| blob | 9741ea090f7974a0d1d60df66ebd10346c8ba679 |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.virtualisation.virtualbox.host;
8 virtualbox = cfg.package.override {
9 inherit (cfg) enableHardening headless enableWebService;
10 extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
11 };
13 kernelModules = config.boot.kernelPackages.virtualbox.override {
14 inherit virtualbox;
15 };
17 in
19 {
20 options.virtualisation.virtualbox.host = {
21 enable = mkEnableOption (lib.mdDoc "VirtualBox") // {
22 description = lib.mdDoc ''
23 Whether to enable VirtualBox.
25 ::: {.note}
26 In order to pass USB devices from the host to the guests, the user
27 needs to be in the `vboxusers` group.
28 :::
29 '';
30 };
32 enableExtensionPack = mkEnableOption (lib.mdDoc "VirtualBox extension pack") // {
33 description = lib.mdDoc ''
34 Whether to install the Oracle Extension Pack for VirtualBox.
36 ::: {.important}
37 You must set `nixpkgs.config.allowUnfree = true` in
38 order to use this. This requires you accept the VirtualBox PUEL.
39 :::
40 '';
41 };
43 package = mkOption {
44 type = types.package;
45 default = pkgs.virtualbox;
46 defaultText = literalExpression "pkgs.virtualbox";
47 description = lib.mdDoc ''
48 Which VirtualBox package to use.
49 '';
50 };
52 addNetworkInterface = mkOption {
53 type = types.bool;
54 default = true;
55 description = lib.mdDoc ''
56 Automatically set up a vboxnet0 host-only network interface.
57 '';
58 };
60 enableHardening = mkOption {
61 type = types.bool;
62 default = true;
63 description = lib.mdDoc ''
64 Enable hardened VirtualBox, which ensures that only the binaries in the
65 system path get access to the devices exposed by the kernel modules
66 instead of all users in the vboxusers group.
68 ::: {.important}
69 Disabling this can put your system's security at risk, as local users
70 in the vboxusers group can tamper with the VirtualBox device files.
71 :::
72 '';
73 };
75 headless = mkOption {
76 type = types.bool;
77 default = false;
78 description = lib.mdDoc ''
79 Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
80 and when virtual machines are controlled only via SSH.
81 '';
82 };
84 enableWebService = mkOption {
85 type = types.bool;
86 default = false;
87 description = lib.mdDoc ''
88 Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.
89 '';
90 };
91 };
93 config = mkIf cfg.enable (mkMerge [{
94 warnings = mkIf (pkgs.config.virtualbox.enableExtensionPack or false)
95 ["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"];
96 boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
97 boot.extraModulePackages = [ kernelModules ];
98 environment.systemPackages = [ virtualbox ];
100 security.wrappers = let
101 mkSuid = program: {
102 source = "${virtualbox}/libexec/virtualbox/${program}";
103 owner = "root";
104 group = "vboxusers";
105 setuid = true;
106 };
107 executables = [
108 "VBoxHeadless"
109 "VBoxNetAdpCtl"
110 "VBoxNetDHCP"
111 "VBoxNetNAT"
112 "VBoxVolInfo"
113 ] ++ (lib.optionals (!cfg.headless) [
114 "VBoxSDL"
115 "VirtualBoxVM"
116 ]);
117 in mkIf cfg.enableHardening
118 (builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) executables));
120 users.groups.vboxusers.gid = config.ids.gids.vboxusers;
122 services.udev.extraRules =
123 ''
124 KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
125 KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
126 KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
127 SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
128 SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
129 SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
130 SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
131 '';
133 # Since we lack the right setuid/setcap binaries, set up a host-only network by default.
134 } (mkIf cfg.addNetworkInterface {
135 systemd.services.vboxnet0 =
136 { description = "VirtualBox vboxnet0 Interface";
137 requires = [ "dev-vboxnetctl.device" ];
138 after = [ "dev-vboxnetctl.device" ];
139 wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
140 path = [ virtualbox ];
141 serviceConfig.RemainAfterExit = true;
142 serviceConfig.Type = "oneshot";
143 serviceConfig.PrivateTmp = true;
144 environment.VBOX_USER_HOME = "/tmp";
145 script =
146 ''
147 if ! [ -e /sys/class/net/vboxnet0 ]; then
148 VBoxManage hostonlyif create
149 cat /tmp/VBoxSVC.log >&2
150 fi
151 '';
152 postStop =
153 ''
154 VBoxManage hostonlyif remove vboxnet0
155 '';
156 };
158 networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }];
159 # Make sure NetworkManager won't assume this interface being up
160 # means we have internet access.
161 networking.networkmanager.unmanaged = ["vboxnet0"];
162 }) (mkIf config.networking.useNetworkd {
163 systemd.network.networks."40-vboxnet0".extraConfig = ''
164 [Link]
165 RequiredForOnline=no
166 '';
167 })
169 ]);
170 }