clan-munix/nixosModules/default.nix

{
  self,
  virtwl,
  sidebus,
}:
{
  pkgs,
  lib,
  utils,
  config,
  ...
}:
let
  useTTY = {
    TTYPath = "/dev/hvc0";
    StandardOutput = "tty";
    StandardInput = "tty";
    StandardError = "tty";
  };
  runtimeDir = "/run/vm-user";
  system = pkgs.stdenv.hostPlatform.system;
in
{
  options.virtualisation.munix.defaultCommand = lib.mkOption {
    type = lib.types.str;
    default = "bash";
    description = "Default command to run when starting the VM without arguments.";
  };

  config = {
    boot.isContainer = true;
    fileSystems."/".device = lib.mkDefault "/dev/sda"; # dummy

    # Disable unused things
    environment.defaultPackages = lib.mkDefault [ ];
    documentation = {
      enable = lib.mkDefault false;
      doc.enable = lib.mkDefault false;
      info.enable = lib.mkDefault false;
      man.enable = lib.mkDefault false;
      nixos.enable = lib.mkDefault false;
    };
    services.logrotate.enable = false;
    services.udisks2.enable = false;
    system.tools.nixos-generate-config.enable = false;
    system.activationScripts.specialfs = lib.mkForce "";
    systemd.coredump.enable = false;
    networking.firewall.enable = false;
    powerManagement.enable = false;
    boot.kexec.enable = false;
    console.enable = false;

    # Configure activation / systemd
    boot.initrd.systemd.enable = true; # for etc.overlay, but we don't have initrd
    system.etc.overlay.enable = true; # erofs
    system.etc.overlay.mutable = false;
    system.switch.enable = false;
    services.udev.enable = lib.mkDefault true;
    services.udev.packages = lib.mkDefault [ ];
    services.resolved.enable = false;
    environment.etc."resolv.conf".source = "/run/resolv.conf";
    environment.etc."machine-id".source = "/run/machine-id";
    environment.etc."systemd/system".source = lib.mkForce (
      utils.systemdUtils.lib.generateUnits {
        type = "system";
        units = config.systemd.units;
        upstreamUnits = [
          "sysinit.target"
          "local-fs.target"
          "nss-user-lookup.target"
          "umount.target"
          "sockets.target"
          "shutdown.target"
          "reboot.target"
          "exit.target"
          "final.target"
          "systemd-exit.service"
          "systemd-journald.socket"
          "systemd-journald-audit.socket"
          "systemd-journald-dev-log.socket"
          "systemd-journald.service"
          "systemd-udevd-kernel.socket"
          "systemd-udevd-control.socket"
          "user.slice"
        ];
        upstreamWants = [ "multi-user.target.wants" ];
      }
    );

    # systemd.package = pkgs.systemdMinimal; # no analyze
    systemd.defaultUnit = "microvm.target";
    systemd.targets.microvm = {
      description = "Minimal microVM system";
      wants = [
        "systemd-journald.socket"
        "systemd-udevd.service"
        "dbus.socket"
      ];
      unitConfig.AllowIsolate = "yes";
    };
    systemd.services.generate-shutdown-ramfs.enable = lib.mkForce false;
    systemd.services.systemd-remount-fs.enable = lib.mkForce false;
    systemd.services.systemd-pstore.enable = lib.mkForce false;
    systemd.services.lastlog2-import.enable = lib.mkForce false;
    systemd.services.suid-sgid-wrappers.enable = lib.mkForce false;
    systemd.services.systemd-udevd = {
      # Redefine to remove the Before deps and get out of the critical chain
      enable = true;
      description = "Rule-based Manager for Device Events and Files";
      unitConfig.DefaultDependencies = "no";
      serviceConfig = {
        CapabilityBoundingSet = "~CAP_SYS_TIME CAP_WAKE_ALARM";
        Delegate = "";
        DelegateSubgroup = "udev";
        Type = "notify-reload";
        OOMScoreAdjust = "-1000";
        Sockets = "systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udevd-varlink.socket";
        Restart = "always";
        RestartSec = "0";
        ExecStart = "${pkgs.systemd}/lib/systemd/systemd-udevd";
        FileDescriptorStoreMax = "512";
        FileDescriptorStorePreserve = "yes";
        KillMode = "mixed";
        TasksMax = "infinity";
        PrivateMounts = "yes";
        ProtectHostname = "yes";
        MemoryDenyWriteExecute = "yes";
        RestrictAddressFamilies = "AF_UNIX AF_NETLINK AF_INET AF_INET6";
        RestrictRealtime = "yes";
        RestrictSUIDSGID = "yes";
        SystemCallFilter = [
          "@system-service @module @raw-io bpf"
          "~@clock"
        ];
        SystemCallErrorNumber = "EPERM";
        SystemCallArchitectures = "native";
        LockPersonality = "yes";
        IPAddressDeny = "any";
        WatchdogSec = "3min";
      };
    };

    # Configure user accounts
    systemd.sysusers.enable = false;
    services.userborn.enable = true;
    services.userborn.static = true;
    users.mutableUsers = false;
    users.users.appvm = {
      uid = 1337;
      group = "appvm";
      isNormalUser = false;
      isSystemUser = true;
      home = "/home/appvm";
      description = "microVM User";
      shell = pkgs.bash; # not nologin, despite being a "system" user
      extraGroups = [
        "wheel"
        "video"
        "input"
        "systemd-journal"
      ];
    };
    users.groups.appvm.gid = 1337;
    users.allowNoPasswordLogin = true;

    # Configure services

    systemd.settings.Manager.DefaultEnvironment = "XDG_RUNTIME_DIR=${runtimeDir}";

    systemd.services.muvm-remote = {
      enable = true;
      description = "microVM Application runner";
      onFailure = [ "exit.target" ];
      onSuccess = [ "exit.target" ];
      wants = [ "sockets.target" ];
      after = [ "sockets.target" ];
      wantedBy = [ "microvm.target" ];
      serviceConfig = {
        Type = "exec";
        PassEnvironment = [
          "TERM"
          "MESA_LOADER_DRIVER_OVERRIDE"
          "MUVM_REMOTE_CONFIG"
        ]; # "KRUN_CONFIG"];
        Environment = [
          "WAYLAND_DISPLAY=wayland-1"
          "DBUS_SESSION_BUS_ADDRESS=unix:path=${runtimeDir}/dbus.sock"
          "PATH=/run/current-system/sw/bin"
        ];
        User = "appvm";
        Group = "appvm";
        ExecStartPre = "+/run/current-system/sw/bin/chown appvm:appvm ${runtimeDir}";
        ExecStart = "/opt/bin/muvm-remote";
        ExecStopPost = ''+${pkgs.python3}/bin/python -c "import os,fcntl,struct;print(os.getenv('EXIT_STATUS', '1'));fcntl.ioctl(os.open('/', os.O_RDONLY), 0x7602, int(os.getenv('EXIT_STATUS', '1')))"'';
      }
      // useTTY;
    };

    systemd.services.muvm-configure-network = {
      enable = true;
      description = "microVM Network configuration";
      wantedBy = [ "microvm.target" ];
      serviceConfig.Type = "oneshot";
      serviceConfig.ExecStart = "/opt/bin/muvm-configure-network";
    };

    systemd.sockets.muvm-pwbridge = {
      enable = true;
      description = "PipeWire cross-domain proxy socket";
      wantedBy = [ "microvm.target" ];
      partOf = [ "muvm-pwbridge.service" ];
      listenStreams = [ "${runtimeDir}/pipewire-0" ];
      socketConfig = {
        SocketUser = "appvm";
        SocketGroup = "appvm";
      };
    };
    systemd.services.muvm-pwbridge = {
      enable = true;
      description = "PipeWire cross-domain proxy";
      requires = [ "muvm-pwbridge.socket" ];
      serviceConfig.Type = "exec";
      serviceConfig.ExecStart = "/opt/bin/muvm-pwbridge";
    };

    systemd.sockets.wayland-proxy-virtwl = {
      enable = true;
      description = "Wayland cross-domain proxy socket";
      wantedBy = [ "microvm.target" ];
      partOf = [ "wayland-proxy-virtwl.service" ];
      listenStreams = [ "${runtimeDir}/wayland-1" ];
      socketConfig = {
        SocketUser = "appvm";
        SocketGroup = "appvm";
        FileDescriptorName = "wayland";
      };
    };
    systemd.services.wayland-proxy-virtwl = {
      enable = true;
      description = "Wayland cross-domain proxy";
      requires = [ "wayland-proxy-virtwl.socket" ];
      serviceConfig = {
        ExecStartPre = "+/run/current-system/sw/bin/chmod 0666 /dev/dri/card0 /dev/dri/renderD128";
        ExecStart = "${virtwl.packages.${system}.proxy}/bin/wayland-proxy-virtwl --virtio-gpu";
        User = "appvm";
        Group = "appvm";
      };
    };

    systemd.sockets.session-bus = {
      enable = true;
      description = "D-Bus session bus socket";
      wantedBy = [ "microvm.target" ];
      partOf = [ "session-bus.service" ];
      listenStreams = [ "${runtimeDir}/dbus.sock" ];
      socketConfig = {
        SocketUser = "appvm";
        SocketGroup = "appvm";
      };
    };
    systemd.services.session-bus = {
      enable = true;
      description = "D-Bus session bus";
      requires = [ "session-bus.socket" ];
      serviceConfig = {
        ExecStart = "${pkgs.dbus}/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --syslog-only"; # no systemd activation, we don't run a *session* systemd
        User = "appvm";
        Group = "appvm";
      };
    };
    systemd.services.sidebus-agent = {
      enable = true;
      description = "D-Bus session bus";
      wantedBy = ["microvm.target"];
      requires = ["session-bus.socket" "session-bus.service"];
      after = ["session-bus.service"];
      serviceConfig = {
        ImportCredential = "sidebus.port";
        Environment = ["DBUS_SESSION_BUS_ADDRESS=unix:path=${runtimeDir}/dbus.sock"];
        ExecStart = "${sidebus.packages.${system}.sidebus-agent}/bin/sidebus-agent";
        User = "appvm";
        Group = "appvm";
      };
    };

    hardware.graphics.enable = true;
    hardware.graphics.package = self.packages.${system}.mesa;

    system.build.munix = pkgs.symlinkJoin {
      name = "munix";
      paths = [ self.packages.${system}.munix ];
      buildInputs = [ pkgs.makeWrapper ];
      postBuild = ''
        wrapProgram $out/bin/munix \
          --add-flags ${config.system.build.toplevel} \
          --set MICROVM_DEFAULT_COMMAND ${lib.escapeShellArg config.virtualisation.munix.defaultCommand}
      '';
    };
  };
}
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`{`
			`self,`
			`virtwl,`
			`sidebus,`
			`}:`
			`{`
			`pkgs,`
			`lib,`
			`utils,`
			`config,`
			`...`
			`}:`
			`let`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00			`useTTY = {`
			`TTYPath = "/dev/hvc0";`
			`StandardOutput = "tty";`
			`StandardInput = "tty";`
			`StandardError = "tty";`
			`};`
			`runtimeDir = "/run/vm-user";`
nix: replace pkgs.system with pkgs.stdenv.hostPlatform.system evaluation warning: ‘system’ has been renamed to/replaced by ‘stdenv.hostPlatform.system’ 2025-12-04 07:24:51 -03:00			`system = pkgs.stdenv.hostPlatform.system;`
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`in`
			`{`
			`options.virtualisation.munix.defaultCommand = lib.mkOption {`
			`type = lib.types.str;`
			`default = "bash";`
			`description = "Default command to run when starting the VM without arguments.";`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00			`};`

nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`config = {`
			`boot.isContainer = true;`
			`fileSystems."/".device = lib.mkDefault "/dev/sda"; # dummy`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`# Disable unused things`
			`environment.defaultPackages = lib.mkDefault [ ];`
			`documentation = {`
			`enable = lib.mkDefault false;`
			`doc.enable = lib.mkDefault false;`
			`info.enable = lib.mkDefault false;`
			`man.enable = lib.mkDefault false;`
			`nixos.enable = lib.mkDefault false;`
systemd: get udevd out of the critical chain We don't need to wait for it at all 2025-12-04 23:48:17 -03:00			`};`
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`services.logrotate.enable = false;`
			`services.udisks2.enable = false;`
			`system.tools.nixos-generate-config.enable = false;`
			`system.activationScripts.specialfs = lib.mkForce "";`
			`systemd.coredump.enable = false;`
			`networking.firewall.enable = false;`
			`powerManagement.enable = false;`
			`boot.kexec.enable = false;`
			`console.enable = false;`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`# Configure activation / systemd`
			`boot.initrd.systemd.enable = true; # for etc.overlay, but we don't have initrd`
			`system.etc.overlay.enable = true; # erofs`
			`system.etc.overlay.mutable = false;`
			`system.switch.enable = false;`
			`services.udev.enable = lib.mkDefault true;`
			`services.udev.packages = lib.mkDefault [ ];`
			`services.resolved.enable = false;`
			`environment.etc."resolv.conf".source = "/run/resolv.conf";`
			`environment.etc."machine-id".source = "/run/machine-id";`
			`environment.etc."systemd/system".source = lib.mkForce (`
			`utils.systemdUtils.lib.generateUnits {`
			`type = "system";`
			`units = config.systemd.units;`
			`upstreamUnits = [`
			`"sysinit.target"`
			`"local-fs.target"`
			`"nss-user-lookup.target"`
			`"umount.target"`
			`"sockets.target"`
			`"shutdown.target"`
			`"reboot.target"`
			`"exit.target"`
			`"final.target"`
			`"systemd-exit.service"`
			`"systemd-journald.socket"`
			`"systemd-journald-audit.socket"`
			`"systemd-journald-dev-log.socket"`
			`"systemd-journald.service"`
			`"systemd-udevd-kernel.socket"`
			`"systemd-udevd-control.socket"`
			`"user.slice"`
			`];`
			`upstreamWants = [ "multi-user.target.wants" ];`
			`}`
			`);`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`# systemd.package = pkgs.systemdMinimal; # no analyze`
			`systemd.defaultUnit = "microvm.target";`
			`systemd.targets.microvm = {`
			`description = "Minimal microVM system";`
			`wants = [`
			`"systemd-journald.socket"`
			`"systemd-udevd.service"`
			`"dbus.socket"`
Add sidebus integration 2025-11-14 06:20:44 -03:00			`];`
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`unitConfig.AllowIsolate = "yes";`
			`};`
			`systemd.services.generate-shutdown-ramfs.enable = lib.mkForce false;`
			`systemd.services.systemd-remount-fs.enable = lib.mkForce false;`
			`systemd.services.systemd-pstore.enable = lib.mkForce false;`
			`systemd.services.lastlog2-import.enable = lib.mkForce false;`
			`systemd.services.suid-sgid-wrappers.enable = lib.mkForce false;`
			`systemd.services.systemd-udevd = {`
			`# Redefine to remove the Before deps and get out of the critical chain`
			`enable = true;`
			`description = "Rule-based Manager for Device Events and Files";`
			`unitConfig.DefaultDependencies = "no";`
			`serviceConfig = {`
			`CapabilityBoundingSet = "~CAP_SYS_TIME CAP_WAKE_ALARM";`
			`Delegate = "";`
			`DelegateSubgroup = "udev";`
			`Type = "notify-reload";`
			`OOMScoreAdjust = "-1000";`
			`Sockets = "systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udevd-varlink.socket";`
			`Restart = "always";`
			`RestartSec = "0";`
			`ExecStart = "${pkgs.systemd}/lib/systemd/systemd-udevd";`
			`FileDescriptorStoreMax = "512";`
			`FileDescriptorStorePreserve = "yes";`
			`KillMode = "mixed";`
			`TasksMax = "infinity";`
			`PrivateMounts = "yes";`
			`ProtectHostname = "yes";`
			`MemoryDenyWriteExecute = "yes";`
			`RestrictAddressFamilies = "AF_UNIX AF_NETLINK AF_INET AF_INET6";`
			`RestrictRealtime = "yes";`
			`RestrictSUIDSGID = "yes";`
			`SystemCallFilter = [`
			`"@system-service @module @raw-io bpf"`
			`"~@clock"`
			`];`
			`SystemCallErrorNumber = "EPERM";`
			`SystemCallArchitectures = "native";`
			`LockPersonality = "yes";`
			`IPAddressDeny = "any";`
			`WatchdogSec = "3min";`
			`};`
			`};`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`# Configure user accounts`
			`systemd.sysusers.enable = false;`
			`services.userborn.enable = true;`
nix: use static userborn as it's upstream now 2026-01-29 23:26:36 -03:00			`services.userborn.static = true;`
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`users.mutableUsers = false;`
			`users.users.appvm = {`
			`uid = 1337;`
			`group = "appvm";`
			`isNormalUser = false;`
			`isSystemUser = true;`
			`home = "/home/appvm";`
			`description = "microVM User";`
nixos: set shell for appvm user Surprisingly, gdb of all things uses the login shell from /etc/passwd to launch the program under test, so I was seeing the "This account is currently not available" message there. 2025-12-18 04:29:53 -03:00			`shell = pkgs.bash; # not nologin, despite being a "system" user`
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`extraGroups = [`
			`"wheel"`
			`"video"`
			`"input"`
			`"systemd-journal"`
			`];`
			`};`
			`users.groups.appvm.gid = 1337;`
			`users.allowNoPasswordLogin = true;`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00			`# Configure services`

			`systemd.settings.Manager.DefaultEnvironment = "XDG_RUNTIME_DIR=${runtimeDir}";`

			`systemd.services.muvm-remote = {`
			`enable = true;`
			`description = "microVM Application runner";`
			`onFailure = [ "exit.target" ];`
			`onSuccess = [ "exit.target" ];`
			`wants = [ "sockets.target" ];`
			`after = [ "sockets.target" ];`
			`wantedBy = [ "microvm.target" ];`
			`serviceConfig = {`
			`Type = "exec";`
			`PassEnvironment = [`
			`"TERM"`
			`"MESA_LOADER_DRIVER_OVERRIDE"`
			`"MUVM_REMOTE_CONFIG"`
			`]; # "KRUN_CONFIG"];`
			`Environment = [`
			`"WAYLAND_DISPLAY=wayland-1"`
			`"DBUS_SESSION_BUS_ADDRESS=unix:path=${runtimeDir}/dbus.sock"`
			`"PATH=/run/current-system/sw/bin"`
			`];`
			`User = "appvm";`
			`Group = "appvm";`
			`ExecStartPre = "+/run/current-system/sw/bin/chown appvm:appvm ${runtimeDir}";`
			`ExecStart = "/opt/bin/muvm-remote";`
			`ExecStopPost = ''+${pkgs.python3}/bin/python -c "import os,fcntl,struct;print(os.getenv('EXIT_STATUS', '1'));fcntl.ioctl(os.open('/', os.O_RDONLY), 0x7602, int(os.getenv('EXIT_STATUS', '1')))"'';`
			`}`
			`// useTTY;`
			`};`

			`systemd.services.muvm-configure-network = {`
			`enable = true;`
			`description = "microVM Network configuration";`
			`wantedBy = [ "microvm.target" ];`
			`serviceConfig.Type = "oneshot";`
			`serviceConfig.ExecStart = "/opt/bin/muvm-configure-network";`
			`};`

			`systemd.sockets.muvm-pwbridge = {`
			`enable = true;`
			`description = "PipeWire cross-domain proxy socket";`
			`wantedBy = [ "microvm.target" ];`
			`partOf = [ "muvm-pwbridge.service" ];`
			`listenStreams = [ "${runtimeDir}/pipewire-0" ];`
			`socketConfig = {`
			`SocketUser = "appvm";`
			`SocketGroup = "appvm";`
			`};`
			`};`
			`systemd.services.muvm-pwbridge = {`
			`enable = true;`
			`description = "PipeWire cross-domain proxy";`
			`requires = [ "muvm-pwbridge.socket" ];`
			`serviceConfig.Type = "exec";`
			`serviceConfig.ExecStart = "/opt/bin/muvm-pwbridge";`
			`};`

			`systemd.sockets.wayland-proxy-virtwl = {`
			`enable = true;`
			`description = "Wayland cross-domain proxy socket";`
			`wantedBy = [ "microvm.target" ];`
			`partOf = [ "wayland-proxy-virtwl.service" ];`
			`listenStreams = [ "${runtimeDir}/wayland-1" ];`
			`socketConfig = {`
			`SocketUser = "appvm";`
			`SocketGroup = "appvm";`
			`FileDescriptorName = "wayland";`
			`};`
			`};`
			`systemd.services.wayland-proxy-virtwl = {`
			`enable = true;`
			`description = "Wayland cross-domain proxy";`
			`requires = [ "wayland-proxy-virtwl.socket" ];`
			`serviceConfig = {`
			`ExecStartPre = "+/run/current-system/sw/bin/chmod 0666 /dev/dri/card0 /dev/dri/renderD128";`
			`ExecStart = "${virtwl.packages.${system}.proxy}/bin/wayland-proxy-virtwl --virtio-gpu";`
			`User = "appvm";`
			`Group = "appvm";`
			`};`
			`};`

			`systemd.sockets.session-bus = {`
			`enable = true;`
			`description = "D-Bus session bus socket";`
			`wantedBy = [ "microvm.target" ];`
			`partOf = [ "session-bus.service" ];`
			`listenStreams = [ "${runtimeDir}/dbus.sock" ];`
			`socketConfig = {`
			`SocketUser = "appvm";`
			`SocketGroup = "appvm";`
			`};`
			`};`
			`systemd.services.session-bus = {`
			`enable = true;`
			`description = "D-Bus session bus";`
			`requires = [ "session-bus.socket" ];`
			`serviceConfig = {`
			`ExecStart = "${pkgs.dbus}/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --syslog-only"; # no systemd activation, we don't run a session systemd`
			`User = "appvm";`
			`Group = "appvm";`
			`};`
			`};`
Start sidebus-agent strictly before the apps Gtk uses G_DBUS_CALL_FLAGS_NO_AUTO_START in all the (early) portal calls so we basically get a version of https://gitlab.gnome.org/GNOME/gtk/-/issues/7379 if we try to lazily start the agent.. 2025-12-12 05:10:52 -03:00			`systemd.services.sidebus-agent = {`
			`enable = true;`
			`description = "D-Bus session bus";`
			`wantedBy = ["microvm.target"];`
			`requires = ["session-bus.socket" "session-bus.service"];`
			`after = ["session-bus.service"];`
			`serviceConfig = {`
			`ImportCredential = "sidebus.port";`
			`Environment = ["DBUS_SESSION_BUS_ADDRESS=unix:path=${runtimeDir}/dbus.sock"];`
			`ExecStart = "${sidebus.packages.${system}.sidebus-agent}/bin/sidebus-agent";`
			`User = "appvm";`
			`Group = "appvm";`
			`};`
			`};`
nixos: add munix.defaultCommand option and system.build.munix Add a NixOS option to configure the default command for the VM and provide a system.build.munix output that wraps munix with the correct toplevel and default command. This reduces boilerplate in downstream flakes since they no longer need to manually wrap munix. The template now uses these new features, significantly simplifying the apps definition. 2025-12-15 16:20:04 +01:00
			`hardware.graphics.enable = true;`
			`hardware.graphics.package = self.packages.${system}.mesa;`

			`system.build.munix = pkgs.symlinkJoin {`
			`name = "munix";`
			`paths = [ self.packages.${system}.munix ];`
			`buildInputs = [ pkgs.makeWrapper ];`
			`postBuild = ''`
			`wrapProgram $out/bin/munix \`
			`--add-flags ${config.system.build.toplevel} \`
			`--set MICROVM_DEFAULT_COMMAND ${lib.escapeShellArg config.virtualisation.munix.defaultCommand}`
			`'';`
flake.nix: extract packages/devshells/modules into smaller files 2025-11-03 17:14:28 +01:00			`};`
			`};`
			`}`