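# NixOS module for the VirtualBox *host* side: loads the out-of-tree kernel
# modules, installs the package, creates the setuid-root wrappers used by the
# hardened build, ships the udev rules for the device nodes and (optionally)
# brings up the vboxnet0 host-only interface.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.virtualisation.virtualbox.host;

  # The package is rebuilt with the module's hardening/headless flags and,
  # when requested, with the (unfree) Oracle extension pack.
  virtualbox = cfg.package.override {
    inherit (cfg) enableHardening headless;
    extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
  };

  # Kernel modules built against the configured kernel, using the same
  # virtualbox package so userland and modules match.
  kernelModules = config.boot.kernelPackages.virtualbox.override {
    inherit virtualbox;
  };

in

{
  options.virtualisation.virtualbox.host = {
    enable = mkEnableOption "VirtualBox" // {
      description = ''
        Whether to enable VirtualBox.

        <note><para>
          In order to pass USB devices from the host to the guests, the user
          needs to be in the <literal>vboxusers</literal> group.
        </para></note>
      '';
    };

    enableExtensionPack = mkEnableOption "VirtualBox extension pack" // {
      description = ''
        Whether to install the Oracle Extension Pack for VirtualBox.

        <important><para>
          You must set <literal>nixpkgs.config.allowUnfree = true</literal> in
          order to use this. This requires you accept the VirtualBox PUEL.
        </para></important>
      '';
    };

    package = mkOption {
      type = types.package;
      default = pkgs.virtualbox;
      defaultText = "pkgs.virtualbox";
      description = ''
        Which VirtualBox package to use.
      '';
    };

    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };

    enableHardening = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.

        <important><para>
          Disabling this can put your system's security at risk, as local users
          in the vboxusers group can tamper with the VirtualBox device files.
        </para></important>
      '';
    };

    headless = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
        and when virtual machines are controlled only via SSH.
      '';
    };
  };

  config = mkIf cfg.enable (mkMerge [{
    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ kernelModules ];
    environment.systemPackages = [ virtualbox ];

    # Setuid-root wrappers for the hardened build. They are only installed
    # when hardening is on; the wrapper mode itself is left to the
    # security.wrappers defaults.
    security.wrappers = let
      mkSuid = program: {
        source = "${virtualbox}/libexec/virtualbox/${program}";
        owner = "root";
        group = "vboxusers";
        setuid = true;
      };
      # Binaries present in every build.
      executables = [
        "VBoxHeadless"
        "VBoxNetAdpCtl"
        "VBoxNetDHCP"
        "VBoxNetNAT"
        "VBoxVolInfo"
      ]
      # The GUI frontends are not part of a headless build (see the `headless`
      # option), so do not create setuid-root wrappers pointing at binaries
      # that are not there -- fewer setuid entry points, no dangling wrappers.
      ++ optionals (!cfg.headless) [ "VBoxSDL" "VirtualBox" ];
    in mkIf cfg.enableHardening (genAttrs executables mkSuid);

    users.groups.vboxusers.gid = config.ids.gids.vboxusers;

    # Device node permissions: vboxdrv and vboxnetctl are restricted to
    # root:vboxusers, while vboxdrvu (the unprivileged device) is
    # world-accessible.  NOTE(review): this split mirrors the rules VirtualBox
    # ships itself -- confirm against the package's own udev rules when
    # bumping the VirtualBox version.  The USB rules create/remove the
    # per-device nodes VirtualBox needs for USB passthrough.
    services.udev.extraRules =
      ''
        KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
        KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
        SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      '';

    # Since we lack the right setuid/setcap binaries, set up a host-only network by default
    # from a root-run oneshot service instead.
  } (mkIf cfg.addNetworkInterface {
    systemd.services."vboxnet0" =
      { description = "VirtualBox vboxnet0 Interface";
        # Needs the control device to exist before VBoxManage can talk to the driver.
        requires = [ "dev-vboxnetctl.device" ];
        after = [ "dev-vboxnetctl.device" ];
        wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
        path = [ virtualbox ];
        serviceConfig.RemainAfterExit = true;
        serviceConfig.Type = "oneshot";
        # VBoxManage keeps its state (and VBoxSVC.log, dumped to stderr below)
        # under VBOX_USER_HOME; point that at a private /tmp so nothing is
        # shared with other users of the host.
        serviceConfig.PrivateTmp = true;
        environment.VBOX_USER_HOME = "/tmp";
        script =
          ''
            if ! [ -e /sys/class/net/vboxnet0 ]; then
              VBoxManage hostonlyif create
              cat /tmp/VBoxSVC.log >&2
            fi
          '';
        postStop =
          ''
            VBoxManage hostonlyif remove vboxnet0
          '';
      };

    networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }];
    # Make sure NetworkManager won't assume this interface being up
    # means we have internet access.
    networking.networkmanager.unmanaged = ["vboxnet0"];
  })]);
}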