lima-vm · FlUxIuS · Apr 10, 2026 · AkihiroSuda · Apr 10, 2026 · AkihiroSuda
diff --git a/pkg/cidata/cloud-config.yaml b/pkg/cidata/cloud-config.yaml
diff --git a/pkg/cidata/cloud-config.yaml b/pkg/cidata/cloud-config.yaml
@@ -0,0 +1,189 @@
+#cloud-config
+# vim:syntax=yaml
+
+growpart:
+  mode: auto
+  devices: ['/']
+
+{{- if eq .OS "FreeBSD" }}
+packages:
+  # boot.sh depends on sudo.
+  # TODO: consider replacing sudo with doas.
+  # FIXME: The hostagent script depends on sudo too.
+  # https://github.com/lima-vm/lima/issues/4594
+  - sudo
+{{- end }}
+
+{{- if .UpgradePackages }}
+package_update: true
+package_upgrade: true
+package_reboot_if_required: true
+{{- end }}
+
+{{- if or .RosettaEnabled (and .Mounts (or (eq .MountType "9p") (eq .MountType "virtiofs"))) }}
+mounts:
+  {{- if .RosettaEnabled }}{{/* Mount the rosetta volume before systemd-binfmt.service(8) starts */}}
+- [vz-rosetta, /mnt/lima-rosetta, virtiofs, defaults, "0", "0"]
+  {{- end }}
+  {{- if and .Mounts (or (eq .MountType "9p") (eq .MountType "virtiofs")) }}
+    {{- range $m := $.Mounts}}
+- [{{$m.Tag}}, {{$m.MountPoint}}, {{$m.Type}}, "{{$m.Options}}", "0", "0"]
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if .TimeZone }}
+timezone: {{.TimeZone}}
+{{- end }}
+
+users:
+  - name: "{{.User}}"
+{{- if ne .OS "FreeBSD" }}
+    # nuageinit does not support specifying the UID.
+    # The UID is fixed up in boot.essential.FreeBSD/00-freebsd-user-group.sh
+    uid: "{{.UID}}"
+{{- end }}
+{{- if .Comment }}
+    gecos: {{ printf "%q" .Comment }}
+{{- end }}
+    homedir: "{{.Home}}"
+    shell: {{.Shell}}
+{{- if eq .OS "Darwin" }}
+    {{/* On macOS, the password is not locked so as to allow GUI login. */}}
+    {{/* Since the user can run sudo with their own password, basically we don't need to set up passwordless sudo. */}}
+    {{/* However, it is still configured to allow `/sbin/shutdown -h now` without password, as it is invoked by `limactl stop` for graceful shutdown. */}}
+    {{/* (Why doesn't macOS VM support graceful shutdown?) */}}
+    sudo: ALL=(ALL) NOPASSWD:/sbin/shutdown -h now
+{{- else }}
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    {{- if eq .OS "FreeBSD" }}
+    groups:
+    - wheel
+    doas: permit nopass :wheel
+    {{- end}}
+    lock_passwd: true
+{{- end }}
+{{- if eq .OS "FreeBSD" }}
+    ssh_authorized_keys:
+{{- else }}
+    ssh-authorized-keys:
+{{- end }}
+    {{- range $val := .SSHPubKeys }}
+      - {{ printf "%q" $val }}
+    {{- end }}
+
+{{- if .BootScripts }}
+write_files:
+ - content: |
+      #!/bin/sh
+      set -eux
+      LIMA_CIDATA_MNT="/mnt/lima-cidata"
+      UNAME="$(uname -s)"
+      if [ "${UNAME}" = "Darwin" ]; then
+        LIMA_CIDATA_MNT="/Volumes/cidata"
+        # Should have been mounted automatically
+      elif [ "${UNAME}" = "FreeBSD" ]; then
+        LIMA_CIDATA_DEV="/dev/iso9660/cidata"
+        if [ ! -e "${LIMA_CIDATA_DEV}" ]; then
+          # When the iso is created with `hdiutil` on macOS,
+          # apparently the volume name becomes "CIDATA" not "cidata"
+          LIMA_CIDATA_DEV="/dev/iso9660/CIDATA"
+        fi
+        mkdir -p -m 700 "${LIMA_CIDATA_MNT}"
+        mount_cd9660 -G wheel -U root -m 0700 -o ro,exec "${LIMA_CIDATA_DEV}" "${LIMA_CIDATA_MNT}"
+      elif [ "${UNAME}" = "Linux" ]; then
+        LIMA_CIDATA_DEV="/dev/disk/by-label/cidata"
+        mkdir -p -m 700 "${LIMA_CIDATA_MNT}"
+        mount -o ro,mode=0700,dmode=0700,overriderockperm,exec,uid=0 "${LIMA_CIDATA_DEV}" "${LIMA_CIDATA_MNT}"
+      else
+        echo "Unsupported OS: ${UNAME}" >&2
+        exit 1
+      fi
+      export LIMA_CIDATA_MNT
+      exec "${LIMA_CIDATA_MNT}"/boot.sh
+{{- if or (eq .OS "Darwin") (eq .OS "FreeBSD") }}
+   owner: root:wheel
+{{- else }}
+   owner: root:root
+{{- end }}
+{{- if eq .OS "FreeBSD" }}
+   # nuageinit requires the path to be under an existing directory
+   path: /usr/sbin/lima-freebsd-init.sh
+{{- else }}
+   path: /var/lib/cloud/scripts/per-boot/00-lima.boot.sh
+{{- end }}
+   permissions: '0755'
+{{- if eq .OS "FreeBSD" }}
+  # nuageinit does not run /var/lib/cloud/scripts/per-boot/* scripts
+ - content: |
+      #!/bin/sh
+
+      # PROVIDE: lima_freebsd_init
+      # REQUIRE: DAEMON
+      # BEFORE: LOGIN
+
+      . /etc/rc.subr
+
+      name="lima_freebsd_init"
+      rcvar="lima_freebsd_init_enable"
+      command="/usr/sbin/lima-freebsd-init.sh"
+
+      load_rc_config "$name"
+      run_rc_command "$1"
+   owner: root:wheel
+   path: /etc/rc.d/lima_freebsd_init
+   permissions: '0755'
+ - content: |
+      lima_freebsd_init_enable="YES"
+   owner: root:wheel
+   path: /etc/rc.conf.d/lima_freebsd_init
+   permissions: '0644'
+{{- end }}
+{{- end }}
+
+{{- if .DNSAddresses }}
+# This has no effect on systems using systemd-resolved, but is used
+# on e.g. Alpine to set up /etc/resolv.conf on first boot.
+
+manage_resolv_conf: true
+
+resolv_conf:
+  nameservers:
+  {{- range $ns := $.DNSAddresses }}
+  - {{$ns}}
+  {{- end }}
+{{- end }}
+
+{{- if or .CACerts.RemoveDefaults .CACerts.Trusted }}
+{{ with .CACerts }}
+ca_certs:
+  {{- if .RemoveDefaults }}
+  remove_defaults: {{ .RemoveDefaults }}
+  {{- end }}
+  {{- if .Trusted}}
+  trusted:
+  {{- range $cert := .Trusted }}
+  - |
+    {{- range $line := $cert.Lines }}
+    {{ $line }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if .BootCmds }}
+bootcmd:
+  {{- range $cmd := $.BootCmds }}
+- |
+  # We need to embed the params.env as a here-doc because /mnt/lima-cidata is not yet mounted
+  while read -r line; do [ -n "$line" ] && export "$line"; done <<'EOF'
+    {{- range $key, $val := $.Param }}
+  PARAM_{{ $key }}={{ $val }}
+    {{- end }}
+  EOF
+    {{- range $line := $cmd.Lines }}
+  {{ $line }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/pkg/driver/qemu/qemu.go b/pkg/driver/qemu/qemu.go
@@ -852,6 +852,9 @@ func Cmdline(ctx context.Context, cfg Config) (exe string, args []string, err er
 		args = append(args, "-device", "virtio-keyboard-pci")
 		args = append(args, "-device", "virtio-"+input+"-pci")
 		args = append(args, "-device", "qemu-xhci,id=usb-bus")
+	} else if *y.USB {
+		// Add USB controller without display for USB device passthrough
+		args = append(args, "-device", "qemu-xhci,id=usb-bus")
 	}
 
 	// Parallel

diff --git a/pkg/limatype/lima_yaml.go b/pkg/limatype/lima_yaml.go
@@ -35,6 +35,7 @@ type LimaYAML struct {
 	Firmware              Firmware      `yaml:"firmware,omitempty" json:"firmware,omitempty"`
 	Audio                 Audio         `yaml:"audio,omitempty" json:"audio,omitempty"`
 	Video                 Video         `yaml:"video,omitempty" json:"video,omitempty"`
+	USB                   *bool         `yaml:"usb,omitempty" json:"usb,omitempty" jsonschema:"nullable"`
-	USB                   *bool         `yaml:"usb,omitempty" json:"usb,omitempty" jsonschema:"nullable"`
+	USB                   USB        `yaml:"usb,omitempty" json:"usb,omitempty" jsonschema:"nullable"`
-	USB                   *bool         `yaml:"usb,omitempty" json:"usb,omitempty" jsonschema:"nullable"`
+	USB                   USB        `yaml:"usb,omitempty" json:"usb,omitempty" jsonschema:"nullable"`
 	Provision             []Provision   `yaml:"provision,omitempty" json:"provision,omitempty"`
 	UpgradePackages       *bool         `yaml:"upgradePackages,omitempty" json:"upgradePackages,omitempty" jsonschema:"nullable"`
 	Containerd            Containerd    `yaml:"containerd,omitempty" json:"containerd,omitempty"`

diff --git a/pkg/limayaml/default.yaml b/pkg/limayaml/default.yaml