dsg/vmsilo
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add vmsilo-wayland-seccontext systemd service per GPU VM

Browse source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Davíð Steinn Geirsson 2026-03-18 16:31:45 +00:00
parent 249a2622bb
commit f32e79e314
1 changed files with 37 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

37
modules/services.nix
View file

@ -349,6 +349,43 @@ in
};
}
) vms
++
# wayland-seccontext services (one per GPU VM — runs as user, before GPU service)
lib.concatMap (
vm:
lib.optional (vm.gpu != false) (
lib.nameValuePair "vmsilo-${vm.name}-wayland-seccontext" {
description = "Wayland security context for VM ${vm.name}";
before = [ "vmsilo-${vm.name}-gpu.service" ];
requiredBy = [ "vmsilo-${vm.name}-gpu.service" ];
bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
serviceConfig = {
Type = "simple";
ExecStartPre = [
# Remove stale socket from previous run
"-${pkgs.coreutils}/bin/rm -f /run/vmsilo/${vm.name}/wayland-seccontext.socket"
];
ExecStart = pkgs.writeShellScript "vmsilo-wayland-seccontext-${vm.name}" ''
exec ${cfg._internal.vmsilo-wayland-seccontext}/bin/vmsilo-wayland-seccontext \
--wayland-socket /run/user/${toString userUid}/wayland-0 \
--app-id "vmsilo:${vm.name}:${vm.color}" \
--socket-path /run/vmsilo/${vm.name}/wayland-seccontext.socket
'';
ExecStopPost = pkgs.writeShellScript "cleanup-wayland-seccontext-${vm.name}" ''
rm -f /run/vmsilo/${vm.name}/wayland-seccontext.socket
'';
User = cfg.user;
Environment = [
"XDG_RUNTIME_DIR=/run/user/${toString userUid}"
"RUST_LOG=info"
];
Restart = "on-failure";
RestartSec = "1s";
};
}
)
) (lib.attrValues cfg.nixosVms)
++ [
# USB attach/detach oneshot template services (invoked by vmsilo-usb CLI)
(lib.nameValuePair "vmsilo-usb-attach@" {