first attempt on gpu passthrough

hosts/thinkpad/default.nix

@@ -6,6 +6,7 @@
       ./hardware-configuration.nix
       ./modules/networks
       ./modules/greetd
+      ./modules/virtualisation
       ./modules/snapper
     ];
 
@@ -156,7 +157,6 @@
     fwupd.enable = true; # firmware updates
   };
 
-  # fun fact: if I disable this, Hyprland breaks due to missing egl dependencies
   programs.steam.enable = true; # putting steam in here cause in home manager it doesn't work
 
   programs.ausweisapp = {
@@ -164,22 +164,6 @@
     openFirewall = true;
   };
 
-  virtualisation.libvirtd.enable = true;
-  virtualisation.spiceUSBRedirection.enable = true;
-
-  # fix to enable secure boot in vms
-  environment.etc = {
-    "ovmf/edk2-x86_64-secure-code.fd" = {
-      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd";
-    };
-
-    "ovmf/edk2-i386-vars.fd" = {
-      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd";
-      mode = "0644";
-      user = "libvirtd";
-    };
-  };
-
   systemd.sleep.extraConfig = ''
     HibernateDelaySec=2h
   '';
@@ -221,8 +205,8 @@
     killall
     zip
     unzip
+    pciutils
 
-    virt-viewer # multi monitor for vms
     sbctl
 
     deploy-rs

hosts/thinkpad/modules/virtualisation/default.nix

@@ -0,0 +1,88 @@
+{ config, lib, pkgs, ... }:
+# Virtualisation with gpu passthrough
+# Following https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/
+let
+  gpuHook = pkgs.writeShellScript "gpuhook.sh" ''
+    export PATH=$PATH:${lib.makeBinPath [pkgs.pciutils pkgs.kmod pkgs.psmisc pkgs.systemd pkgs.coreutils]}
+    gpu_domains=(
+        win11
+    )
+    function gpu_begin {
+        set -x
+        device=$(lspci -nnD | grep "VGA compatible controller" | grep Intel)
+        # Stop display manager
+        systemctl stop greetd.service
+        # Unbind vtconsole
+        for i in /sys/class/vtconsole/*/bind; do
+            echo 0 > "$i"
+        done
+        # Kill pulseaudio
+        killall pipewire
+        killall pipewire-pulse
+        # Unbind GPU
+        echo "$device" | cut -d' ' -f1 > /sys/module/i915/drivers/pci:i915/unbind
+        # Unload modules
+        rmmod snd_hda_intel
+        rmmod i915
+        # Load vfio
+        modprobe vfio-pci ids="$(echo "$device" | grep -o 8086:....)"
+    }
+    function gpu_end {
+        set -x
+        # Unload vfio
+        rmmod vfio_pci
+        # Load modules
+        modprobe snd_hda_intel
+        modprobe i915
+        # Rebind vtconsole
+        for i in /sys/class/vtconsole/*/bind; do
+            echo 1 > "$i"
+        done
+        # Start display manager
+        systemctl start greetd.service
+    }
+    # Run only for gpu_domains
+    for d in "''${gpu_domains[@]}"; do
+        [ "$d" = "$1" ] && gpu_domain=true
+    done
+    if [ "$gpu_domain" = true ]; then
+        [ "$2" = prepare ] && [ "$3" = begin ] && gpu_begin
+        [ "$2" = release ] && [ "$3" = end ] && gpu_end
+    fi
+    true
+  '';
+in
+{
+
+  virtualisation.libvirtd.enable = true;
+  virtualisation.spiceUSBRedirection.enable = true;
+
+  # fix to enable secure boot in vms
+  environment.etc = {
+    "ovmf/edk2-x86_64-secure-code.fd" = {
+      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd";
+    };
+
+    "ovmf/edk2-i386-vars.fd" = {
+      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd";
+      mode = "0644";
+      user = "libvirtd";
+    };
+
+  };
+  environment.systemPackages = with pkgs; [
+    virt-viewer
+  ];
+  systemd.services.libvirtd.preStart =
+    ''
+      mkdir -p /var/lib/libvirt/hooks
+      chmod 755 /var/lib/libvirt/hooks
+
+      # Copy hook files
+      cp -f ${gpuHook} /var/lib/libvirt/hooks/qemu
+
+      # Make them executable
+      chmod +x /var/lib/libvirt/hooks/qemu
+    '';
+
+}