feat: create /run/vmsilo runtime dirs in ExecStartPre

Add a per-VM oneshot prep unit that creates the VM's runtime directories
before its socket and VM service start, as a safety net independent of
tmpfiles. The gpu/ and sound/ directories are created with install -d and
owned by the VM user so the GPU and sound backends can create their sockets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Davíð Steinn Geirsson 2026-03-18 17:57:29 +00:00
parent e058e701d2
commit 6657f943fc


@ -231,6 +231,35 @@ in
# Systemd system services for VMs (run as root for PCI passthrough and sandboxing)
systemd.services = lib.listToAttrs (
# Prep services (create runtime directories for each VM)
map (
vm:
lib.nameValuePair "vmsilo-${vm.name}-prep" {
description = "Create runtime directories for VM ${vm.name}";
before = [
"vmsilo-${vm.name}.socket"
"vmsilo-${vm.name}-vm.service"
];
requiredBy = [
"vmsilo-${vm.name}.socket"
"vmsilo-${vm.name}-vm.service"
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "vmsilo-prep-${vm.name}" ''
${pkgs.coreutils}/bin/install -d -m 0755 -o ${toString userUid} -g ${toString userGid} \
/run/vmsilo/${vm.name} \
/run/vmsilo/${vm.name}/gpu \
/run/vmsilo/${vm.name}/sound
${pkgs.coreutils}/bin/install -d -m 0755 \
/run/vmsilo/${vm.name}/virtiofs
'';
};
}
) (lib.attrValues cfg.nixosVms)
++
# VM services (run crosvm as root)
map (
vm:
@ -301,6 +330,7 @@ in
vm:
lib.nameValuePair "vmsilo-${vm.name}-console-relay" {
description = "Console relay for VM ${vm.name}";
after = [ "vmsilo-${vm.name}-prep.service" ];
before = [ "vmsilo-${vm.name}-vm.service" ];
requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@ -368,6 +398,7 @@ in
tag: dirConfig:
lib.nameValuePair "vmsilo-${vm.name}-virtiofsd-${tag}" {
description = "virtiofsd ${tag} for VM ${vm.name}";
after = [ "vmsilo-${vm.name}-prep.service" ];
before = [ "vmsilo-${vm.name}-vm.service" ];
requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@ -402,6 +433,7 @@ in
lib.optional soundEnabled (
lib.nameValuePair "vmsilo-${vm.name}-sound" {
description = "vhost-device-sound for VM ${vm.name}";
after = [ "vmsilo-${vm.name}-prep.service" ];
before = [ "vmsilo-${vm.name}-vm.service" ];
requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@ -477,6 +509,7 @@ in
lib.optional (vm.gpu != false) (
lib.nameValuePair "vmsilo-${vm.name}-wayland-seccontext" {
description = "Wayland security context for VM ${vm.name}";
after = [ "vmsilo-${vm.name}-prep.service" ];
before = [ "vmsilo-${vm.name}-gpu.service" ];
requiredBy = [ "vmsilo-${vm.name}-gpu.service" ];
bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@ -528,7 +561,10 @@ in
lib.optional (gpuConfig != null) (
lib.nameValuePair "vmsilo-${vm.name}-gpu" {
description = "GPU device backend for VM ${vm.name}";
after = [ "vmsilo-${vm.name}-wayland-seccontext.service" ];
after = [
"vmsilo-${vm.name}-prep.service"
"vmsilo-${vm.name}-wayland-seccontext.service"
];
before = [ "vmsilo-${vm.name}-vm.service" ];
requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
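Review bot: The root-owned `virtiofs` directory created by the second `install -d` in the prep script (first hunk) lives inside `/run/vmsilo/${vm.name}`, which the first `install -d` hands to `userUid`, so a process running as that user can rename or replace the `virtiofs` entry by virtue of owning the parent directory and the root ownership buys no isolation from the device-backend user; if that separation is intended, keep the per-VM directory root-owned and chown only the socket directories: `install -d -m 0755 /run/vmsilo/${vm.name} /run/vmsilo/${vm.name}/virtiofs` followed by `install -d -m 0755 -o ${toString userUid} -g ${toString userGid} /run/vmsilo/${vm.name}/gpu /run/vmsilo/${vm.name}/sound`. This assumes nothing running as `userUid` needs to create entries directly in the top-level per-VM directory — the hunk does not show what the console relay or the socket unit place there, so confirm before changing it. The prep unit sets no `User=` and so runs as root; a one-line comment stating why would help the next reader, e.g. `# No User=: creates root-owned dirs under /run and chowns only the socket dirs to the VM user`. The commit title says ExecStartPre but the hunk implements a standalone oneshot unit, so the message and code should be aligned. The `lib.listToAttrs` expression that holds this prep definition, and the names `userUid`/`userGid`, continue outside the hunk.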