Diffstat (limited to 'nixos/modules/hardware')
-rw-r--r-- | nixos/modules/hardware/cpu/amd-sev.nix | 89 | ||||
-rw-r--r-- | nixos/modules/hardware/glasgow.nix | 23 |
2 files changed, 82 insertions, 30 deletions
diff --git a/nixos/modules/hardware/cpu/amd-sev.nix b/nixos/modules/hardware/cpu/amd-sev.nix
index 28ee07f005b..08e1de49638 100644
--- a/nixos/modules/hardware/cpu/amd-sev.nix
+++ b/nixos/modules/hardware/cpu/amd-sev.nix
@@ -1,37 +1,43 @@
-{ config, lib, ... }:
+{ config, options, lib, ... }:
 with lib;
 let
- cfg = config.hardware.cpu.amd.sev;
- defaultGroup = "sev";
-in
- with lib; {
- options.hardware.cpu.amd.sev = {
- enable = mkEnableOption (lib.mdDoc "access to the AMD SEV device");
- user = mkOption {
- description = lib.mdDoc "Owner to assign to the SEV device.";
- type = types.str;
- default = "root";
- };
- group = mkOption {
- description = lib.mdDoc "Group to assign to the SEV device.";
- type = types.str;
- default = defaultGroup;
- };
- mode = mkOption {
- description = lib.mdDoc "Mode to set for the SEV device.";
- type = types.str;
- default = "0660";
- };
+ cfgSev = config.hardware.cpu.amd.sev;
+ cfgSevGuest = config.hardware.cpu.amd.sevGuest;
+
+ optionsFor = device: group: {
+ enable = mkEnableOption (lib.mdDoc "access to the AMD ${device} device");
+ user = mkOption {
+ description = lib.mdDoc "Owner to assign to the ${device} device.";
+ type = types.str;
+ default = "root";
+ };
+ group = mkOption {
+ description = lib.mdDoc "Group to assign to the ${device} device.";
+ type = types.str;
+ default = group;
 };
+ mode = mkOption {
+ description = lib.mdDoc "Mode to set for the ${device} device.";
+ type = types.str;
+ default = "0660";
+ };
+ };
+in
+with lib; {
+ options.hardware.cpu.amd.sev = optionsFor "SEV" "sev";
+
+ options.hardware.cpu.amd.sevGuest = optionsFor "SEV guest" "sev-guest";
- config = mkIf cfg.enable {
+ config = mkMerge [
+ # /dev/sev
+ (mkIf cfgSev.enable {
 assertions = [
 {
- assertion = hasAttr cfg.user config.users.users;
+ assertion = hasAttr cfgSev.user config.users.users;
 message = "Given user does not exist";
 }
 {
- assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
+ assertion = (cfgSev.group == options.hardware.cpu.amd.sev.group.default) || (hasAttr cfgSev.group config.users.groups);
 message = "Given group does not exist";
 }
 ];
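Review bot: `mode` in `optionsFor` is declared `types.str`, but its value ends up inside a udev `MODE=` assignment that decides who may open the SEV devices, so nothing rejects a non-octal string such as `"660"`, `"rw"` or one containing a quote; a malformed value would presumably be ignored or misparsed by udev at runtime rather than fail the build. Tightening the type catches that at evaluation time, e.g. `type = types.strMatching "0?[0-7]{3}";`, which keeps the `"0660"` default valid. Because the same option set is shared by `sev` and `sevGuest`, the restriction covers both devices at once. The `enable` description could also say what access means in the guest case: if `/dev/sev-guest` hands out attestation reports and derived keys to whoever can open it, group membership is a security boundary worth a sentence.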
@@ -40,12 +46,35 @@ in
 options kvm_amd sev=1
 '';
- users.groups = optionalAttrs (cfg.group == defaultGroup) {
- "${cfg.group}" = {};
+ users.groups = optionalAttrs (cfgSev.group == options.hardware.cpu.amd.sev.group.default) {
+ "${cfgSev.group}" = { };
 };
- services.udev.extraRules = with cfg; ''
+ services.udev.extraRules = with cfgSev; ''
 KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
 '';
- };
- }
+ })
+
+ # /dev/sev-guest
+ (mkIf cfgSevGuest.enable {
+ assertions = [
+ {
+ assertion = hasAttr cfgSevGuest.user config.users.users;
+ message = "Given user does not exist";
+ }
+ {
+ assertion = (cfgSevGuest.group == options.hardware.cpu.amd.sevGuest.group.default) || (hasAttr cfgSevGuest.group config.users.groups);
+ message = "Given group does not exist";
+ }
+ ];
+
+ users.groups = optionalAttrs (cfgSevGuest.group == options.hardware.cpu.amd.sevGuest.group.default) {
+ "${cfgSevGuest.group}" = { };
+ };
+
+ services.udev.extraRules = with cfgSevGuest; ''
+ KERNEL=="sev-guest", OWNER="${user}", GROUP="${group}", MODE="${mode}"
+ '';
+ })
+ ];
+}
diff --git a/nixos/modules/hardware/glasgow.nix b/nixos/modules/hardware/glasgow.nix
new file mode 100644
index 00000000000..f8ebb772c47
--- /dev/null
+++ b/nixos/modules/hardware/glasgow.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.hardware.glasgow;
+
+in
+{
+ options.hardware.glasgow = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Enables Glasgow udev rules and ensures 'plugdev' group exists.
+ This is a prerequisite to using Glasgow without being root.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.udev.packages = [ pkgs.glasgow ];
+ users.groups.plugdev = { };
+ };
+}
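Review bot: The new `sevGuest` block is a line-for-line copy of the `sev` block with only the config attribute, option path and `KERNEL==` name changed, and both reuse the identical messages `"Given user does not exist"` / `"Given group does not exist"`, so a failing assertion does not tell the administrator which device or which value was wrong. A shared helper in the `let` (which, like the `config = mkMerge [` it feeds, starts in the previous hunk) would remove the duplication and can name the option and value in the message; the host-only `boot.extraModprobeConfig` then stays as the single difference between the two entries. The udev rule, group creation and assertions are otherwise reproduced unchanged in the helper below.

```nix
  # Existence checks, optional default-group creation and udev rule shared by
  # /dev/sev (host) and /dev/sev-guest (guest); `opt` is the option set for the
  # device so the default group name is read from its declaration.
  deviceConfigFor = name: cfg: opt: kernelName: {
    assertions = [
      {
        assertion = hasAttr cfg.user config.users.users;
        message = "hardware.cpu.amd.${name}.user: user '${cfg.user}' does not exist";
      }
      {
        assertion = (cfg.group == opt.group.default) || (hasAttr cfg.group config.users.groups);
        message = "hardware.cpu.amd.${name}.group: group '${cfg.group}' does not exist";
      }
    ];

    users.groups = optionalAttrs (cfg.group == opt.group.default) {
      "${cfg.group}" = { };
    };

    services.udev.extraRules = with cfg; ''
      KERNEL=="${kernelName}", OWNER="${user}", GROUP="${group}", MODE="${mode}"
    '';
  };

  # … unchanged: optionsFor and the option declarations …

  config = mkMerge [
    # /dev/sev
    (mkIf cfgSev.enable (mkMerge [
      (deviceConfigFor "sev" cfgSev options.hardware.cpu.amd.sev "sev")
      {
        boot.extraModprobeConfig = ''
          options kvm_amd sev=1
        '';
      }
    ]))

    # /dev/sev-guest
    (mkIf cfgSevGuest.enable
      (deviceConfigFor "sevGuest" cfgSevGuest options.hardware.cpu.amd.sevGuest "sev-guest"))
  ];
```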
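Review bot: The `enable` description says `plugdev` membership is the prerequisite for using Glasgow as non-root, but the module only creates the empty group (`users.groups.plugdev = { };`) and never says how a user gets into it, so the reader is left to guess; append to the description something like `Users who should be able to use Glasgow must be added to the group, e.g. via users.users.<name>.extraGroups = [ "plugdev" ].` It is also worth stating in the same place that `plugdev` is a generic group name: any other udev rule on the system that grants `GROUP="plugdev"` access presumably becomes reachable to those users too, so the grant is wider than this one device. The udev rules themselves come from `pkgs.glasgow` and are not visible here, so which device nodes they cover and with what mode cannot be checked from this hunk.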