utils.nix: pass all attrs

Fixes passing baseRtc and other parameters

README.md

@@ -28,14 +28,21 @@ How to use
 Install a Windows image
 -----------------------
 
-1. Adjust demo-image in ``flake.nix`` accordingly
+1. Adjust demo-image.nix accordingly
 2. Run:
 
+If in impure mode
 ```shell
-nix build .#demo-image
+nix-build demo-image.nix
 ./result
 ```
+Results in a file called c.img
 
+If in pure mode
+```shell
+nix-build demo-image.nix
+ls -la ./result
+```
 Results in a symlink to the image in the nix store
 
 
@@ -46,4 +53,29 @@ Sometimes it can be useful to build the image _outside_ of the Nix sandbox for d
 
 For this purpose we have an attribute called `impureMode` which outputs the shell script used by Nix inside the sandbox to build the image.
 
-When building an image with flakes, use ``nix build .#demo-image-impure`` instead.
+
+Usage with Nix Flakes
+---------------------
+
+Build the demo by running:
+```shell
+nix build .#demoImage
+```
+
+This project's **flake.nix** exposes its functions under `lib`. To use
+in your own project, setup your flake like this:
+
+```nix
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    wfvm.url = "git+https://git.m-labs.hk/m-labs/wfvm";
+  };
+
+  outputs = { self, nixpkgs, wfvm }: {
+    packages."x86_64-linux".flaky-os = wfvm.lib.makeWindowsImage {
+      # configuration parameters go here
+    };
+  };
+}
+```

flake.lock

@@ -2,17 +2,17 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1593034146,
-        "narHash": "sha256-EypP7RyPq5Yv05VgsQoIkdn26KJUIgQCItHgVY1MMQE=",
+        "lastModified": 1685004253,
+        "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f8248ab6d9e69ea9c07950d73d48807ec595e923",
+        "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
-        "rev": "f8248ab6d9e69ea9c07950d73d48807ec595e923",
         "type": "github"
       }
     },

flake.nix

@@ -1,129 +1,37 @@
 {
-  description = "A Nix library to create and manage virtual machines running Windows.";
-  inputs.nixpkgs.url = github:NixOS/nixpkgs/f8248ab6d9e69ea9c07950d73d48807ec595e923;
+  description = "WFVM: Windows Functional Virtual Machine";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+  };
+
   outputs = { self, nixpkgs }:
     let
-      pkgs = import nixpkgs { system = "x86_64-linux"; };
-      lib = pkgs.lib;
-      # utils
-      utils = (import wfvm/utils.nix { inherit pkgs; });
-      # layers
-      layers = (import wfvm/layers { inherit pkgs; }); # end of layers
+      # only x64 is supported
+      system = "x86_64-linux";
 
+      pkgs = nixpkgs.legacyPackages.${system};
 
+    in rec {
+      lib = import ./wfvm {
+        inherit pkgs;
+      };
 
-    # makeWindowsImage 
-    makeWindowsImage = attrs: import wfvm/win.nix ({ inherit pkgs; } // attrs );
-
-    build-demo-image = { impureMode ? false }: makeWindowsImage {
-          # Build install script & skip building iso
-
-          inherit impureMode;
-
-          # Custom base iso
-          # windowsImage = pkgs.requireFile rec {
-          #   name = "Win10_21H1_English_x64.iso";
-          #   sha256 = "1sl51lnx4r6ckh5fii7m2hi15zh8fh7cf7rjgjq9kacg8hwyh4b9";
-          #   message = "Get ${name} from https://www.microsoft.com/en-us/software-download/windows10ISO";
-          # };
-
-          # impureShellCommands = [
-          #   "powershell.exe echo Hello"
-          # ];
-
-          # User accounts
-          # users = {
-          #   artiq = {
-          #     password = "1234";
-          #     # description = "Default user";
-          #     # displayName = "Display name";
-          #     groups = [
-          #       "Administrators"
-          #     ];
-          #   };
-          # };
-
-          # Auto login
-          # defaultUser = "artiq";
-
-          # fullName = "M-Labs";
-          # organization = "m-labs";
-          # administratorPassword = "12345";
-
-          # Imperative installation commands, to be installed incrementally
-          installCommands = if impureMode then [] else (with layers; [
-              (collapseLayers [
-                disable-autosleep
-                disable-autolock
-                disable-firewall
-              ])
-              anaconda3 msys2 msvc msvc-ide-unbreak
-            ]);
-
-          # services = {
-          #   # Enable remote management
-          #   WinRm = {
-          #     Status = "Running";
-          #     PassThru = true;
-          #   };
-          # };
-
-          # License key (required)
-          # productKey = throw "Search the f* web"
-          # imageSelection = "1";
-
-          # Locales
-          # uiLanguage = "en-US";
-          # inputLocale = "en-US";
-          # userLocale = "en-US";
-          # systemLocale = "en-US";
+      packages.${system} = rec {
+        demoImage = import ./wfvm/demo-image.nix {
+          inherit self;
         };
 
-    in {
-
-      # bundle dev env
-      devShell.x86_64-linux = pkgs.mkShell {
-        name = "wfvm-dev-shell";
-        buildInputs = with pkgs; [
-          go
-        ];
-        shellHook = ''
-          unset GOPATH
-        '';
-      };
-
-      inherit utils;
-      inherit makeWindowsImage;
-      inherit layers;
-
-      demo-ssh = utils.wfvm-run {
-        name = "demo-ssh";
-        image = build-demo-image {};
-        isolateNetwork = false;
-        script = ''
-          ${pkgs.sshpass}/bin/sshpass -p1234 -- ${pkgs.openssh}/bin/ssh -p 2022 wfvm@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
-        '';
-      };
-
-      packages.x86_64-linux = {
-        demo-image = build-demo-image {};
-        demo-image-impure = build-demo-image { impureMode = true; };
-
-        make-msys-packages = utils.wfvm-run {
-          name = "get-msys-packages";
-          image = makeWindowsImage { installCommands = [ layers.msys2 ]; };
-          script = ''
-            cat > getmsyspackages.bat << EOF
-            set MSYS=C:\\MSYS64
-            set TOOLPREF=mingw-w64-x86_64-
-            set PATH=%MSYS%\usr\bin;%MSYS%\mingw64\bin;%PATH%
-            pacman -Sp %TOOLPREF%gcc %TOOLPREF%binutils make autoconf automake libtool texinfo > packages.txt
-            EOF
-            \${utils.win-put}/bin/win-put getmsyspackages.bat
-            \${utils.win-exec}/bin/win-exec getmsyspackages
-            \${utils.win-get}/bin/win-get packages.txt
-          '';
+        default = lib.utils.wfvm-run {
+          name = "demo";
+          image = demoImage;
+          script =
+            ''
+            echo "Windows booted. Press Enter to terminate VM."
+            read
+            '';
+          display = true;
         };
       };
     };
-}
+}

wfvm/autounattend.nix

@@ -15,7 +15,8 @@
 , impureShellCommands ? []
 , driveLetter ? "D:"
 , efi ? true
-, imageSelection ? "1"
+, imageSelection ? "Windows 11 Pro N"
+, enableTpm
 , ...
 }:
 
@@ -58,18 +59,16 @@ let
   assertCommand = c: builtins.typeOf c == "string" || builtins.typeOf c == "set" && builtins.hasAttr "Path" c && builtins.hasAttr "Description" c;
 
   commands = builtins.map (x: assert assertCommand x; if builtins.typeOf x == "string" then { Path = x; Description = x; } else x) (
-    [
-      {
-        Path = "powershell.exe Set-ExecutionPolicy -Force Unrestricted";
-        Description = "Allow unsigned powershell scripts.";
-      }
-    ]
-    ++ [
-      {
-        Path = ''powershell.exe ${driveLetter}\win-bundle-installer.exe'';
-        Description = "Install any declared packages.";
-      }
-    ]
+    [ {
+      Path = "powershell.exe Set-ExecutionPolicy -Force Unrestricted";
+      Description = "Allow unsigned powershell scripts.";
+    } {
+      Path = ''powershell.exe ${driveLetter}\win-bundle-installer.exe'';
+      Description = "Install any declared packages.";
+    } {
+      Path = "net accounts /maxpwage:unlimited";
+      Description = "Disable forced password expiry.";
+    } ]
     ++ setupCommands
     ++ [
       {
@@ -148,6 +147,14 @@ let
           </DriverPaths>
         </component>
         <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+          ${lib.optionalString (!enableTpm) ''
+            <RunSynchronous>
+              <RunSynchronousCommand wcm:action="add">
+                <Order>1</Order>
+                <Path>reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f</Path>
+              </RunSynchronousCommand>
+            </RunSynchronous>
+          ''}
 
           <DiskConfiguration>
             <Disk wcm:action="add">
@@ -199,8 +206,9 @@ let
                 <PartitionID>3</PartitionID>
               </InstallTo>
               <InstallFrom>
+                <Path>\install.swm</Path>
                 <MetaData wcm:action="add">
-                  <Key>/IMAGE/INDEX</Key>
+                  <Key>/IMAGE/NAME</Key>
                   <Value>${imageSelection}</Value>
                 </MetaData>
               </InstallFrom>
@@ -209,7 +217,7 @@ let
 
           <UserData>
             <ProductKey>
-              ${if productKey != null then "<Key>${productKey}</Key>" else ""}
+              ${if productKey != null then "<Key>${productKey}</Key>" else "<Key/>"}
               <WillShowUI>OnError</WillShowUI>
             </ProductKey>
             <AcceptEula>true</AcceptEula>
@@ -299,13 +307,13 @@ let
         </component>
       </settings>
 
-       <cpi:offlineImage cpi:source="wim:c:/wim/windows-10/install.wim#${imageSelection}" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
+       <cpi:offlineImage cpi:source="wim:c:/wim/windows-11/install.wim#${imageSelection}" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
     </unattend>
   '';
 
 in {
   # Lint and format as a sanity check
-  autounattendXML = pkgs.runCommandNoCC "autounattend.xml" {} ''
+  autounattendXML = pkgs.runCommand "autounattend.xml" {} ''
     ${pkgs.libxml2}/bin/xmllint --format ${autounattendXML} > $out
   '';
 

wfvm/bundle/default.nix

@@ -0,0 +1,10 @@
+{ pkgs }:
+
+pkgs.runCommand "win-bundle-installer.exe" {} ''
+  mkdir bundle
+  cd bundle
+  cp ${./go.mod} go.mod
+  cp ${./main.go} main.go
+  env HOME=$(mktemp -d) GOOS=windows GOARCH=amd64 ${pkgs.go}/bin/go build
+  mv bundle.exe $out
+''

wfvm/bundle/shell.nix

@@ -0,0 +1,13 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.mkShell {
+
+  buildInputs = [
+    pkgs.go
+  ];
+
+  shellHook = ''
+    unset GOPATH
+  '';
+
+}

wfvm/default.nix

@@ -0,0 +1,7 @@
+{ pkgs }:
+
+{
+  makeWindowsImage = attrs: import ./win.nix ({ inherit pkgs; } // attrs);
+  layers = import ./layers { inherit pkgs; };
+  utils = import ./utils.nix { inherit pkgs; };
+}

wfvm/demo-image.nix

@@ -0,0 +1,82 @@
+{ pkgs ? import <nixpkgs> {}
+# Whether to generate just a script to start and debug the windows installation
+, impureMode ? false
+# Flake input `self`
+, self ? null
+}:
+
+let
+  wfvm =
+    if self == null
+    # nix-build
+    then (import ./default.nix { inherit pkgs; })
+    # built from flake.nix
+    else self.lib;
+in
+wfvm.makeWindowsImage {
+  # Build install script & skip building iso
+  inherit impureMode;
+
+  # Custom base iso
+  # windowsImage = pkgs.requireFile rec {
+  #   name = "Win11_22H2_English_x64v1.iso";
+  #   sha256 = "08mbppsm1naf73z8fjyqkf975nbls7xj9n4fq0yp802dv1rz3whd";
+  #   message = "Get disk image ${name} from https://www.microsoft.com/en-us/software-download/windows11/";
+  # };
+
+  # impureShellCommands = [
+  #   "powershell.exe echo Hello"
+  # ];
+
+  # User accounts
+  # users = {
+  #   artiq = {
+  #     password = "1234";
+  #     # description = "Default user";
+  #     # displayName = "Display name";
+  #     groups = [
+  #       "Administrators"
+  #     ];
+  #   };
+  # };
+
+  # Auto login
+  # defaultUser = "artiq";
+
+  # fullName = "M-Labs";
+  # organization = "m-labs";
+  # administratorPassword = "12345";
+
+  # Imperative installation commands, to be installed incrementally
+  installCommands =
+    if impureMode
+    then []
+    else with wfvm.layers; [
+      (collapseLayers [
+        disable-autosleep
+        disable-autolock
+        disable-firewall
+      ])
+      anaconda3 msys2
+    ];
+
+  # services = {
+  #   # Enable remote management
+  #   WinRm = {
+  #     Status = "Running";
+  #     PassThru = true;
+  #   };
+  # };
+
+  # License key (required)
+  # productKey = throw "Search the f* web"
+  imageSelection = "Windows 11 Pro N";
+
+
+  # Locales
+  # uiLanguage = "en-US";
+  # inputLocale = "en-US";
+  # userLocale = "en-US";
+  # systemLocale = "en-US";
+
+}

wfvm/demo-ssh.nix

@@ -0,0 +1,13 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+let
+  wfvm = (import ./default.nix { inherit pkgs; });
+in
+  wfvm.utils.wfvm-run {
+    name = "demo-ssh";
+    image = import ./demo-image.nix { inherit pkgs; };
+    isolateNetwork = false;
+    script = ''
+      ${pkgs.sshpass}/bin/sshpass -p1234 -- ${pkgs.openssh}/bin/ssh -p 2022 wfvm@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+    '';
+  }

wfvm/layers/default.nix

@@ -1,7 +1,6 @@
 { pkgs }:
 let
-  makeWindowsImage =  attrs: import ../win.nix ({ inherit pkgs; } // attrs );
-  utils = import ../utils.nix { inherit pkgs; };
+  wfvm = import ../. { inherit pkgs; };
 in
 {
   anaconda3 = {
@@ -73,20 +72,20 @@ in
       bootstrapper = pkgs.fetchurl {
         name = "RESTRICTDIST-vs_Community.exe";
         url = "https://aka.ms/vs/16/release/vs_community.exe";
-        sha256 = "sha256-bxi8LsvNxSZshkTbhK/FEmMx84NKYB7TUNOm9sAKXS8=";
+        sha256 = "sha256-l4ZKFZTgHf3BmD0eFWyGwsvb4lqB/LiQYizAABOs3gg=";
       };
       # This touchy-feely "community" piece of trash seems deliberately crafted to break Wine, so we use the VM to run it.
-      download-vs = utils.wfvm-run {
+      download-vs = wfvm.utils.wfvm-run {
         name = "download-vs";
-        image = makeWindowsImage { };
+        image = wfvm.makeWindowsImage { };
         isolateNetwork = false;
         script =
           ''
           ln -s ${bootstrapper} vs_Community.exe
-          ${utils.win-put}/bin/win-put vs_Community.exe
+          ${wfvm.utils.win-put}/bin/win-put vs_Community.exe
           rm vs_Community.exe
-          ${utils.win-exec}/bin/win-exec "vs_Community.exe --quiet --norestart --layout c:\vslayout --add Microsoft.VisualStudio.Workload.NativeDesktop --includeRecommended --lang en-US"
-          ${utils.win-get}/bin/win-get /c:/vslayout
+          ${wfvm.utils.win-exec}/bin/win-exec "vs_Community.exe --quiet --norestart --layout c:\vslayout --add Microsoft.VisualStudio.Workload.NativeDesktop --includeRecommended --lang en-US"
+          ${wfvm.utils.win-get}/bin/win-get /c:/vslayout
           '';
       };
       cache = pkgs.stdenv.mkDerivation {
@@ -94,7 +93,7 @@ in
 
         outputHashAlgo = "sha256";
         outputHashMode = "recursive";
-        outputHash = "0ic3jvslp2y9v8yv9mfr2mafkvj2q5frmcyhmlbxj71si1x3kpag";
+        outputHash = "sha256-GoOKzln8DXVMx52jWGEjwkOFkpSW+wEffAVmBVugIyk=";
 
         phases = [ "buildPhase" ];
         buildInputs = [ download-vs ];

wfvm/layers/make_msys_packages.sh

@@ -2,7 +2,27 @@
 
 set -e
 
-nix build .#make-msys-packages
+nix-build -E "
+let
+  pkgs = import <nixpkgs> {};
+  wfvm = import ../default.nix { inherit pkgs; };
+in
+  wfvm.utils.wfvm-run {
+    name = \"get-msys-packages\";
+    image = wfvm.makeWindowsImage { installCommands = [ wfvm.layers.msys2 ]; };
+    script = ''
+      cat > getmsyspackages.bat << EOF
+      set MSYS=C:\\MSYS64
+      set TOOLPREF=mingw-w64-x86_64-
+      set PATH=%MSYS%\usr\bin;%MSYS%\mingw64\bin;%PATH%
+      pacman -Sp %TOOLPREF%gcc %TOOLPREF%binutils make autoconf automake libtool texinfo > packages.txt
+      EOF
+      \${wfvm.utils.win-put}/bin/win-put getmsyspackages.bat
+      \${wfvm.utils.win-exec}/bin/win-exec getmsyspackages
+      \${wfvm.utils.win-get}/bin/win-get packages.txt
+    '';
+  }
+"
 
 ./result/bin/wfvm-run-get-msys-packages
 

wfvm/utils.nix

@@ -1,23 +1,45 @@
-{ pkgs, baseRtc ? "2020-04-20T14:21:42", cores ? "4", qemuMem ? "4G", efi ? true }:
+{ pkgs
+, baseRtc ? "2022-10-10T10:10:10"
+, cores ? "4"
+, qemuMem ? "4G"
+, efi ? true
+, enableTpm ? false
+, ...
+}:
 
 rec {
   # qemu_test is a smaller closure only building for a single system arch
   qemu = pkgs.qemu;
 
+  OVMF = pkgs.OVMF.override {
+    secureBoot = true;
+  };
+
   mkQemuFlags = extraFlags: [
     "-enable-kvm"
     "-cpu host"
     "-smp ${cores}"
     "-m ${qemuMem}"
-    "-M q35"
+    "-M q35,smm=on"
     "-vga qxl"
     "-rtc base=${baseRtc}"
     "-device qemu-xhci"
     "-device virtio-net-pci,netdev=n1"
   ] ++ pkgs.lib.optionals efi [
-    "-bios ${pkgs.OVMF.fd}/FV/OVMF.fd"
+    "-bios ${OVMF.fd}/FV/OVMF.fd"
+  ] ++ pkgs.lib.optionals enableTpm [
+    "-chardev" "socket,id=chrtpm,path=tpm.sock"
+    "-tpmdev" "emulator,id=tpm0,chardev=chrtpm"
+    "-device" "tpm-tis,tpmdev=tpm0"
   ] ++ extraFlags;
 
+  tpmStartCommands = pkgs.lib.optionalString enableTpm ''
+    mkdir -p tpmstate
+    ${pkgs.swtpm}/bin/swtpm socket \
+      --tpmstate dir=tpmstate \
+      --ctrl type=unixio,path=tpm.sock &
+  '';
+
   # Pass empty config file to prevent ssh from failing to create ~/.ssh
   sshOpts = "-F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=1";
   win-exec = pkgs.writeShellScriptBin "win-exec" ''
@@ -93,6 +115,7 @@ rec {
       ]);
     in pkgs.writeShellScriptBin "wfvm-run-${name}" ''
       set -e -m
+      ${tpmStartCommands}
       ${qemu}/bin/qemu-system-x86_64 ${pkgs.lib.concatStringsSep " " qemuParams} &
 
       ${win-wait}/bin/win-wait

wfvm/win.nix

@@ -5,17 +5,17 @@
 , impureMode ? false
 , installCommands ? []
 , users ? {}
+, enableTpm ? true
 # autounattend always installs index 1, so this default is backward-compatible
-, imageSelection ? "Windows 10 Pro"
+, imageSelection ? "Windows 11 Pro N"
 , efi ? true
-, bundleInstaller ? {}
 , ...
 }@attrs:
 
 let
   lib = pkgs.lib;
-  utils = import ./utils.nix { inherit pkgs efi; };
-  libguestfs = pkgs.libguestfs-with-appliance;
+  utils = import ./utils.nix ({ inherit pkgs efi enableTpm; } // attrs);
+  inherit (pkgs) guestfs-tools;
 
   # p7zip on >20.03 has known vulns but we have no better option
   p7zip = pkgs.p7zip.overrideAttrs(old: {
@@ -24,18 +24,8 @@ let
     };
   });
 
-  # bundle
-  bundleInstaller = pkgs.runCommandNoCC "win-bundle-installer.exe" {} ''
-    mkdir bundle
-    cd bundle
-    cp ${bundle/go.mod} go.mod
-    cp ${bundle/main.go} main.go
-    env HOME=$(mktemp -d) GOOS=windows GOARCH=amd64 ${pkgs.go}/bin/go build
-    mv bundle.exe $out
-  '';
-
   runQemuCommand = name: command: (
-    pkgs.runCommandNoCC name { buildInputs = [ p7zip utils.qemu libguestfs ]; }
+    pkgs.runCommand name { buildInputs = [ p7zip utils.qemu guestfs-tools ]; }
       (
         ''
           if ! test -f; then
@@ -47,15 +37,14 @@ let
   );
 
   windowsIso = if windowsImage != null then windowsImage else pkgs.requireFile rec {
-    name = "xks67i4frg8k7rmlv5298aac0s4n5nih-RESTRICTDIST-release_svc_refresh_CLIENT_LTSC_EVAL_x64FRE_en-us.iso";
-    sha256 = "0fmw30g7959bh47z8xi5pmmxq4kb0sxs1qxf51il3xy2f2py33v6";
-    message = "Get ${name} from https://www.microsoft.com/en-us/software-download/windows10ISO";
+    name = "Win11_22H2_English_x64v2.iso";
+    sha256 = "0xhhxy47yaf1jsfmskym5f65hljw8q0aqs70my86m402i6dsjnc0";
+    message = "Get disk image ${name} from https://www.microsoft.com/en-us/software-download/windows11/";
   };
 
-  # stable as of 2021-04-08
   virtioWinIso = pkgs.fetchurl {
-    url = "https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.185-2/virtio-win-0.1.185.iso";
-    sha256 = "11n3kjyawiwacmi3jmfmn311g9xvfn6m0ccdwnjxw1brzb4kqaxg";
+    url = "https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.229-1/virtio-win.iso";
+    sha256 = "1q5vrcd70kya4nhlbpxmj7mwmwra1hm3x7w8rzkawpk06kg0v2n8";
   };
 
   openSshServerPackage = pkgs.fetchurl {
@@ -65,7 +54,7 @@ let
 
   autounattend = import ./autounattend.nix (
     attrs // {
-      inherit pkgs;
+      inherit pkgs enableTpm;
       users = users // {
         wfvm = {
           password = "1234";
@@ -78,6 +67,8 @@ let
     }
   );
 
+  bundleInstaller = pkgs.callPackage ./bundle {};
+
   # Packages required to drive installation of other packages
   bootstrapPkgs =
     runQemuCommand "bootstrap-win-pkgs.img" ''
@@ -118,7 +109,7 @@ let
       ''
         #!${pkgs.runtimeShell}
         set -euxo pipefail
-        export PATH=${lib.makeBinPath [ p7zip utils.qemu libguestfs pkgs.wimlib ]}:$PATH
+        export PATH=${lib.makeBinPath [ p7zip utils.qemu guestfs-tools pkgs.wimlib ]}:$PATH
 
         # Create a bootable "USB" image
         # Booting in USB mode circumvents the "press any key to boot from cdrom" prompt
@@ -129,7 +120,7 @@ let
         7z x -y ${windowsIso} -owin
 
         # Split image so it fits in FAT32 partition
-        wimsplit win/sources/install.wim win/sources/install.swm 4090
+        wimsplit win/sources/install.wim win/sources/install.swm 4070
         rm win/sources/install.wim
 
         cp ${autounattend.autounattendXML} win/autounattend.xml
@@ -141,18 +132,20 @@ let
         ''}
         rm -rf win
 
+        ${utils.tpmStartCommands}
+
         # Qemu requires files to be rw
         qemu-img create -f qcow2 c.img ${diskImageSize}
         qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams}
       ''
   );
 
-  baseImage = pkgs.runCommandNoCC "RESTRICTDIST-windows.img" {} ''
+  baseImage = pkgs.runCommand "RESTRICTDIST-windows.img" {} ''
     ${installScript}
     mv c.img $out
   '';
 
-  finalImage = builtins.foldl' (acc: v: pkgs.runCommandNoCC "RESTRICTDIST-${v.name}.img" {
+  finalImage = builtins.foldl' (acc: v: pkgs.runCommand "RESTRICTDIST-${v.name}.img" {
     buildInputs = with utils; [
       qemu win-wait win-exec win-put
     ] ++ (v.buildInputs or []);
@@ -167,8 +160,11 @@ let
     ]);
 
   in ''
+    set -x
+    ${utils.tpmStartCommands}
+
     # Create an image referencing the previous image in the chain
-    qemu-img create -f qcow2 -b ${acc} c.img
+    qemu-img create -F qcow2 -f qcow2 -b ${acc} c.img
 
     set -m
     qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams} &