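# NixOS module: VirtualBox host support.
#
# Builds VirtualBox and its kernel modules from the options declared below,
# hands the kernel device nodes to the `vboxusers` group via udev, installs
# setuid-root wrappers when hardening is enabled, and (by default) brings up
# the vboxnet0 host-only interface at boot.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.virtualisation.virtualbox.host;

  # Rebuild the selected package with the user's feature flags so that the
  # kernel modules, wrappers and udev rules below all refer to one derivation.
  virtualbox = cfg.package.override {
    inherit (cfg) enableHardening headless enableWebService;
    extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
  };

  # The out-of-tree modules must be built against exactly that derivation.
  kernelModules = config.boot.kernelPackages.virtualbox.override {
    inherit virtualbox;
  };
in

{
  options.virtualisation.virtualbox.host = {
    enable = mkEnableOption (lib.mdDoc "VirtualBox") // {
      description = lib.mdDoc ''
        Whether to enable VirtualBox.

        ::: {.note}
        In order to pass USB devices from the host to the guests, the user
        needs to be in the `vboxusers` group.
        :::
      '';
    };

    enableExtensionPack = mkEnableOption (lib.mdDoc "VirtualBox extension pack") // {
      description = lib.mdDoc ''
        Whether to install the Oracle Extension Pack for VirtualBox.

        ::: {.important}
        You must set `nixpkgs.config.allowUnfree = true` in
        order to use this. This requires you accept the VirtualBox PUEL.
        :::
      '';
    };

    package = mkOption {
      type = types.package;
      default = pkgs.virtualbox;
      defaultText = literalExpression "pkgs.virtualbox";
      description = lib.mdDoc ''
        Which VirtualBox package to use.
      '';
    };

    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = lib.mdDoc ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };

    enableHardening = mkOption {
      type = types.bool;
      default = true;
      description = lib.mdDoc ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.

        ::: {.important}
        Disabling this can put your system's security at risk, as local users
        in the vboxusers group can tamper with the VirtualBox device files.
        :::
      '';
    };

    headless = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
        and when virtual machines are controlled only via SSH.
      '';
    };

    enableWebService = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.
      '';
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      # The nixpkgs-level switch is read here only to warn; the option path in
      # the message matches the attribute actually checked (`nixpkgs.config...`).
      warnings = mkIf (config.nixpkgs.config.virtualbox.enableExtensionPack or false)
        [ "'nixpkgs.config.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'" ];

      boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
      boot.extraModulePackages = [ kernelModules ];
      environment.systemPackages = [ virtualbox ];

      # With hardening on, the VirtualBox frontends are installed as setuid-root
      # wrappers owned root:vboxusers. Without hardening no wrappers exist and
      # access is governed solely by the device permissions in the udev rules
      # below. NOTE(review): the wrapper's default file mode (not set here)
      # decides whether users outside vboxusers can execute them — confirm.
      security.wrappers = let
        mkSuid = program: {
          source = "${virtualbox}/libexec/virtualbox/${program}";
          owner = "root";
          group = "vboxusers";
          setuid = true;
        };
        # The GUI frontends only exist in the non-headless package.
        executables = [
          "VBoxHeadless"
          "VBoxNetAdpCtl"
          "VBoxNetDHCP"
          "VBoxNetNAT"
          "VBoxVolInfo"
        ] ++ (lib.optionals (!cfg.headless) [
          "VBoxSDL"
          "VirtualBoxVM"
        ]);
      in mkIf cfg.enableHardening (lib.genAttrs executables mkSuid);

      users.groups.vboxusers.gid = config.ids.gids.vboxusers;

      # vboxdrv and vboxnetctl are 0660 root:vboxusers, so only group members
      # can reach the privileged driver and network-control nodes. vboxdrvu is
      # 0666 root:root, i.e. usable by every local user. NOTE(review): that is
      # believed to mirror upstream VirtualBox's own rule for its unprivileged
      # device node; confirm against the rules shipped with the selected
      # package before tightening it. The USB rules invoke the upstream helper
      # script (as root, like every udev RUN+= program) on each hotplug event.
      services.udev.extraRules = ''
        KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
        KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
        SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      '';
    }

    # Since we lack the right setuid/setcap binaries, set up a host-only network by default.
    (mkIf cfg.addNetworkInterface {
      systemd.services.vboxnet0 = {
        description = "VirtualBox vboxnet0 Interface";
        # /dev/vboxnetctl carries TAG+="systemd" above, so the unit can order
        # itself after the device unit instead of racing the module load.
        requires = [ "dev-vboxnetctl.device" ];
        after = [ "dev-vboxnetctl.device" ];
        wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
        path = [ virtualbox ];
        serviceConfig.RemainAfterExit = true;
        serviceConfig.Type = "oneshot";
        # VBOX_USER_HOME points at /tmp, and PrivateTmp makes that a per-unit
        # directory rather than the shared /tmp, so VBoxSVC's state and its log
        # are not exposed to (or writable by) other local users.
        serviceConfig.PrivateTmp = true;
        environment.VBOX_USER_HOME = "/tmp";
        # The `cat` dumps the VBoxSVC log into the journal right after the
        # create call, which is where a failed interface creation is explained.
        script = ''
          if ! [ -e /sys/class/net/vboxnet0 ]; then
            VBoxManage hostonlyif create
            cat /tmp/VBoxSVC.log >&2
          fi
        '';
        postStop = ''
          VBoxManage hostonlyif remove vboxnet0
        '';
      };

      networking.interfaces.vboxnet0.ipv4.addresses = [ { address = "192.168.56.1"; prefixLength = 24; } ];
      # Make sure NetworkManager won't assume this interface being up
      # means we have internet access.
      networking.networkmanager.unmanaged = [ "vboxnet0" ];
    })

    # Applied whenever networkd is in use, independent of addNetworkInterface,
    # so a vboxnet0 created some other way is also excluded from the
    # "online" check.
    (mkIf config.networking.useNetworkd {
      systemd.network.networks."40-vboxnet0".extraConfig = ''
        [Link]
        RequiredForOnline=no
      '';
    })
  ]);
}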