Are the libvirt instructions on the wiki up to date?

Reading the wiki, it says:

          secureBoot = true;
          tpmSupport = true;

First of all, isn’t this default?

Also, it mentions “unstable”, but that is not defined anywhere.

I have defined unstable like this:

  unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz) {config.allowUnfree = true;};

in my configuration.nix, but it’s not using that.

A bit confused.

The wiki is unofficial and poorly maintained, if the pages were ever right in the first place. Read it as a collection of suggestions, and do a bit of further research when following them. Checking the source code is often a good idea, and make sure you know what the underlying software actually does and try to understand why the wiki says what it does.

You probably don’t need to use unstable for that package anymore; who knows why the author of that decided to recommend it at the time of writing.

Those settings are not the default: https://github.com/NixOS/nixpkgs/blob/614b4613980a522ba49f0d194531beddbb7220d3/pkgs/applications/virtualization/OVMF/default.nix#L5

I’d suggest not mixing stable and unstable unless you have a good reason, and the wiki doesn’t give such a reason. Doing so incurs a heavy disk space cost and makes your evaluations take longer.

Just replace unstable with pkgs until you figure out why you shouldn’t, and if you do, add the unstable channel to your system and grab it from the module args (feel free to ask for help with this when the time comes) instead of doing what you’re asking about next.

While you can grab an unstable version of nixpkgs that way, if done correctly, I don’t recommend it. Use channels, flakes or niv instead.

This form is recommended in lots of poorly thought-out tutorials - probably because it’s easy to put in nix files to make things “just work” without having to explain additional commands for channels or bet on flakes - but I consider it one of the more harmful and pervasive anti-patterns. It’s easy to get wrong like you have, and even if you do get it right, updating it is both a royal pain and easily forgotten about.

As-is right now, your packages may randomly update every two hours, and nix will go through an expensive fetch every time. If you insist on doing things this way, at least specify the hash.


ok, I’m trying to write it like so:

  virtualisation.libvirtd = {
    enable = true;
    qemu = {
      package = pkgs.qemu_kvm;
      runAsRoot = true;
      swtpm.enable = true;
      ovmf = {
        enable = true;
        packages = [ pkgs.OVMF.override {
          secureBoot = true;
          csmSupport = false;
          httpSupport = true;
          tpmSupport = true;
        }.fd ];
      };
    };
  };

, but now it complains

error: attribute 'fd' missing

You need brackets, otherwise you’re trying to get an attribute from the attribute list you defined, rather than from the function call:

  virtualisation.libvirtd = {
    enable = true;
    qemu = {
      package = pkgs.qemu_kvm;
      runAsRoot = true;
      swtpm.enable = true;
      ovmf = {
        enable = true;
        packages = [ (pkgs.OVMF.override {
          secureBoot = true;
          csmSupport = false;
          httpSupport = true;
          tpmSupport = true;
        }).fd ];
      };
    };
  };
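Added example, not code from any poster in the thread: a configuration.nix module combining the two points made above, a fetchTarball pinned to one commit with its hash (for the "at least specify the hash" case) bound in a `let` so `unstable` is in scope, and the parenthesised OVMF override. The `rev` and `sha256` values are placeholders to replace; the libvirtd options are the ones used in the thread.

```nix
{ config, pkgs, ... }:

let
  # Placeholder: the full nixpkgs commit hash you have decided to pin.
  rev = "<nixpkgs-commit-hash>";

  # Pinned import: a fixed commit plus its hash, instead of the moving
  # nixos-unstable.tar.gz archive. Nix verifies the download against
  # sha256 and refuses to evaluate if the content differs.
  unstable = import (builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
    # Placeholder hash: replace with the output of
    #   nix-prefetch-url --unpack <the url above>
    sha256 = "0000000000000000000000000000000000000000000000000000";
  }) {
    config.allowUnfree = true;
  };
in
{
  virtualisation.libvirtd = {
    enable = true;
    qemu = {
      package = pkgs.qemu_kvm;
      swtpm.enable = true;
      ovmf = {
        enable = true;
        # Parentheses make .fd select from the result of the override
        # call rather than from the argument attribute set.
        packages = [
          (unstable.OVMF.override {
            secureBoot = true;
            tpmSupport = true;
          }).fd
        ];
      };
    };
  };
}
```

To move the pin, change `rev` and `sha256` together; swapping `unstable.OVMF` for `pkgs.OVMF` gives the stable-only variant suggested earlier in the thread.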