diff --git a/modules/services.nix b/modules/services.nix
index ef2a35f..1ef00d9 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -349,6 +349,43 @@ in
         };
       }
     ) vms
+    ++
+    # wayland-seccontext services (one per GPU VM — runs as user, before GPU service)
+    lib.concatMap (
+      vm:
+      lib.optional (vm.gpu != false) (
+        lib.nameValuePair "vmsilo-${vm.name}-wayland-seccontext" {
+          description = "Wayland security context for VM ${vm.name}";
+          before = [ "vmsilo-${vm.name}-gpu.service" ];
+          requiredBy = [ "vmsilo-${vm.name}-gpu.service" ];
+          bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
+
+          serviceConfig = {
+            Type = "simple";
+            ExecStartPre = [
+              # Remove stale socket from previous run
+              "-${pkgs.coreutils}/bin/rm -f /run/vmsilo/${vm.name}/wayland-seccontext.socket"
+            ];
+            ExecStart = pkgs.writeShellScript "vmsilo-wayland-seccontext-${vm.name}" ''
+              exec ${cfg._internal.vmsilo-wayland-seccontext}/bin/vmsilo-wayland-seccontext \
+                --wayland-socket /run/user/${toString userUid}/wayland-0 \
+                --app-id "vmsilo:${vm.name}:${vm.color}" \
+                --socket-path /run/vmsilo/${vm.name}/wayland-seccontext.socket
+            '';
+            ExecStopPost = pkgs.writeShellScript "cleanup-wayland-seccontext-${vm.name}" ''
+              rm -f /run/vmsilo/${vm.name}/wayland-seccontext.socket
+            '';
+            User = cfg.user;
+            Environment = [
+              "XDG_RUNTIME_DIR=/run/user/${toString userUid}"
+              "RUST_LOG=info"
+            ];
+            Restart = "on-failure";
+            RestartSec = "1s";
+          };
+        }
+      )
+    ) (lib.attrValues cfg.nixosVms)
     ++ [
       # USB attach/detach oneshot template services (invoked by vmsilo-usb CLI)
       (lib.nameValuePair "vmsilo-usb-attach@" {
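Review bot: With `Type = "simple"` the `before`/`requiredBy` ordering against `vmsilo-${vm.name}-gpu.service` only waits for the wayland-seccontext process to be exec'd, not for `/run/vmsilo/${vm.name}/wayland-seccontext.socket` to be bound and listening, so the GPU service can start ahead of the socket it is presumably meant to use (the ExecStartPre `rm -f` widens that window by removing any leftover path first). If the binary can signal readiness, `Type = "notify";` with READY=1 sent after the listener is up closes the gap; otherwise a socket unit or a readiness wait on the GPU service side would. Separately, `vm.name` and `vm.color` are spliced into the writeShellScript argv unquoted apart from the literal double quotes around `--app-id`; wrapping them as `--app-id ${lib.escapeShellArg "vmsilo:${vm.name}:${vm.color}"}` keeps the command line intact if a configured value ever carries a quote, `$` or whitespace. The socket directory `/run/vmsilo/${vm.name}` must already exist and be writable by `cfg.user` for both `rm -f` calls and the bind to succeed; nothing in this hunk creates it or sets its mode, so whoever provisions it should be named in a comment here.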