[nixos-qemu-vm-isolation] / modules / qemu-vm-isolation.nix

{ config, lib, modulesPath, pkgs, ... }:
let
  inherit (lib)
    escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;

  cfg = config.virtualisation.qemu.isolation;

  storeMountPath = if config.virtualisation.writableStore then
    "/nix/.ro-store"
  else
    "/nix/store";

  hostPkgs = config.virtualisation.host.pkgs;

  storeContents =
    hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };

  nixStoreImages = {
    ext4 = "${
        import (modulesPath + "/../lib/make-disk-image.nix") {
          inherit pkgs config lib;
          additionalPaths = [ storeContents ];
          onlyNixStore = true;
          label = "nix-store";
          partitionTableType = "none";
          installBootLoader = false;
          diskSize = "auto";
          additionalSpace = "0M";
          copyChannel = false;
        }
      }/nixos.img";
    erofs = "${
        hostPkgs.runCommand "nix-store-image" { } ''
          mkdir $out
          ${hostPkgs.gnutar}/bin/tar --create \
            --absolute-names \
            --verbatim-files-from \
            --transform 'flags=rSh;s|/nix/store/||' \
            --files-from ${storeContents}/store-paths \
            | ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
              --force-uid=0 \
              --force-gid=0 \
              -L nix-store \
              -U eb176051-bd15-49b7-9e6b-462e0b467019 \
              -T 0 \
              --tar=f \
              $out/nix-store.img
        ''
      }/nix-store.img";
    squashfs =
      "${hostPkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
        storeContents = config.virtualisation.additionalPaths;
      }}";
  };

in {
  options = {
    virtualisation.qemu.isolation.nixStoreFilesystemType = mkOption {
      description = ''
        What filesystem to use for the guest's Nix store.

        erofs is more compact than ext4, but less mature.

        squashfs support currently requires a dubious kludge that results in these
        VMs not being able to mount any other squashfs volumes besides the nix store.
      '';
      type = lib.types.enum [ "ext4" "erofs" "squashfs" ];
      default = "ext4";
    };
  };
  config = mkMerge [
    {
      boot.initrd.kernelModules =
        optional (cfg.nixStoreFilesystemType == "erofs") "erofs";

      nixpkgs.overlays = optional (cfg.nixStoreFilesystemType == "squashfs")
        (final: prev: {
          util-linux = prev.util-linux.overrideAttrs (old: {
            patches = (old.patches or [ ])
              ++ [ ./libblkid-squashfs-nix-store-kludge.patch ];
          });
        });

      fileSystems = mkVMOverride {
        "${storeMountPath}" = {
          fsType = cfg.nixStoreFilesystemType;
          options = [ "ro" ];
          neededForBoot = true;
          label = "nix-store";
        };
      };

      system.build.nixStoreImage =
        nixStoreImages."${cfg.nixStoreFilesystemType}";

      virtualisation = {

        sharedDirectories = mkForce { };

        qemu.drives = [{
          file = config.system.build.nixStoreImage;
          driveExtraOpts = {
            format = "raw";
            read-only = "on";
            werror = "report";
          };
        }];

      };
    }
    (mkIf (cfg.nixStoreFilesystemType == "ext4") {
      # We use this to disable fsck runs on the ext4 nix store image because stage-1
      # fsck crashes (maybe because the device is read-only?), halting boot.
      boot.initrd.checkJournalingFS = false;
    })
  ];
}
Commit	Line	Data
69619e0b SW	1	{ config, lib, modulesPath, pkgs, ... }:
69619e0b SW	2	let
f78c24af	3	inherit (lib)
e4f516e1	4	escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;
f78c24af SW	5
f78c24af SW	6	cfg = config.virtualisation.qemu.isolation;
69619e0b	7
69619e0b SW	8	storeMountPath = if config.virtualisation.writableStore then
	9	"/nix/.ro-store"
	10	else
	11	"/nix/store";
	12
f78c24af	13	hostPkgs = config.virtualisation.host.pkgs;
69619e0b	14
f78c24af SW	15	storeContents =
f78c24af SW	16	hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
68bdafb0	17
f78c24af	18	nixStoreImages = {
a8cf2d3d SW	19	ext4 = "${
	20	import (modulesPath + "/../lib/make-disk-image.nix") {
	21	inherit pkgs config lib;
	22	additionalPaths = [ storeContents ];
	23	onlyNixStore = true;
	24	label = "nix-store";
	25	partitionTableType = "none";
	26	installBootLoader = false;
	27	diskSize = "auto";
	28	additionalSpace = "0M";
	29	copyChannel = false;
	30	}
	31	}/nixos.img";
	32	erofs = "${
	33	hostPkgs.runCommand "nix-store-image" { } ''
	34	mkdir $out
1c40de51 SW	35	${hostPkgs.gnutar}/bin/tar --create \
	36	--absolute-names \
	37	--verbatim-files-from \
	38	--transform 'flags=rSh;s\|/nix/store/\|\|' \
	39	--files-from ${storeContents}/store-paths \
	40	\| ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
	41	--force-uid=0 \
	42	--force-gid=0 \
	43	-L nix-store \
	44	-U eb176051-bd15-49b7-9e6b-462e0b467019 \
	45	-T 0 \
	46	--tar=f \
	47	$out/nix-store.img
a8cf2d3d SW	48	''
	49	}/nix-store.img";
	50	squashfs =
	51	"${hostPkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
	52	storeContents = config.virtualisation.additionalPaths;
	53	}}";
f78c24af	54	};
69619e0b	55
f78c24af SW	56	in {
	57	options = {
	58	virtualisation.qemu.isolation.nixStoreFilesystemType = mkOption {
	59	description = ''
	60	What filesystem to use for the guest's Nix store.
69619e0b	61
f78c24af	62	erofs is more compact than ext4, but less mature.
a8cf2d3d SW	63
	64	squashfs support currently requires a dubious kludge that results in these
	65	VMs not being able to mount any other squashfs volumes besides the nix store.
f78c24af	66	'';
a8cf2d3d	67	type = lib.types.enum [ "ext4" "erofs" "squashfs" ];
f78c24af SW	68	default = "ext4";
	69	};
	70	};
	71	config = mkMerge [
	72	{
	73	boot.initrd.kernelModules =
	74	optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
69619e0b	75
a8cf2d3d SW	76	nixpkgs.overlays = optional (cfg.nixStoreFilesystemType == "squashfs")
	77	(final: prev: {
	78	util-linux = prev.util-linux.overrideAttrs (old: {
	79	patches = (old.patches or [ ])
	80	++ [ ./libblkid-squashfs-nix-store-kludge.patch ];
	81	});
	82	});
	83
f78c24af SW	84	fileSystems = mkVMOverride {
f78c24af SW	85	"${storeMountPath}" = {
f78c24af SW	86	fsType = cfg.nixStoreFilesystemType;
	87	options = [ "ro" ];
	88	neededForBoot = true;
e4f516e1	89	label = "nix-store";
f78c24af	90	};
26efd1b6	91	};
69619e0b	92
f78c24af SW	93	system.build.nixStoreImage =
	94	nixStoreImages."${cfg.nixStoreFilesystemType}";
	95
	96	virtualisation = {
	97
	98	sharedDirectories = mkForce { };
	99
	100	qemu.drives = [{
a8cf2d3d	101	file = config.system.build.nixStoreImage;
f78c24af SW	102	driveExtraOpts = {
	103	format = "raw";
	104	read-only = "on";
	105	werror = "report";
	106	};
	107	}];
	108
	109	};
	110	}
	111	(mkIf (cfg.nixStoreFilesystemType == "ext4") {
	112	# We use this to disable fsck runs on the ext4 nix store image because stage-1
	113	# fsck crashes (maybe because the device is read-only?), halting boot.
	114	boot.initrd.checkJournalingFS = false;
	115	})
	116	];
26efd1b6	117	}