Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/docker.nix | 12 | ||||
-rw-r--r-- | nixos/modules/virtualisation/lxd.nix | 14 | ||||
-rw-r--r-- | nixos/modules/virtualisation/nixos-containers.nix | 8 | ||||
-rw-r--r-- | nixos/modules/virtualisation/podman/default.nix | 5 | ||||
-rw-r--r-- | nixos/modules/virtualisation/proxmox-image.nix | 10 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 50 | ||||
-rw-r--r-- | nixos/modules/virtualisation/vmware-guest.nix | 4 |
7 files changed, 80 insertions, 23 deletions
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 046b8e2f79010..20f47a76c87b9 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -158,6 +158,15 @@ in Docker package to be used in the module. ''; }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = [ ]; + example = literalExpression "with pkgs; [ criu ]"; + description = lib.mdDoc '' + Extra packages to add to PATH for the docker daemon process. + ''; + }; }; ###### implementation @@ -194,7 +203,8 @@ in }; path = [ pkgs.kmod ] ++ optional (cfg.storageDriver == "zfs") pkgs.zfs - ++ optional cfg.enableNvidia pkgs.nvidia-docker; + ++ optional cfg.enableNvidia pkgs.nvidia-docker + ++ cfg.extraPackages; }; systemd.sockets.docker = { diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index c06716e5eb605..e22ba9a0ae2ca 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -85,6 +85,14 @@ in { considered failed and systemd will attempt to restart it. ''; }; + + ui = { + enable = lib.mkEnableOption (lib.mdDoc '' + Enables the (experimental) LXD UI. + ''); + + package = mkPackageOption pkgs.lxd-unwrapped "ui" { }; + }; }; }; @@ -143,6 +151,10 @@ in { path = [ pkgs.util-linux ] ++ optional cfg.zfsSupport config.boot.zfs.package; + environment = mkIf (cfg.ui.enable) { + "LXD_UI" = cfg.ui.package; + }; + serviceConfig = { ExecStart = "@${cfg.package}/bin/lxd lxd --group lxd"; ExecStartPost = "${cfg.package}/bin/lxd waitready --timeout=${cfg.startTimeout}"; 
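Review bot: The description of the new `ui.enable` option says only that it enables the experimental UI and gives no hint of what enabling it exposes, which the commit does not address. As far as the module shows, the option just hands a path to the daemon through an environment variable (later in the file), so the UI is presumably served wherever LXD already serves its HTTPS API and becomes reachable on the network once `core.https_address` is configured; that should be confirmed and stated so operators know they are adding remote attack surface. Suggested wording: `Enables the (experimental) LXD web UI. It is served through the LXD HTTPS API, so it is only exposed on the network once an HTTPS listen address is configured for the daemon.` The enclosing options attrset starts and ends outside this hunk.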
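Review bot: The new `environment = mkIf (cfg.ui.enable) { "LXD_UI" = cfg.ui.package; };` wraps a plain boolean in parentheses and quotes an attribute name that needs no quoting, which is not how the neighbouring `path = [ pkgs.util-linux ] ++ optional cfg.zfsSupport ...` line is written. A consistent form is `environment = mkIf cfg.ui.enable { LXD_UI = cfg.ui.package; };`. A short comment naming what the daemon does with the path would also help, e.g. `# Path to the UI bundle the daemon serves over its HTTPS API.` — assuming that is indeed how LXD consumes `LXD_UI`, which should be confirmed. The `systemd.services.lxd` definition begins before and continues after this hunk.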
@@ -177,7 +189,7 @@ in { "fs.inotify.max_queued_events" = 1048576; "fs.inotify.max_user_instances" = 1048576; "fs.inotify.max_user_watches" = 1048576; - "vm.max_map_count" = 262144; + "vm.max_map_count" = 262144; # TODO: Default vm.max_map_count has been increased system-wide "kernel.dmesg_restrict" = 1; "net.ipv4.neigh.default.gc_thresh3" = 8192; "net.ipv6.neigh.default.gc_thresh3" = 8192; diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index c3949564d4bde..5df9942dbc049 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -800,14 +800,14 @@ in # declarative containers ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (let containerConfig = cfg // ( - if cfg.enableTun then + optionalAttrs cfg.enableTun { allowedDevices = cfg.allowedDevices ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ]; additionalCapabilities = cfg.additionalCapabilities ++ [ "CAP_NET_ADMIN" ]; } - else {}); + ); in recursiveUpdate unit { preStart = preStartScript containerConfig; @@ -817,7 +817,7 @@ in unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i"; environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i"; } // ( - if containerConfig.autoStart then + optionalAttrs containerConfig.autoStart { wantedBy = [ "machines.target" ]; wants = [ "network.target" ]; @@ -828,7 +828,7 @@ in ]; restartIfChanged = true; } - else {}) + ) )) config.containers) )); diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix index c3fae4bac41b3..ec0b713e58b38 100644 --- a/nixos/modules/virtualisation/podman/default.nix +++ b/nixos/modules/virtualisation/podman/default.nix 
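Review bot: The TODO added to the `vm.max_map_count` line records that the system-wide default was raised, yet the module still pins `262144` unconditionally, so if the global value is defined with `lib.mkDefault` this plain assignment wins and lowers the limit on LXD hosts rather than raising it. If the global default is indeed higher, the safest fix is to remove the line; if it must stay for older systems, it should be priority-tagged the same way as the global one so the larger value wins — please confirm how the global setting is declared before choosing. The surrounding `boot.kernel.sysctl` attrset starts before this hunk.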
@@ -206,6 +206,11 @@ in systemd.user.sockets.podman.wantedBy = [ "sockets.target" ]; + systemd.timers.podman-prune.timerConfig = lib.mkIf cfg.autoPrune.enable { + Persistent = true; + RandomizedDelaySec = 1800; + }; + systemd.tmpfiles.packages = [ # The /run/podman rule interferes with our podman group, so we remove # it and let the systemd socket logic take care of it. diff --git a/nixos/modules/virtualisation/proxmox-image.nix b/nixos/modules/virtualisation/proxmox-image.nix index ad18d765594c0..1ea5434c84267 100644 --- a/nixos/modules/virtualisation/proxmox-image.nix +++ b/nixos/modules/virtualisation/proxmox-image.nix @@ -126,10 +126,12 @@ with lib; qemuExtraConf = mkOption { type = with types; attrsOf (oneOf [ str int ]); default = {}; - example = literalExpression ''{ - cpu = "host"; - onboot = 1; - }''; + example = literalExpression '' + { + cpu = "host"; + onboot = 1; + } + ''; description = lib.mdDoc '' Additional options appended to qemu-server.conf ''; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index f576676fa335c..d0a5ddd87ccf6 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -18,6 +18,8 @@ let qemu = cfg.qemu.package; + hostPkgs = cfg.host.pkgs; + consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles; driveOpts = { ... }: { @@ -84,9 +86,9 @@ let # Shell script to start the VM. startVM = '' - #! ${cfg.host.pkgs.runtimeShell} + #! ${hostPkgs.runtimeShell} - export PATH=${makeBinPath [ cfg.host.pkgs.coreutils ]}''${PATH:+:}$PATH + export PATH=${makeBinPath [ hostPkgs.coreutils ]}''${PATH:+:}$PATH set -e @@ -97,7 +99,7 @@ let local size=$2 local temp=$(mktemp) ${qemu}/bin/qemu-img create -f raw "$temp" "$size" - ${pkgs.e2fsprogs}/bin/mkfs.ext4 -L ${rootFilesystemLabel} "$temp" + ${hostPkgs.e2fsprogs}/bin/mkfs.ext4 -L ${rootFilesystemLabel} "$temp" ${qemu}/bin/qemu-img convert -f raw -O qcow2 "$temp" "$name" rm "$temp" } 
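Review bot: `Persistent = true` on the `podman-prune` timer makes a missed run fire shortly after boot (within the 1800 s random delay), which means a prune can race container services that have not yet started. If `cfg.autoPrune.flags` includes `--all` (the flags are defined elsewhere and not visible here), images belonging to containers that are not yet running could be removed and have to be re-pulled. Consider ordering the prune service after the container units, or at least documenting the trade-off, e.g. `# Persistent: catch up on a run missed while powered off; RandomizedDelaySec staggers it away from other boot-time jobs.` The timer's schedule and the `autoPrune` options are defined outside this hunk.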
@@ -142,17 +144,17 @@ let else '' ( cd ${builtins.storeDir} - ${pkgs.erofs-utils}/bin/mkfs.erofs \ + ${hostPkgs.erofs-utils}/bin/mkfs.erofs \ --force-uid=0 \ --force-gid=0 \ -L ${nixStoreFilesystemLabel} \ -U eb176051-bd15-49b7-9e6b-462e0b467019 \ -T 0 \ --exclude-regex="$( - <${pkgs.closureInfo { rootPaths = [ config.system.build.toplevel regInfo ]; }}/store-paths \ + <${hostPkgs.closureInfo { rootPaths = [ config.system.build.toplevel regInfo ]; }}/store-paths \ sed -e 's^.*/^^g' \ | cut -c -10 \ - | ${pkgs.python3}/bin/python ${./includes-to-excludes.py} )" \ + | ${hostPkgs.python3}/bin/python ${./includes-to-excludes.py} )" \ "$TMPDIR"/store.img \ . \ </dev/null >/dev/null @@ -164,6 +166,16 @@ let # Create a directory for exchanging data with the VM. mkdir -p "$TMPDIR/xchg" + ${lib.optionalString cfg.useHostCerts + '' + mkdir -p "$TMPDIR/certs" + if [ -e "$NIX_SSL_CERT_FILE" ]; then + cp -L "$NIX_SSL_CERT_FILE" "$TMPDIR"/certs/ca-certificates.crt + else + echo \$NIX_SSL_CERT_FILE should point to a valid file if virtualisation.useHostCerts is enabled. + fi + ''} + ${lib.optionalString cfg.useEFIBoot '' # Expose EFI variables, it's useful even when we are not using a bootloader (!). @@ -214,7 +226,7 @@ let ''; - regInfo = pkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; }; + regInfo = hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; }; # Use well-defined and persistent filesystem labels to identify block devices. rootFilesystemLabel = "nixos"; @@ -644,7 +656,7 @@ in package = mkOption { type = types.package; - default = cfg.host.pkgs.qemu_kvm; + default = hostPkgs.qemu_kvm; defaultText = literalExpression "config.virtualisation.host.pkgs.qemu_kvm"; example = literalExpression "pkgs.qemu_test"; description = lib.mdDoc "QEMU package to use."; @@ -875,7 +887,6 @@ in ''; }; - virtualisation.bios = mkOption { type = types.nullOr types.package; 
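Review bot: In the new `useHostCerts` block, when `$NIX_SSL_CERT_FILE` is unset or does not exist the `else` branch prints a message to stdout and the script carries on, so the VM boots with `$TMPDIR/certs` empty and, because this change also disables the guest's own CA bundle, with no trust roots at all; the message is also easy to miss among QEMU output. For an option the user explicitly enabled, failing fast is safer: `echo '$NIX_SSL_CERT_FILE must point to a CA bundle when virtualisation.useHostCerts is enabled' >&2` followed by `exit 1`. The `[ -e ]` test also accepts a directory or an unreadable file; `[ -f "$NIX_SSL_CERT_FILE" ] && [ -r "$NIX_SSL_CERT_FILE" ]` matches what `cp -L` actually needs. The `startVM` script starts before and continues after this hunk.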
@@ -888,6 +899,17 @@ in ''; }; + virtualisation.useHostCerts = + mkOption { + type = types.bool; + default = false; + description = + lib.mdDoc '' + If enabled, when `NIX_SSL_CERT_FILE` is set on the host, + pass the CA certificates from the host to the VM. + ''; + }; + }; config = { @@ -1022,8 +1044,14 @@ in source = ''"''${SHARED_DIR:-$TMPDIR/xchg}"''; target = "/tmp/shared"; }; + certs = mkIf cfg.useHostCerts { + source = ''"$TMPDIR"/certs''; + target = "/etc/ssl/certs"; + }; }; + security.pki.installCACerts = mkIf cfg.useHostCerts false; + virtualisation.qemu.networkingOptions = let forwardingOptions = flip concatMapStrings cfg.forwardPorts @@ -1180,14 +1208,14 @@ in services.qemuGuest.enable = cfg.qemu.guestAgent.enable; - system.build.vm = cfg.host.pkgs.runCommand "nixos-vm" { + system.build.vm = hostPkgs.runCommand "nixos-vm" { preferLocalBuild = true; meta.mainProgram = "run-${config.system.name}-vm"; } '' mkdir -p $out/bin ln -s ${config.system.build.toplevel} $out/system - ln -s ${cfg.host.pkgs.writeScript "run-nixos-vm" startVM} $out/bin/run-${config.system.name}-vm + ln -s ${hostPkgs.writeScript "run-nixos-vm" startVM} $out/bin/run-${config.system.name}-vm ''; # When building a regular system configuration, override whatever diff --git a/nixos/modules/virtualisation/vmware-guest.nix b/nixos/modules/virtualisation/vmware-guest.nix index b8f0a4cf668ef..6880a257c2be6 100644 --- a/nixos/modules/virtualisation/vmware-guest.nix +++ b/nixos/modules/virtualisation/vmware-guest.nix 
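Review bot: The `virtualisation.useHostCerts` description says only that host certificates are passed to the VM; it should also state the consequence made elsewhere in this change — the guest's generated CA store is turned off (`security.pki.installCACerts = false`) and `/etc/ssl/certs` is replaced by a share of the host bundle, so certificates configured through `security.pki` in the guest configuration appear to no longer take effect (please confirm against the pki module). Suggested addition: `The host bundle replaces the guest's generated CA store, so certificates configured via security.pki in the guest are ignored while this is enabled.` It is also worth saying that the trust store is whatever `NIX_SSL_CERT_FILE` points to on the host at VM start, not a build-time input. The enclosing options attrset continues outside this hunk.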
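Review bot: With `security.pki.installCACerts = mkIf cfg.useHostCerts false` and the `certs` share mounted over `/etc/ssl/certs`, the guest trust store is exactly the one `ca-certificates.crt` copied by the start script; NixOS normally also provides `ca-bundle.crt` and points `SSL_CERT_FILE`/`NIX_SSL_CERT_FILE` at the bundle, and I cannot see those being provided here, so guest programs that look for the other name or rely on the variables may find no CA store — please confirm. An assertion such as `{ assertion = cfg.useHostCerts -> (config.security.pki.certificates == [] && config.security.pki.certificateFiles == []); message = "virtualisation.useHostCerts replaces the guest CA store; security.pki.certificates/certificateFiles would be ignored"; }` would turn the silent override into a build error. Unless the share is mounted read-only (its mount options are not in this hunk), the guest can also rewrite the copied bundle under `$TMPDIR/certs`; that is host scratch data only, but a comment on the `certs` entry should say so: `# Shared copy of the host CA bundle; replaces the guest's security.pki store.` The `sharedDirectories` attrset starts before this hunk.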
@@ -24,12 +24,12 @@ in config = mkIf cfg.enable { assertions = [ { - assertion = pkgs.stdenv.hostPlatform.isx86; + assertion = pkgs.stdenv.hostPlatform.isx86 || pkgs.stdenv.hostPlatform.isAarch64; message = "VMWare guest is not currently supported on ${pkgs.stdenv.hostPlatform.system}"; } ]; boot.initrd.availableKernelModules = [ "mptspi" ]; - boot.initrd.kernelModules = [ "vmw_pvscsi" ]; + boot.initrd.kernelModules = lib.optionals pkgs.stdenv.hostPlatform.isx86 [ "vmw_pvscsi" ]; environment.systemPackages = [ open-vm-tools ]; |
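Review bot: The assertion now admits aarch64 guests, but only `vmw_pvscsi` was made x86-only while `boot.initrd.availableKernelModules = [ "mptspi" ]` stays unconditional; whether `mptspi` exists in aarch64 kernels and whether a missing entry in `availableKernelModules` is tolerated by the initrd build is not shown here, so either confirm it or guard it the same way: `boot.initrd.availableKernelModules = lib.optionals pkgs.stdenv.hostPlatform.isx86 [ "mptspi" ];`. The same question applies to `open-vm-tools`, which the assertion now promises is usable on aarch64 (its platform support is not visible in this hunk). If the file uses `with lib;` (the `mkIf` without a prefix suggests it does), bare `optionals` would match the existing style. The `config` attrset continues after this hunk.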