nix/os-mods/virt/default.nix

{ config
, lib
, pkgs
, ...
}: {
  environment.systemPackages = with pkgs; [
    virtiofsd
    virt-manager
    virt-viewer
    virt-top
    spice-gtk
    gnome.gnome-boxes
  ];

  boot.kernelModules = [ "kvm-amd" ]; # TODO check cpu and enable intel kvm if needed

  virtualisation.docker = {
    enable = true;
    package = pkgs.docker;

    storageDriver = lib.mkDefault "overlay2";
    liveRestore = false;
    autoPrune.enable = true;
  };

  security.wrappers.spice-client-glib-usb-acl-helper = {
    owner = "root";
    group = "root";
    # capabilities = "cap_fowner+ep";
    setuid = true;
    source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
  };

  virtualisation.libvirtd = {
    enable = true;
    package = pkgs.libvirt;

    onShutdown = "suspend";
    onBoot = "ignore";

    qemu = {
      package = pkgs.qemu_kvm;
      ovmf.enable = true;
      ovmf.packages = [ pkgs.OVMFFull.fd ];
      swtpm.enable = true;
      runAsRoot = false;
    };
  };

  services.udev.extraRules = ''
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664", GROUP="wheel"
  '';
}