From e4326c77dfa20b25c6124c19ac7d3dfc673ff2e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dav=C3=AD=C3=B0=20Steinn=20Geirsson?= <david@dsg.is>
Date: Wed, 18 Mar 2026 16:21:42 +0000
Subject: [PATCH] feat: add cloud-hypervisor and vmsilo-wayland-seccontext to
 flake.nix

Add buildVmsiloWaylandSeccontext build function and expose vmsilo-wayland-seccontext
and cloud-hypervisor (from nixpkgs) as package outputs. Inject both into
_internal module options. Remove nvidiaWeakenSandbox-conditional crosvm selection.

Note: git.dsg.is/dsg/cloud-hypervisor.git has no flake.nix, so cloud-hypervisor
is sourced from nixpkgs instead of a dedicated flake input.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 flake.nix | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/flake.nix b/flake.nix
index 1a3d74e..be38b62 100644
--- a/flake.nix
+++ b/flake.nix
@@ -79,6 +79,23 @@
           };
         };
 
+      # Build vmsilo-wayland-seccontext Rust binary
+      buildVmsiloWaylandSeccontext =
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        pkgs.rustPlatform.buildRustPackage {
+          pname = "vmsilo-wayland-seccontext";
+          version = "0.1.0";
+          src = ./vmsilo-wayland-seccontext;
+          cargoLock = {
+            lockFile = ./vmsilo-wayland-seccontext/Cargo.lock;
+          };
+          nativeBuildInputs = with pkgs; [ pkg-config ];
+          buildInputs = with pkgs; [ wayland ];
+        };
+
       # treefmt configuration
       treefmtConfig = {
         projectRootFile = "flake.nix";
@@ -96,6 +113,8 @@
         rootfs-nixos = makeRootfsNixos system { };
         vmsilo-balloond = buildVmsiloBalloond system;
         vmsilo-dbus-proxy = buildVmsiloDbusProxy system;
+        vmsilo-wayland-seccontext = buildVmsiloWaylandSeccontext system;
+        "cloud-hypervisor" = nixpkgs.legacyPackages.${system}.cloud-hypervisor;
         decoration-tests =
           let
             pkgs = nixpkgs.legacyPackages.${system};
@@ -180,11 +199,9 @@
           # Inject dependencies when module is enabled
           config = lib.mkIf config.programs.vmsilo.enable {
             programs.vmsilo._internal = {
-              crosvm =
-                if config.programs.vmsilo.nvidiaWeakenSandbox then
-                  crosvm.packages.${pkgs.stdenv.hostPlatform.system}.crosvm-nvidia
-                else
-                  crosvm.packages.${pkgs.stdenv.hostPlatform.system}.default;
+              crosvm = crosvm.packages.${pkgs.stdenv.hostPlatform.system}.default;
+              "cloud-hypervisor" = pkgs.cloud-hypervisor;
+              vmsilo-wayland-seccontext = buildVmsiloWaylandSeccontext pkgs.stdenv.hostPlatform.system;
               wayland-proxy-virtwl = wayland-proxy-virtwl.packages.${pkgs.stdenv.hostPlatform.system}.default;
               sommelier = pkgs.callPackage ./packages/sommelier.nix { };
               vhost-device-sound = vhost-device.packages.${pkgs.stdenv.hostPlatform.system}.vhost-device-sound;