crosvm/flake.nix
Davíð Steinn Geirsson 601d42aa36 feat: add crosvm-nvidia package with relaxed mprotect for JIT shaders
NVIDIA's proprietary driver requires PROT_READ|PROT_WRITE|PROT_EXEC
mprotect for JIT shader compilation in the GPU render server. This is
a significant sandbox weakening, so it's offered as a separate flake
package rather than changing the default seccomp policy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 00:36:01 +00:00


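{
  description = "Hacky crosvm fork for qubes-lite";

  inputs = {
    #nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # Make the checked-out git submodules part of the flake's own source tree.
    self.submodules = true;
  };

  outputs =
    { self, nixpkgs }:
    let
      # This flake only targets x86_64-linux; the seccomp policy patched below
      # is the x86_64 one for the same reason.
      pkgs = nixpkgs.legacyPackages.x86_64-linux;

      # Minijail policy for the GPU render server, relative to the source root
      # (which is the working directory while postPatch runs).
      renderServerPolicy = "jail/seccomp/x86_64/gpu_render_server.policy";
    in
    {
      # Stock build, driven entirely by ./default.nix.
      packages.x86_64-linux.crosvm = pkgs.callPackage (import ./default.nix) { };

      # Variant with relaxed seccomp policy for NVIDIA's proprietary driver.
      # Allows PROT_READ|PROT_WRITE|PROT_EXEC mprotect in the GPU render server,
      # which NVIDIA's JIT shader compiler requires.
      #
      # This permits writable+executable mappings inside the render server's
      # seccomp sandbox, so it is deliberately an opt-in package: nothing here
      # changes what `crosvm` / `default` build.
      packages.x86_64-linux.crosvm-nvidia = self.packages.x86_64-linux.crosvm.overrideAttrs (old: {
        postPatch = (old.postPatch or "") + ''
          # Fail loudly if the policy file is not where we expect it: a bare
          # '>>' would otherwise create a stray file nothing reads, and the
          # package would silently build without the rule it exists to add.
          test -f ${renderServerPolicy} || {
            echo "crosvm-nvidia: ${renderServerPolicy} not found; seccomp policy layout changed?" >&2
            exit 1
          }
          echo '# NVIDIA proprietary driver requires RWX for JIT shader compilation' \
            >> ${renderServerPolicy}
          # NOTE(review): how minijail reconciles this line with any existing
          # mprotect rule (in this file or in policies it may @include) is not
          # verified here - confirm the resulting policy really admits the call.
          echo 'mprotect: arg2 == PROT_READ|PROT_WRITE|PROT_EXEC' \
            >> ${renderServerPolicy}
        '';
      });

      packages.x86_64-linux.default = self.packages.x86_64-linux.crosvm;

      devShells.x86_64-linux.default = pkgs.mkShell {
        # Disable fortify hardening - it requires -O1 or higher but cargo debug builds use -O0
        hardeningDisable = [ "fortify" ];

        nativeBuildInputs = with pkgs; [
          # Rust toolchain
          cargo
          rustc
          rust-analyzer
          clippy
          rustfmt
          # Build tools
          pkg-config
          protobuf
          python3
          rustPlatform.bindgenHook
          wayland-scanner
        ];

        buildInputs = with pkgs; [
          libcap
          libdrm
          libepoxy
          minijail
          virglrenderer
          wayland
          wayland-protocols
        ];

        # Tell the crosvm build to link the system copies instead of vendored ones.
        CROSVM_USE_SYSTEM_MINIGBM = "true";
        CROSVM_USE_SYSTEM_VIRGLRENDERER = "true";
      };
    };
}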