# NixOS module for running VirtualBox on the host: loads the kernel modules,
# sets device-node permissions via udev, optionally installs setuid wrappers
# (hardened mode) and, by default, brings up a vboxnet0 host-only interface.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.virtualisation.virtualbox.host;
  # VirtualBox built against the configured kernel; the hardening and headless
  # switches from the options below are passed straight through to the package.
  virtualbox = config.boot.kernelPackages.virtualbox.override {
    inherit (cfg) enableHardening headless;
  };

in

{
  options.virtualisation.virtualbox.host = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable VirtualBox.

        <note><para>
        In order to pass USB devices from the host to the guests, the user
        needs to be in the <literal>vboxusers</literal> group.
        </para></note>
      '';
    };

    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };

    # Security-relevant default: on, so that device access is funnelled through
    # fixed setuid binaries (see security.setuidOwners below).
    enableHardening = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.

        <important><para>
        Disabling this can put your system's security at risk, as local users
        in the vboxusers group can tamper with the VirtualBox device files.
        </para></important>
      '';
    };

    headless = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
        and when virtual machines are controlled only via SSH.
      '';
    };
  };

  config = mkIf cfg.enable (mkMerge [{
    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ virtualbox ];
    environment.systemPackages = [ virtualbox ];

    # Hardened mode: each listed frontend / network helper from the package's
    # libexec dir is installed as a setuid-root wrapper owned by group
    # vboxusers. Nothing is installed here when enableHardening is false.
    # NOTE(review): no explicit mode is given, so the effective permission bits
    # (and whether non-vboxusers can execute the wrappers) come from the
    # setuidOwners default -- confirm before relying on group restriction.
    security.setuidOwners = let
      mkSuid = program: {
        inherit program;
        source = "${virtualbox}/libexec/virtualbox/${program}";
        owner = "root";
        group = "vboxusers";
        setuid = true;
      };
    in mkIf cfg.enableHardening (map mkSuid [
      "VBoxHeadless"
      "VBoxNetAdpCtl"
      "VBoxNetDHCP"
      "VBoxNetNAT"
      "VBoxSDL"
      "VBoxVolInfo"
      "VirtualBox"
    ]);

    users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;

    # Device-node permissions and USB hotplug hooks.
    #  - vboxdrv and vboxnetctl: root:vboxusers, 0660 -- only group members
    #    (or the setuid wrappers above) can open them.
    #  - vboxdrvu: root:root, 0666 -- deliberately world-read/write.
    #    NOTE(review): presumably the unprivileged-client device; confirm this
    #    matches upstream's intent before tightening or loosening it.
    #  - USB add/remove events run the packaged VBoxCreateUSBNode.sh (as root,
    #    from udev) to create and remove per-device nodes; the script path is
    #    pinned to this package's store path.
    services.udev.extraRules =
      ''
        KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
        KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
        SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      '';

    # Since we lack the right setuid binaries, set up a host-only network by default.
  } (mkIf cfg.addNetworkInterface {
    # One-shot root service: creates vboxnet0 if /sys does not already show it,
    # and removes it again on stop. Ordered after the vboxnetctl device node,
    # which VBoxManage needs to talk to the driver.
    systemd.services."vboxnet0" =
      { description = "VirtualBox vboxnet0 Interface";
        requires = [ "dev-vboxnetctl.device" ];
        after = [ "dev-vboxnetctl.device" ];
        wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
        path = [ virtualbox ];
        serviceConfig.RemainAfterExit = true;
        serviceConfig.Type = "oneshot";
        # VBOX_USER_HOME is pointed at /tmp, so VBoxManage/VBoxSVC write their
        # state and VBoxSVC.log there as root. PrivateTmp gives this unit its
        # own /tmp, which is what keeps that safe against local users
        # pre-seeding files or symlinks in the shared /tmp -- keep both
        # settings together.
        serviceConfig.PrivateTmp = true;
        environment.VBOX_USER_HOME = "/tmp";
        script =
          ''
            if ! [ -e /sys/class/net/vboxnet0 ]; then
              VBoxManage hostonlyif create
              cat /tmp/VBoxSVC.log >&2
            fi
          '';
        postStop =
          ''
            VBoxManage hostonlyif remove vboxnet0
          '';
      };

    # Static host-side address for the host-only network.
    networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
    # Make sure NetworkManager won't assume this interface being up
    # means we have internet access.
    networking.networkmanager.unmanaged = ["vboxnet0"];
  })]);
}