- Rename `disks` to `additionalDisks` with structured format
(path, readOnly, enableDiscard, blockSize, devIdentifier, useDirect)
- Add custom boot options: rootDisk, kernel, initramfs, rootDiskReadonly
- Add kernelParams for extra kernel command line options
- Add gpu option (default: "context-types=cross-domain:virgl2")
- Add sharedDirectories for crosvm --shared-dir
- Add global crosvmLogLevel option (default: "info")
- Add --name argument to crosvm, set to the VM name
- Migrate deprecated --disk/--rwdisk to --block format
- Switch flake to nixos-unstable channel
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
VMs with different disposable settings but identical guestPrograms and
guestConfig now share the same rootfs image. The idle watchdog service
is always included but reads isDisposable and idleTimeout from the
kernel command line at startup, exiting immediately for non-disposable VMs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The double-decoration crash issue has been fixed. Verified that both konsole
(prefers server-side decorations) and firefox (prefers client-side) work and
show server-side decorations.
- Add treefmt-nix with nixfmt for code formatting (nix fmt)
- Extract cidrToNetworkBase and mkVmCase helper functions
- Use lib.nameValuePair for cleaner listToAttrs patterns
- Consolidate assertions with single let block
- Remove duplicate util-linux package
- Document formatting requirement in CLAUDE.md
- Apply nixfmt to all Nix files
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add programs.qubes-lite.enableBashIntegration option (default enabled)
that provides tab completion for vm-run, vm-start-debug, vm-stop,
vm-shell, and vm-root-shell commands.
VM names are queried dynamically from systemd socket units at completion
time, so existing shells see new VMs immediately after nixos-rebuild
without needing to reload.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use my wayland-proxy-virtwl fork. Unconditionally requests server-side
decorations even if the client doesn't want them.
Tested with firefox, works there.
Remove the old s6/execline-based rootfs in favor of the NixOS module approach:
- Delete rootfs/ directory (s6-based rootfs builder)
- Delete mktuntap/ directory (TAP utility, now using --tap-name)
- Delete default.nix (legacy package with vs*/tt*/ff* scripts)
- Update flake.nix to point packages.default to rootfs-nixos
- Update documentation to reflect NixOS-only architecture
The NixOS module (modules/) with socket-activated VMs is now the only
supported approach. VMs are configured declaratively via
programs.qubes-lite.nixosVms.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add two new scripts to the NixOS module that SSH into VMs:
- vm-shell <name> - SSH as user
- vm-root-shell <name> - SSH as root
Users must configure SSH keys in guestConfig for these to work.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add programs.qubes-lite.guestConfig option for NixOS configuration
that applies to all VMs. Per-VM guestConfig is deep-merged with the
global config using lib.recursiveUpdate, with per-VM values taking
precedence on conflicts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document new CLI scripts: vm-run, vm-start-debug, vm-stop
- Replace autoStart with disposable/idleTimeout options
- Add section on disposable VMs with auto-shutdown
- Document socket activation architecture
- Update examples to show disposable VM configuration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
sockets.target is passive in user sessions. default.target ensures
sockets start automatically on login.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
sockets.target is a passive target that isn't automatically activated
in user sessions. Using default.target ensures the socket starts when
the user logs in.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
autoStart is replaced by socket activation.
run-in-vm is replaced by vm-run which uses socket activation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
vm-run <vm-name> <command> connects to socket, triggering VM
activation if needed, then sends command.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- mkProxyScript waits for guest vsock, then forwards stdin/stdout
- qubes-lite-<name>@.service spawned per connection by socket
- qubes-lite-<name>-vm.service runs crosvm (required by proxy)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Creates qubes-lite-<name>.socket for each VM, listening on
$XDG_RUNTIME_DIR/qubes-lite/<name>.sock with Accept=true.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When _qubesLite.disposable is true, vm-idle-watchdog monitors for:
- No active vsock-cmd@ instances
- Last activity older than idleTimeout seconds
Triggers clean systemctl poweroff when conditions met.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
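The two commits above (the watchdog conditions here, and the earlier note that the watchdog reads isDisposable and idleTimeout from the kernel command line and exits immediately for non-disposable VMs) describe the guest-side shutdown logic. The script below is an added illustration of that logic, not the project's vm-idle-watchdog. The kernel command line parameter names (qubes-lite.disposable=, qubes-lite.idleTimeout=), the 10-second poll interval and the 300-second default are assumptions; the unit pattern vsock-cmd@*.service and the path /run/qubes-lite/last-activity are taken from the commit messages. The decision function takes its inputs as arguments so it can be checked without a running guest.

```shell
#!/bin/sh
# Added example of a disposable-VM idle watchdog (not the project's own script).
# Assumed: the host passes "qubes-lite.disposable=1 qubes-lite.idleTimeout=N"
# on the kernel command line; GNU coreutils (stat -c) and systemd are present.
set -eu

ACTIVITY_FILE=/run/qubes-lite/last-activity   # touched by vsock-cmd@ on start/stop
POLL_SECONDS=10                               # assumed polling interval

# cmdline_param CMDLINE KEY: print the value of KEY=value in CMDLINE.
# Returns 1 (and prints nothing) when KEY is absent.
cmdline_param() {
    cl=$1; key=$2
    for tok in $cl; do
        case $tok in
            "$key"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# should_poweroff ACTIVE NOW LAST TIMEOUT: succeed only when there is no
# active vsock-cmd@ instance AND the last activity is at least TIMEOUT
# seconds old. Both conditions must hold; a long-running session keeps the
# VM alive even if the activity file is stale.
should_poweroff() {
    active=$1; now=$2; last=$3; timeout=$4
    [ "$active" -eq 0 ] && [ $(( now - last )) -ge "$timeout" ]
}

# active_sessions: count running per-connection template instances.
active_sessions() {
    systemctl list-units --plain --no-legend --state=active 'vsock-cmd@*.service' \
        | awk 'END { print NR }'
}

main() {
    cmdline=$(cat /proc/cmdline)
    disposable=$(cmdline_param "$cmdline" qubes-lite.disposable || echo 0)
    if [ "$disposable" != 1 ]; then
        echo "watchdog: not a disposable VM, exiting" >&2
        exit 0
    fi
    timeout=$(cmdline_param "$cmdline" qubes-lite.idleTimeout || echo 300)

    # Without a baseline the VM could never be declared idle after boot.
    mkdir -p "$(dirname "$ACTIVITY_FILE")"
    [ -e "$ACTIVITY_FILE" ] || touch "$ACTIVITY_FILE"

    while :; do
        now=$(date +%s)
        last=$(stat -c %Y "$ACTIVITY_FILE" 2>/dev/null || echo "$now")
        if should_poweroff "$(active_sessions)" "$now" "$last" "$timeout"; then
            echo "watchdog: idle for >= ${timeout}s with no sessions, powering off" >&2
            systemctl poweroff
            exit 0
        fi
        sleep "$POLL_SECONDS"
    done
}

# Only run the loop when explicitly asked (sh watchdog.sh --run), so the
# functions above can be sourced and exercised on a host without systemd.
case ${1:-} in
    --run) main ;;
esac
```

Run as `sh watchdog.sh --run` from a guest systemd service; when sourced without `--run` only the functions are defined.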
- Remove socat-based vsock-command-listener service
- Add vsock-cmd.socket for systemd socket activation
- Add vsock-cmd@.service template spawned per connection
- Template touches /run/qubes-lite/last-activity on start/stop
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds options._qubesLite.{disposable, idleTimeout} for host to pass
auto-shutdown configuration to guest.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
These options enable on-demand VM shutdown:
- disposable: enables auto-shutdown when idle
- idleTimeout: seconds to wait before shutdown
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Socket-activated VMs that start on first command and optionally
shut down after configurable idle period. Uses systemd template
units for process tracking on both host and guest sides.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace the simple guestPrograms-only module with a full declarative
module that allows configuring VMs from configuration.nix:
- programs.qubes-lite.enable, user, vmNetwork, natEnable, natInterface
- programs.qubes-lite.nixosVms list with per-VM config (id, name,
memory, cpus, network, disks, guestPrograms, guestConfig)
- Automatic TAP interface creation via networking.interfaces
- NAT configuration for VM internet access
- Per-VM NixOS rootfs builds with combined packages
- Generated launcher scripts (qubes-lite-start-<name>)
- run-in-vm helper for executing commands via vsock
- Systemd user services for each VM
- Validation: odd IDs 3-255, unique IDs/names
Changes needed:
- Some minor renaming for nixpkgs changes.
- Kernel modules now come from a separate output.
- dash over vsock seems to be broken; switched to bash.
(It seems to be trying to use the console instead of the vsock.)
Add gvfs so that evince can remember where you are in a document.
Start dbus at session launch so that everything gets the same one
(evince doesn't launch it if missing).