[nixos-qemu-vm-isolation] / modules / qemu-vm-isolation.nix

{ config, lib, modulesPath, pkgs, ... }:
let
  inherit (lib) findSingle mkForce mkIf mkMerge mkVMOverride;

  lookupDriveDeviceName = driveName: driveList:
    (findSingle (drive: drive.name == driveName)
      (throw "Drive ${driveName} not found")
      (throw "Multiple drives named ${driveName}") driveList).device;

  storeMountPath = if config.virtualisation.writableStore then
    "/nix/.ro-store"
  else
    "/nix/store";

in {

  fileSystems = mkVMOverride {
    "${storeMountPath}" = {
      device =
        lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
      fsType = "ext4";
      options = [ "ro" ];
      neededForBoot = true;
    };
  };

  # We use this to disable fsck runs on the ext4 nix store image because stage-1
  # fsck crashes (maybe because the device is read-only?), halting boot.
  boot.initrd.checkJournalingFS = false;

  system.build.nixStoreImage =
    import (modulesPath + "/../lib/make-disk-image.nix") {
      inherit pkgs config lib;
      additionalPaths = [
        (config.virtualisation.host.pkgs.closureInfo {
          rootPaths = config.virtualisation.additionalPaths;
        })
      ];
      onlyNixStore = true;
      label = "nix-store";
      partitionTableType = "none";
      installBootLoader = false;
      diskSize = "auto";
      additionalSpace = "0M";
      copyChannel = false;
    };

  virtualisation = {

    sharedDirectories = mkForce { };

    qemu.drives = [{
      name = "nixstore";
      file = "${config.system.build.nixStoreImage}/nixos.img";
      driveExtraOpts = {
        format = "raw";
        read-only = "on";
        werror = "report";
      };
    }];

  };
}
Commit	Line	Data
69619e0b SW	1	{ config, lib, modulesPath, pkgs, ... }:
69619e0b SW	2	let
a91e7da8	3	inherit (lib) findSingle mkForce mkIf mkMerge mkVMOverride;
69619e0b SW	4
	5	lookupDriveDeviceName = driveName: driveList:
	6	(findSingle (drive: drive.name == driveName)
	7	(throw "Drive ${driveName} not found")
	8	(throw "Multiple drives named ${driveName}") driveList).device;
	9
	10	storeMountPath = if config.virtualisation.writableStore then
	11	"/nix/.ro-store"
	12	else
	13	"/nix/store";
	14
26efd1b6 SW	15	in {
26efd1b6 SW	16
26efd1b6 SW	17	fileSystems = mkVMOverride {
	18	"${storeMountPath}" = {
	19	device =
	20	lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
68bdafb0	21	fsType = "ext4";
26efd1b6 SW	22	options = [ "ro" ];
26efd1b6 SW	23	neededForBoot = true;
69619e0b	24	};
26efd1b6	25	};
69619e0b	26
68bdafb0 SW	27	# We use this to disable fsck runs on the ext4 nix store image because stage-1
	28	# fsck crashes (maybe because the device is read-only?), halting boot.
	29	boot.initrd.checkJournalingFS = false;
	30
	31	system.build.nixStoreImage =
	32	import (modulesPath + "/../lib/make-disk-image.nix") {
	33	inherit pkgs config lib;
	34	additionalPaths = [
	35	(config.virtualisation.host.pkgs.closureInfo {
	36	rootPaths = config.virtualisation.additionalPaths;
	37	})
	38	];
	39	onlyNixStore = true;
	40	label = "nix-store";
	41	partitionTableType = "none";
	42	installBootLoader = false;
	43	diskSize = "auto";
	44	additionalSpace = "0M";
	45	copyChannel = false;
26efd1b6	46	};
69619e0b	47
26efd1b6	48	virtualisation = {
69619e0b	49
26efd1b6	50	sharedDirectories = mkForce { };
69619e0b	51
26efd1b6 SW	52	qemu.drives = [{
26efd1b6 SW	53	name = "nixstore";
68bdafb0	54	file = "${config.system.build.nixStoreImage}/nixos.img";
26efd1b6 SW	55	driveExtraOpts = {
	56	format = "raw";
	57	read-only = "on";
	58	werror = "report";
	59	};
	60	}];
69619e0b	61
26efd1b6 SW	62	};
26efd1b6 SW	63	}