pyrox.dev
1{ config, pkgs, lib, ... }:
2{
3 options.virtualisation.spiceUSBRedirection.enable = lib.mkOption {
4 type = lib.types.bool;
5 default = false;
6 description = ''
7 Install the SPICE USB redirection helper with setuid
8 privileges. This allows unprivileged users to pass USB devices
9 connected to this machine to libvirt VMs, both local and
10 remote. Note that this allows users arbitrary access to USB
11 devices.
12 '';
13 };
14
15 config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
16 environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
17 security.wrappers.spice-client-glib-usb-acl-helper = {
18 owner = "root";
19 group = "root";
20 capabilities = "cap_fowner+ep";
21 source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
22 };
23 };
24
25 meta.maintainers = [ lib.maintainers.lheckemann ];
26}