{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.virtualisation.virtualbox.host;

  # The host package, built with the hardening / GUI / web-service knobs taken
  # from `cfg`.  The Oracle extension pack is only linked in when explicitly
  # requested, because it is unfree and needs allowUnfree.
  virtualbox = cfg.package.override {
    inherit (cfg) enableHardening headless enableWebService;
    extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
  };

  # Out-of-tree kernel modules built against the very same `virtualbox`
  # derivation, so the module and the userspace side cannot drift apart.
  vboxKernelModules = config.boot.kernelPackages.virtualbox.override {
    inherit virtualbox;
  };

  # Under hardening only these binaries get root via a setuid wrapper, and the
  # wrapper is executable by the `vboxusers` group alone.  Every other user on
  # the host is kept away from the privileged device nodes below.
  suidPrograms = [
    "VBoxHeadless"
    "VBoxNetAdpCtl"
    "VBoxNetDHCP"
    "VBoxNetNAT"
    "VBoxSDL"
    "VBoxVolInfo"
    "VirtualBoxVM"
  ];

  # Builds the `security.wrappers` entry for one program out of the store path
  # of the selected VirtualBox package.
  suidWrapperFor = program: {
    source = "${virtualbox}/libexec/virtualbox/${program}";
    owner = "root";
    group = "vboxusers";
    setuid = true;
  };

  # Everything that applies as soon as the host module is enabled.
  baseConfig = {
    # The old nixpkgs-level knob is silently ignored; tell the user where the
    # option moved to instead of letting the pack just not show up.
    warnings = mkIf (config.nixpkgs.config.virtualbox.enableExtensionPack or false)
      ["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"];

    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ vboxKernelModules ];
    environment.systemPackages = [ virtualbox ];

    # Without hardening no wrappers are installed at all; access to the device
    # nodes then rests solely on the udev group/mode rules further down.
    security.wrappers = mkIf cfg.enableHardening
      (genAttrs suidPrograms suidWrapperFor);

    users.groups.vboxusers.gid = config.ids.gids.vboxusers;

    # Device-node ownership: vboxdrv and vboxnetctl are restricted to the
    # vboxusers group (0660), while vboxdrvu is deliberately left world
    # read/write (0666).  The USB rules run VBoxCreateUSBNode.sh out of the
    # store on every USB add/remove so the guest USB passthrough nodes exist.
    services.udev.extraRules =
      ''
        KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
        KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
        SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      '';
  };

  # Since we lack the right setuid/setcap binaries, set up a host-only network by default.
  hostOnlyNetwork = {
    systemd.services.vboxnet0 = {
      description = "VirtualBox vboxnet0 Interface";
      requires = [ "dev-vboxnetctl.device" ];
      after = [ "dev-vboxnetctl.device" ];
      wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
      path = [ virtualbox ];
      serviceConfig.RemainAfterExit = true;
      serviceConfig.Type = "oneshot";
      # VBoxSVC state (and its log, dumped on failure) lives under the
      # service's private /tmp rather than a shared, world-writable one.
      serviceConfig.PrivateTmp = true;
      environment.VBOX_USER_HOME = "/tmp";
      # Only create the interface when it does not exist yet; the unit is
      # RemainAfterExit so a re-run after reboot is the normal case.
      script =
        ''
          if ! [ -e /sys/class/net/vboxnet0 ]; then
            VBoxManage hostonlyif create
            cat /tmp/VBoxSVC.log >&2
          fi
        '';
      postStop =
        ''
          VBoxManage hostonlyif remove vboxnet0
        '';
    };

    # Host side of the host-only network; guests attached to vboxnet0 are
    # expected in the same /24.
    networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }];
    # Make sure NetworkManager won't assume this interface being up
    # means we have internet access.
    networking.networkmanager.unmanaged = ["vboxnet0"];
  };

  # Same intent as the NetworkManager exclusion, for systemd-networkd hosts:
  # a missing vboxnet0 must not hold back network-online.target.
  networkdLink = {
    systemd.network.networks."40-vboxnet0".extraConfig = ''
      [Link]
      RequiredForOnline=no
    '';
  };

in

{
  options.virtualisation.virtualbox.host = {
    enable = mkEnableOption "VirtualBox" // {
      description = ''
        Whether to enable VirtualBox.

        <note><para>
        In order to pass USB devices from the host to the guests, the user
        needs to be in the <literal>vboxusers</literal> group.
        </para></note>
      '';
    };

    enableExtensionPack = mkEnableOption "VirtualBox extension pack" // {
      description = ''
        Whether to install the Oracle Extension Pack for VirtualBox.

        <important><para>
        You must set <literal>nixpkgs.config.allowUnfree = true</literal> in
        order to use this. This requires you accept the VirtualBox PUEL.
        </para></important>
      '';
    };

    package = mkOption {
      type = types.package;
      default = pkgs.virtualbox;
      defaultText = literalExpression "pkgs.virtualbox";
      description = ''
        Which VirtualBox package to use.
      '';
    };

    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };

    # Security-relevant default: keep this on unless every member of
    # vboxusers is trusted with the raw device nodes.
    enableHardening = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.

        <important><para>
        Disabling this can put your system's security at risk, as local users
        in the vboxusers group can tamper with the VirtualBox device files.
        </para></important>
      '';
    };

    headless = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
        and when virtual machines are controlled only via SSH.
      '';
    };

    # Off by default: vboxwebsrv exposes VM management over the network and
    # should only be built where that is wanted.
    enableWebService = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.
      '';
    };
  };

  # The three pieces are merged with ordinary option priority; the host-only
  # network and the networkd link tweak are each gated on their own flag.
  config = mkIf cfg.enable (mkMerge [
    baseConfig
    (mkIf cfg.addNetworkInterface hostOnlyNetwork)
    (mkIf config.networking.useNetworkd networkdLink)
  ]);
}