From b0c17465bc21ff7024d2e11fb8483ce1fbe43710 Mon Sep 17 00:00:00 2001
From: Stephen Newey
Date: Sat, 20 Mar 2021 16:51:39 +0000
Subject: [PATCH] Source build of lxd-agent. SecureBoot enabled.
---
 etc/nixos/configuration.nix | 14 ++++++--------
 etc/nixos/lxd-agent.nix | 34 +++++++++++++++++++++++++++-------
 etc/nixos/ovmf-meta.nix | 13 +++++++++++++
 etc/nixos/virtiofsd.nix | 1 +
 lxd-agent/README.md | 2 ++
 5 files changed, 49 insertions(+), 15 deletions(-)
 create mode 100644 etc/nixos/ovmf-meta.nix
diff --git a/etc/nixos/configuration.nix b/etc/nixos/configuration.nix
index 62495f1..f40d6d6 100644
--- a/etc/nixos/configuration.nix
+++ b/etc/nixos/configuration.nix
@@ -93,14 +93,15 @@
 # the good stuff...
 virtualisation.lxd.enable = true;
- virtualisation.lxd.zfsSupport = true;
+ virtualisation.lxd.zfsSupport = true; # zfs is recommended
+ virtualisation.lxd.recommendedSysctlSettings = true;
 systemd.services.lxd.path = with pkgs; [
 # the lxd-agent in nixpkgs is dynamically linked and will fail in your guest VM!
- # this provides a statically compiled version pulled from this repo
+ # this builds a statically compiled version
 ( import ./lxd-agent.nix )
- # lxd won't find virtiofsd without making sure it's in the path
+ # lxd won't find virtiofsd or virtfs-proxy-helper without making sure they're in the path
 ( import ./virtiofsd.nix )
 # the lxd nixpkg doesn't know it needs kvm in its path to run qemu!
@@ -118,11 +119,8 @@
 systemd.services.lxd.environment = {
 # lxd will look for EFI firmware in /usr/share, but will not find it there
- # so we need to tell it about the OVMF nixpkg
- # Ideally, we've used OVMF-secureBoot, but this doesn't actually seem to
- # include a signed EFI, so make sure to run:
- # lxc profile set default security.secureboot false
- LXD_OVMF_PATH = "${pkgs.OVMF.fd.outPath}/FV";
+ # so we need to tell it about our metapackage
+ LXD_OVMF_PATH = ( import ./ovmf-meta.nix );
 };
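Review bot: The rewritten comment above `LXD_OVMF_PATH` in the second hunk drops the only operator-facing hint about Secure Boot: the removed lines told readers to set `security.secureboot false` because the firmware had no signed EFI, and nothing on the new side says what changes now that `LXD_OVMF_PATH` points at a secureboot-only metapackage. If that firmware actually enforces signature checks, VM images without a signed shim stop booting under LXD's default `security.secureboot` setting, so keep one sentence there, e.g. `# the metapackage ships secureboot firmware only; images without a signed shim need security.secureboot=false on the instance or profile`. The `systemd.services.lxd.environment` attrset opens and closes within the hunk, so the comment slots in where the old one was; the `services.lxd.path` hunk above needs no change.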
diff --git a/etc/nixos/lxd-agent.nix b/etc/nixos/lxd-agent.nix
index eb2faee..d18d4a9 100644
--- a/etc/nixos/lxd-agent.nix
+++ b/etc/nixos/lxd-agent.nix
@@ -1,14 +1,34 @@
 with import {};
-stdenv.mkDerivation rec {
+stdenv.mkDerivation buildGoPackage rec {
 name = "lxd-agent";
+ version = "4.5"; # modify the version if using newer LXD
+
+ goPackagePath = "github.com/lxc/lxd";
+
+ buildFlags = [ "-ldflags=-extldflags=-static" "-ldflags=-s" "-ldflags=-w" "-tags libsqlite3" ];
+
 src = fetchurl {
- url = https://github.com/stevenewey/lxd-vms-on-nixos/raw/master/lxd-agent/lxd-agent;
- sha256 = "4c17cb711a95b7d2fd1ec90f02f94ec0b4bbd89e556e188576ece66f91666bb7";
+ url = "https://github.com/lxc/lxd/releases/download/lxd-${version}/lxd-${version}.tar.gz";
+ sha256 = "1nszzcyn8kvpnxppjbxky5x9a8n0jfmhy20j6nrwm3196gd6hirr"; # update this when changing LXD version
 };
- buildCommand = ''
- mkdir -p $out/bin
- cp $src $out/bin/lxd-agent
- chmod +x $out/bin/lxd-agent
+
+ subPackages = [ "lxd-agent" ];
+
+ preConfigure = ''
+ export CGO_ENABLED=0
+ '';
+
+ postPatch = ''
+ substituteInPlace shared/usbid/load.go \
+ --replace "/usr/share/misc/usb.ids" "${hwdata}/share/hwdata/usb.ids"
+ '';
+
+ preBuild = ''
+ # unpack vendor
+ pushd go/src/github.com/lxc/lxd
+ rm _dist/src/github.com/lxc/lxd
+ cp -r _dist/src/* ../../..
+ popd
 '';
 }
diff --git a/etc/nixos/ovmf-meta.nix b/etc/nixos/ovmf-meta.nix
new file mode 100644
index 0000000..49fb92a
--- /dev/null
+++ b/etc/nixos/ovmf-meta.nix
@@ -0,0 +1,13 @@
+with import {};
+
+# with this configuration, LXD will only support secureboot, which is the default
+
+stdenv.mkDerivation rec {
+ name = "ovmf-meta";
+ buildCommand = ''
+ mkdir -p $out
+ cp ${pkgs.OVMF-secureBoot.fd}/FV/OVMF.fd $out/
+ cp ${pkgs.OVMF-secureBoot.fd}/FV/OVMF_CODE.fd $out/
+ cp ${pkgs.OVMF-secureBoot.fd}/FV/OVMF_VARS.fd $out/OVMF_VARS.ms.fd
+ '';
+}
diff --git a/etc/nixos/virtiofsd.nix b/etc/nixos/virtiofsd.nix
index 61f5ed2..c88b157 100644
--- a/etc/nixos/virtiofsd.nix
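Review bot: `+stdenv.mkDerivation buildGoPackage rec {` passes two arguments to `mkDerivation`; the attributes added below (`goPackagePath`, `subPackages`, `buildFlags`) are the ones `buildGoPackage` reads, so the line should most likely read `buildGoPackage rec {` — with a nixpkgs of this vintage I would expect evaluation to fail as written. On the `buildFlags` line, `go build` keeps only the last `-ldflags` value it is given, so `-extldflags=-static` and `-s` are discarded and only `-w` takes effect; fold them into one value and, because that value contains spaces, use the array form: `buildFlagsArray = [ "-ldflags=-s -w -extldflags=-static" ]; buildFlags = [ "-tags libsqlite3" ];`. The binary still ends up static because `preConfigure` exports `CGO_ENABLED=0`, which is the property that matters for a guest agent (the dynamically linked nixpkgs agent is what fails in guests) and deserves a comment there, e.g. `# no cgo: the agent must run unchanged in guests with any (or no) libc`; `-tags libsqlite3` probably has no effect on the `lxd-agent` sub-package under that setting. The `with import {};` context line has presumably lost its `<nixpkgs>` in rendering and is not a defect of the change.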
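Review bot: The last `cp` line renames `OVMF_VARS.fd` to `OVMF_VARS.ms.fd`, and that name is what LXD takes to mean a variable store with Secure Boot keys (PK/KEK/db, Microsoft certificates) already enrolled; I do not believe the nixpkgs `OVMF-secureBoot` output of this vintage pre-enrolls any keys (the `msVarsTemplate` override that generates such a template arrived in nixpkgs much later), and an unenrolled store leaves the firmware in setup mode, where it boots unsigned loaders without verification. If so, the change makes Secure Boot appear enabled without it enforcing anything, which the removed configuration.nix comment about no signed EFI also hints at. Check from inside a guest with `mokutil --sb-state` (or the `SecureBoot` and `SetupMode` EFI variables) before treating it as enforced, and state the assumption in the file header, e.g. `# LXD reads OVMF_VARS.ms.fd as a key-enrolled vars template; verify this OVMF build actually enrolls keys, otherwise secureboot is not enforced`. `rec` on the derivation is unused and can go.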
+++ b/etc/nixos/virtiofsd.nix
@@ -5,5 +5,6 @@ stdenv.mkDerivation rec {
 buildCommand = ''
 mkdir -p $out/bin
 ln -s ${pkgs.kvm}/libexec/virtiofsd $out/bin/
+ ln -s ${pkgs.kvm}/libexec/virtfs-proxy-helper $out/bin/
 '';
 }
diff --git a/lxd-agent/README.md b/lxd-agent/README.md
index 68e228f..198a2db 100644
--- a/lxd-agent/README.md
+++ b/lxd-agent/README.md
@@ -7,3 +7,5 @@ The agent itself is unversioned. The [license is included](COPYING). The source can be found at https://github.com/lxc/lxd
+
+**UPDATE**: This is no longer required by the configuration now provided, which builds the agent from source. This remains here for legacy purposes.
\ No newline at end of file