -298,6 +307,20 @@ with lib; fsType = "vfat"; }; - services.qemuGuest.enable = lib.mkDefault true; + networking = mkIf cfg.cloudInit.enable { + hostName = mkForce ""; + useDHCP = false; + }; + + services = { + cloud-init = mkIf cfg.cloudInit.enable { + enable = true; + network.enable = true; + }; + sshd.enable = mkDefault true; + qemuGuest.enable = true; + }; + + proxmox.qemuExtraConf.${cfg.cloudInit.device} = "${cfg.cloudInit.defaultStorage}:vm-9999-cloudinit,media=cdrom"; }; } diff --git a/nixos/modules/virtualisation/proxmox-lxc.nix b/nixos/modules/virtualisation/proxmox-lxc.nix index 9b9f99e5b8172..ff1c0972166cf 100644 --- a/nixos/modules/virtualisation/proxmox-lxc.nix +++ b/nixos/modules/virtualisation/proxmox-lxc.nix @@ -55,6 +55,8 @@ with lib; loader.initScript.enable = true; }; + console.enable = true; + networking = mkIf (!cfg.manageNetwork) { useDHCP = false; useHostResolvConf = false; @@ -68,8 +70,13 @@ with lib; startWhenNeeded = mkDefault true; }; - systemd.mounts = mkIf (!cfg.privileged) - [{ where = "/sys/kernel/debug"; enable = false; }]; + systemd = { + mounts = mkIf (!cfg.privileged) [{ + enable = false; + where = "/sys/kernel/debug"; + }]; + services."getty@".unitConfig.ConditionPathExists = [ "" "/dev/%I" ]; + }; }; } diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index c30f4577fdd86..d1dc6404d4f51 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix 
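Review bot: `sshd.enable = mkDefault true;` is placed outside the `mkIf cfg.cloudInit.enable` guard, so an image built with `cloudInit.enable = false` now starts sshd on first boot with nothing that provisions a key; `sshd.enable = mkDefault cfg.cloudInit.enable;` ties the listener to the mechanism that grants access. In the same block `qemuGuest.enable` goes from `lib.mkDefault true` to `true`, which removes a user's ability to turn the guest agent off and is inconsistent with the `mkDefault` on `sshd.enable` right beside it. The cloud-init drive line hard-codes `vm-9999-cloudinit` while the option text visible in the earlier hunk's context says the image is not tied to any specific VMID; if PVE remaps the volume name on restore that is fine, otherwise the VMID should come from the existing option, and a comment should say which case applies.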
@@ -900,7 +900,7 @@ in }; virtualisation.tpm = { - enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm."; + enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm"; package = mkPackageOption cfg.host.pkgs "swtpm" { }; @@ -912,7 +912,7 @@ in "ppc64-linux" = "tpm-spapr"; "armv7-linux" = "tpm-tis-device"; "aarch64-linux" = "tpm-tis-device"; - }.${pkgs.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); + }.${pkgs.stdenv.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); defaultText = '' Based on the guest platform Linux system: diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix index 255327f2622c9..1631a91ccf863 100644 --- a/nixos/modules/virtualisation/spice-usb-redirection.nix +++ b/nixos/modules/virtualisation/spice-usb-redirection.nix @@ -22,5 +22,5 @@ }; }; - meta.maintainers = [ lib.maintainers.lheckemann ]; + meta.maintainers = [ ]; } diff --git a/nixos/modules/virtualisation/vagrant-guest.nix b/nixos/modules/virtualisation/vagrant-guest.nix index 2fad376086e34..120a2a2324d21 100644 --- a/nixos/modules/virtualisation/vagrant-guest.nix +++ b/nixos/modules/virtualisation/vagrant-guest.nix 
@@ -11,8 +11,7 @@ let #!${pkgs.runtimeShell} if [ ! -e ~/.ssh/authorized_keys ]; then mkdir -m 0700 -p ~/.ssh - echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> ~/.ssh/authorized_keys - chmod 0600 ~/.ssh/authorized_keys + install -m 0600 <(echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key") ~/.ssh/authorized_keys fi ''; in diff --git a/nixos/modules/virtualisation/virtualbox-guest.nix b/nixos/modules/virtualisation/virtualbox-guest.nix index 649ff3abb9ae9..b4933cffa2c0c 100644 --- a/nixos/modules/virtualisation/virtualbox-guest.nix +++ b/nixos/modules/virtualisation/virtualbox-guest.nix @@ -31,7 +31,9 @@ let }; in { - ###### interface + imports = [ + (mkRenamedOptionModule [ "virtualisation" "virtualbox" "guest" "draganddrop" ] [ "virtualisation" "virtualbox" "guest" "dragAndDrop" ]) + ]; options.virtualisation.virtualbox.guest = { enable = mkOption { @@ -52,7 +54,7 @@ in description = "Whether to enable seamless mode. When activated windows from the guest appear next to the windows of the host."; }; - draganddrop = mkOption { + dragAndDrop = mkOption { default = true; type = types.bool; description = "Whether to enable drag and drop support."; 
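Review bot: `install -m 0600 <(echo "ssh-rsa …") ~/.ssh/authorized_keys` relies on bash process substitution, which `#!${pkgs.runtimeShell}` provides on NixOS but which is not POSIX sh; if that shebang is ever pointed at a plain sh the script fails at parse time, so a comment noting the bash dependency (or `(umask 077; echo "…" > ~/.ssh/authorized_keys)` which needs no bashism) would be safer. The behaviour also quietly changed from append to create, which is correct only because of the surrounding `if [ ! -e ~/.ssh/authorized_keys ]` guard. The key is the publicly known Vagrant insecure key, as its own trailing comment says; a one-line comment that Vagrant replaces it on first `vagrant up` and that the guest must not be exposed while it is still installed would save the next reader from treating it as a secret to rotate.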
@@ -111,5 +113,10 @@ in systemd.user.services.virtualboxClientSeamless = mkVirtualBoxUserService "--seamless"; } ) + ( + mkIf cfg.dragAndDrop { + systemd.user.services.virtualboxClientDragAndDrop = mkVirtualBoxUserService "--draganddrop"; + } + ) ]); } diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 609799995c527..a34fe132ba7e1 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -134,7 +134,7 @@ in assertions = [ { assertion = !cfg.addNetworkInterface; - message = "VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInferface."; + message = "VirtualBox KVM only supports standard NAT networking for VMs. Please turn off virtualisation.virtualbox.host.addNetworkInterface."; } { |