
205 lines
6.2 KiB
Raw Normal View History

2022-02-21 12:58:24 +08:00
{ pkgs
, diskImageSize ? "70G"
, windowsImage ? null
, autoUnattendParams ? {}
, impureMode ? false
, installCommands ? []
, users ? {}
# autounattend always installs index 1, so this default is backward-compatible
, imageSelection ? "Windows 10 Pro"
, efi ? true
, bundleInstaller ? {}
, ...
lib = pkgs.lib;
utils = import ./utils.nix { inherit pkgs efi; };
libguestfs = pkgs.libguestfs-with-appliance;
# p7zip on >20.03 has known vulns but we have no better option
p7zip = pkgs.p7zip.overrideAttrs(old: {
meta = old.meta // {
knownVulnerabilities = [];
# bundle
bundleInstaller = pkgs.runCommandNoCC "win-bundle-installer.exe" {} ''
mkdir bundle
cd bundle
cp ${bundle/go.mod} go.mod
cp ${bundle/main.go} main.go
env HOME=$(mktemp -d) GOOS=windows GOARCH=amd64 ${pkgs.go}/bin/go build
mv bundle.exe $out
2022-02-21 12:58:24 +08:00
runQemuCommand = name: command: (
pkgs.runCommandNoCC name { buildInputs = [ p7zip utils.qemu libguestfs ]; }
if ! test -f; then
echo "KVM not available, bailing out" >> /dev/stderr
exit 1
'' + command
windowsIso = if windowsImage != null then windowsImage else pkgs.requireFile rec {
name = "xks67i4frg8k7rmlv5298aac0s4n5nih-RESTRICTDIST-release_svc_refresh_CLIENT_LTSC_EVAL_x64FRE_en-us.iso";
sha256 = "0fmw30g7959bh47z8xi5pmmxq4kb0sxs1qxf51il3xy2f2py33v6";
2022-02-21 12:58:24 +08:00
message = "Get ${name} from";
# stable as of 2021-04-08
virtioWinIso = pkgs.fetchurl {
url = "";
sha256 = "11n3kjyawiwacmi3jmfmn311g9xvfn6m0ccdwnjxw1brzb4kqaxg";
openSshServerPackage = pkgs.fetchurl {
url = "";
sha256 = "1dw6n054r0939501dpxfm7ghv21ihmypdx034van8cl21gf1b4lz";
autounattend = import ./autounattend.nix (
attrs // {
inherit pkgs;
users = users // {
wfvm = {
password = "1234";
description = "WFVM Administrator";
groups = [
# Packages required to drive installation of other packages
bootstrapPkgs =
runQemuCommand "bootstrap-win-pkgs.img" ''
7z x -y ${virtioWinIso} -opkgs/virtio
cp ${bundleInstaller} pkgs/"$(stripHash "${bundleInstaller}")"
# Install optional windows features
cp ${openSshServerPackage} pkgs/
# SSH setup script goes here because windows XML parser sucks
cp ${./install-ssh.ps1} pkgs/install-ssh.ps1
cp ${autounattend.setupScript} pkgs/setup.ps1
virt-make-fs --partition --type=fat pkgs/ $out
installScript = pkgs.writeScript "windows-install-script" (
qemuParams = utils.mkQemuFlags (lib.optional (!impureMode) "-display none" ++ [
# "CD" drive with bootstrap pkgs
# USB boot
"id=win-install,file=${if efi then "usb" else "cd"}image.img,if=none,format=raw,readonly=on,media=${if efi then "disk" else "cdrom"}"
# Output image
# Network
"-netdev user,id=n1,net=,restrict=on"
set -euxo pipefail
export PATH=${lib.makeBinPath [ p7zip utils.qemu libguestfs pkgs.wimlib ]}:$PATH
# Create a bootable "USB" image
# Booting in USB mode circumvents the "press any key to boot from cdrom" prompt
# Also embed the autounattend answer file in this image
mkdir -p win
mkdir -p win/nix-win
7z x -y ${windowsIso} -owin
# Split image so it fits in FAT32 partition
wimsplit win/sources/install.wim win/sources/install.swm 4090
rm win/sources/install.wim
cp ${autounattend.autounattendXML} win/autounattend.xml
${if efi then ''
virt-make-fs --partition --type=fat win/ usbimage.img
'' else ''
${pkgs.cdrkit}/bin/mkisofs -iso-level 4 -l -R -udf -D -b boot/ -no-emul-boot -boot-load-size 8 -hide boot.catalog -eltorito-alt-boot -o cdimage.img win/
rm -rf win
# Qemu requires files to be rw
qemu-img create -f qcow2 c.img ${diskImageSize}
qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams}
baseImage = pkgs.runCommandNoCC "RESTRICTDIST-windows.img" {} ''
mv c.img $out
finalImage = builtins.foldl' (acc: v: pkgs.runCommandNoCC "RESTRICTDIST-${}.img" {
buildInputs = with utils; [
qemu win-wait win-exec win-put
] ++ (v.buildInputs or []);
} (let
script = pkgs.writeScript "${}-script" v.script;
qemuParams = utils.mkQemuFlags (lib.optional (!impureMode) "-display none" ++ [
# Output image
# Network - enable SSH forwarding
"-netdev user,id=n1,net=,restrict=on,hostfwd=tcp::2022-:22"
in ''
# Create an image referencing the previous image in the chain
qemu-img create -f qcow2 -b ${acc} c.img
set -m
qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams} &
echo "Executing script to build layer..."
echo "Layer script done"
echo "Shutting down..."
win-exec 'shutdown /s'
echo "Waiting for VM to terminate..."
echo "Done"
mv c.img $out
'')) baseImage (
name = "DisablePasswordExpiry";
script = ''
win-exec 'wmic UserAccount set PasswordExpires=False'
] ++
# impureMode is meant for debugging the base image, not the full incremental build process
if !(impureMode) then finalImage else assert installCommands == []; installScript