diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 40445c3b960..bffd8aff78b 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -325,6 +325,7 @@
       hydron = 298;
       cfssl = 299;
       cassandra = 300;
+      qemu-libvirtd = 301;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -610,6 +611,7 @@
       hydron = 298;
       cfssl = 299;
       cassandra = 300;
+      qemu-libvirtd = 301;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
index 3d002bc2232..3e38662f5b0 100644
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -17,6 +17,10 @@ let
     ${optionalString cfg.qemuOvmf ''
       nvram = ["/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd"]
     ''}
+    ${optionalString (!cfg.qemuRunAsRoot) ''
+      user = "qemu-libvirtd"
+      group = "qemu-libvirtd"
+    ''}
     ${cfg.qemuVerbatimConfig}
   '';
 
@@ -56,6 +60,18 @@ in {
       '';
     };
 
+    virtualisation.libvirtd.qemuRunAsRoot = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        If true, libvirtd runs qemu as root.
+        If false, libvirtd runs qemu as unprivileged user qemu-libvirtd.
+        Changing this option to false may cause file permission issues
+        for existing guests. To fix these, manually change ownership
+        of affected files in /var/lib/libvirt/qemu to qemu-libvirtd.
+      '';
+    };
+
     virtualisation.libvirtd.qemuVerbatimConfig = mkOption {
       type = types.lines;
       default = ''
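Review bot: The `user`/`group` lines added in the qemu.conf template are emitted only when qemuRunAsRoot is false, so with the default of true the generated file says nothing about the user and libvirt falls back to whatever account its build compiled in; whether that is root is not visible here, yet the option description states it as a fact. Writing the setting unconditionally, `user = "${if cfg.qemuRunAsRoot then "root" else "qemu-libvirtd"}"` and the same form for `group`, makes the effective account explicit in both cases and keeps the description true regardless of the package default. The block sits before `${cfg.qemuVerbatimConfig}`, so a verbatim `user =` line still wins; a short comment such as `# qemuVerbatimConfig comes last so it can override these` would make that ordering deliberate for the next reader.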
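Review bot: The repair advice in the qemuRunAsRoot description is incomplete: the template in the earlier hunk sets `group` as well as `user`, so group ownership must change too, and guest disk images are typically referenced from the domain XML and need not live under /var/lib/libvirt/qemu, so naming only that directory understates what may break. A wording such as `change owner and group of the guests' files (disk images, nvram, and the state under /var/lib/libvirt/qemu) to qemu-libvirtd` would set expectations correctly. The later hunk in this file introduces the account with `# libvirtd runs qemu as this user and group by default`, which contradicts `default = true` here; it should read `# libvirtd runs qemu as this user and group when qemuRunAsRoot is false`. If the module's other descriptions use docbook markup, the user name and path belong in `<literal>` and `<filename>` respectively.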
@@ -110,6 +126,14 @@ in {
     users.groups.libvirtd.gid = config.ids.gids.libvirtd;
 
+    # libvirtd runs qemu as this user and group by default
+    users.extraGroups.qemu-libvirtd.gid = config.ids.gids.qemu-libvirtd;
+    users.extraUsers.qemu-libvirtd = {
+      uid = config.ids.uids.qemu-libvirtd;
+      isNormalUser = false;
+      group = "qemu-libvirtd";
+    };
+
     systemd.packages = [ pkgs.libvirt ];
     systemd.services.libvirtd = {