From f32e79e3146d4be4aa2ddd1bf919e8456cd33ddd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dav=C3=AD=C3=B0=20Steinn=20Geirsson?=
Date: Wed, 18 Mar 2026 16:31:45 +0000
Subject: [PATCH] feat: add vmsilo-wayland-seccontext systemd service per GPU VM

Co-Authored-By: Claude Sonnet 4.6
---
 modules/services.nix | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/modules/services.nix b/modules/services.nix
index ef2a35f..1ef00d9 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -349,6 +349,43 @@ in
 };
 }
 ) vms
+ ++
+ # wayland-seccontext services (one per GPU VM — runs as user, before GPU service)
+ lib.concatMap (
+ vm:
+ lib.optional (vm.gpu != false) (
+ lib.nameValuePair "vmsilo-${vm.name}-wayland-seccontext" {
+ description = "Wayland security context for VM ${vm.name}";
+ before = [ "vmsilo-${vm.name}-gpu.service" ];
+ requiredBy = [ "vmsilo-${vm.name}-gpu.service" ];
+ bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStartPre = [
+ # Remove stale socket from previous run
+ "-${pkgs.coreutils}/bin/rm -f /run/vmsilo/${vm.name}/wayland-seccontext.socket"
+ ];
+ ExecStart = pkgs.writeShellScript "vmsilo-wayland-seccontext-${vm.name}" ''
+ exec ${cfg._internal.vmsilo-wayland-seccontext}/bin/vmsilo-wayland-seccontext \ --wayland-socket /run/user/${toString userUid}/wayland-0 \ --app-id "vmsilo:${vm.name}:${vm.color}" \ --socket-path /run/vmsilo/${vm.name}/wayland-seccontext.socket '';
+ ExecStopPost = pkgs.writeShellScript "cleanup-wayland-seccontext-${vm.name}" ''
+ rm -f /run/vmsilo/${vm.name}/wayland-seccontext.socket '';
+ User = cfg.user;
+ Environment = [
+ "XDG_RUNTIME_DIR=/run/user/${toString userUid}"
+ "RUST_LOG=info"
+ ];
+ Restart = "on-failure";
+ RestartSec = "1s";
+ };
+ }
+ )
+ ) (lib.attrValues cfg.nixosVms)
 ++ [
 # USB attach/detach oneshot template services (invoked by vmsilo-usb CLI)
 (lib.nameValuePair "vmsilo-usb-attach@" {
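Review bot: `Type = "simple"` combined with `before`/`requiredBy` on `vmsilo-${vm.name}-gpu.service` does not guarantee that the listening socket exists when the GPU service starts — systemd marks a simple service active as soon as the process is forked, so the GPU unit can race the bind of `/run/vmsilo/${vm.name}/wayland-seccontext.socket`. If `vmsilo-wayland-seccontext` can signal readiness via sd_notify after binding, `Type = "notify";` closes the gap; otherwise an `ExecStartPost` that polls for the socket (e.g. `for _ in $(seq 50); do [ -S /run/vmsilo/${vm.name}/wayland-seccontext.socket ] && exit 0; sleep 0.1; done; exit 1`) holds the unit in start-post, which units ordered after it wait for. Nothing in this hunk sets the mode or group of the socket or its directory, so who may connect is left to `cfg.user`'s umask and to whatever creates `/run/vmsilo/${vm.name}` elsewhere; since any process that connects obtains a Wayland connection tagged with this VM's app-id, an explicit `UMask =` on the service (or a systemd `.socket` unit with `SocketMode`/`SocketUser`, if the tool accepts a passed fd) would make that policy visible and reviewable. Both `rm -f` cleanups run as `cfg.user` and the `-` prefix on `ExecStartPre` ignores failure, so if that directory is not writable by that user a stale socket survives silently and the bind presumably fails — worth confirming against where the directory is created. The enclosing list expression starts before this hunk and continues after it.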