[nixos-qemu-vm-isolation] / modules / qemu-vm-isolation.nix

{ config, lib, modulesPath, pkgs, ... }:
let
  inherit (lib)
    escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;

  cfg = config.virtualisation.qemu.isolation;

  storeMountPath = if config.virtualisation.writableStore then
    "/nix/.ro-store"
  else
    "/nix/store";

  hostPkgs = config.virtualisation.host.pkgs;

  storeContents =
    hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };

  nixStoreImages = {
    ext4 = import (modulesPath + "/../lib/make-disk-image.nix") {
      inherit pkgs config lib;
      additionalPaths = [ storeContents ];
      onlyNixStore = true;
      label = "nix-store";
      partitionTableType = "none";
      installBootLoader = false;
      diskSize = "auto";
      additionalSpace = "0M";
      copyChannel = false;
    };
    erofs = hostPkgs.runCommand "nix-store-image" { } ''
      mkdir $out
      cd ${builtins.storeDir}
      ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
        --force-uid=0 \
        --force-gid=0 \
        -L nix-store \
        -U eb176051-bd15-49b7-9e6b-462e0b467019 \
        -T 0 \
        --exclude-regex="$(
          <${storeContents}/store-paths \
            sed -e 's^.*/^^g' \
          | cut -c -10 \
          | ${hostPkgs.python3}/bin/python -c ${
            escapeShellArg (builtins.readFile
              (modulesPath + "/virtualisation/includes-to-excludes.py"))
          } )" \
        $out/nixos.img \
        .
    '';
  };

in {
  options = {
    virtualisation.qemu.isolation.nixStoreFilesystemType = mkOption {
      description = ''
        What filesystem to use for the guest's Nix store.

        erofs is more compact than ext4, but less mature.
      '';
      type = lib.types.enum [ "ext4" "erofs" ];
      default = "ext4";
    };
  };
  config = mkMerge [
    {
      boot.initrd.kernelModules =
        optional (cfg.nixStoreFilesystemType == "erofs") "erofs";

      fileSystems = mkVMOverride {
        "${storeMountPath}" = {
          fsType = cfg.nixStoreFilesystemType;
          options = [ "ro" ];
          neededForBoot = true;
          label = "nix-store";
        };
      };

      system.build.nixStoreImage =
        nixStoreImages."${cfg.nixStoreFilesystemType}";

      virtualisation = {

        sharedDirectories = mkForce { };

        qemu.drives = [{
          file = "${config.system.build.nixStoreImage}/nixos.img";
          driveExtraOpts = {
            format = "raw";
            read-only = "on";
            werror = "report";
          };
        }];

      };
    }
    (mkIf (cfg.nixStoreFilesystemType == "ext4") {
      # We use this to disable fsck runs on the ext4 nix store image because stage-1
      # fsck crashes (maybe because the device is read-only?), halting boot.
      boot.initrd.checkJournalingFS = false;
    })
  ];
}
Commit	Line	Data
69619e0b SW	1	{ config, lib, modulesPath, pkgs, ... }:
69619e0b SW	2	let
f78c24af	3	inherit (lib)
e4f516e1	4	escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;
f78c24af SW	5
f78c24af SW	6	cfg = config.virtualisation.qemu.isolation;
69619e0b	7
69619e0b SW	8	storeMountPath = if config.virtualisation.writableStore then
	9	"/nix/.ro-store"
	10	else
	11	"/nix/store";
	12
f78c24af	13	hostPkgs = config.virtualisation.host.pkgs;
69619e0b	14
f78c24af SW	15	storeContents =
f78c24af SW	16	hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
68bdafb0	17
f78c24af SW	18	nixStoreImages = {
f78c24af SW	19	ext4 = import (modulesPath + "/../lib/make-disk-image.nix") {
68bdafb0	20	inherit pkgs config lib;
f78c24af	21	additionalPaths = [ storeContents ];
68bdafb0 SW	22	onlyNixStore = true;
	23	label = "nix-store";
	24	partitionTableType = "none";
	25	installBootLoader = false;
	26	diskSize = "auto";
	27	additionalSpace = "0M";
	28	copyChannel = false;
26efd1b6	29	};
f78c24af SW	30	erofs = hostPkgs.runCommand "nix-store-image" { } ''
	31	mkdir $out
	32	cd ${builtins.storeDir}
	33	${hostPkgs.erofs-utils}/bin/mkfs.erofs \
	34	--force-uid=0 \
	35	--force-gid=0 \
	36	-L nix-store \
	37	-U eb176051-bd15-49b7-9e6b-462e0b467019 \
	38	-T 0 \
	39	--exclude-regex="$(
	40	<${storeContents}/store-paths \
	41	sed -e 's^.*/^^g' \
	42	\| cut -c -10 \
	43	\| ${hostPkgs.python3}/bin/python -c ${
	44	escapeShellArg (builtins.readFile
	45	(modulesPath + "/virtualisation/includes-to-excludes.py"))
	46	} )" \
	47	$out/nixos.img \
	48	.
	49	'';
	50	};
69619e0b	51
f78c24af SW	52	in {
	53	options = {
	54	virtualisation.qemu.isolation.nixStoreFilesystemType = mkOption {
	55	description = ''
	56	What filesystem to use for the guest's Nix store.
69619e0b	57
f78c24af SW	58	erofs is more compact than ext4, but less mature.
	59	'';
	60	type = lib.types.enum [ "ext4" "erofs" ];
	61	default = "ext4";
	62	};
	63	};
	64	config = mkMerge [
	65	{
	66	boot.initrd.kernelModules =
	67	optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
69619e0b	68
f78c24af SW	69	fileSystems = mkVMOverride {
f78c24af SW	70	"${storeMountPath}" = {
f78c24af SW	71	fsType = cfg.nixStoreFilesystemType;
	72	options = [ "ro" ];
	73	neededForBoot = true;
e4f516e1	74	label = "nix-store";
f78c24af	75	};
26efd1b6	76	};
69619e0b	77
f78c24af SW	78	system.build.nixStoreImage =
	79	nixStoreImages."${cfg.nixStoreFilesystemType}";
	80
	81	virtualisation = {
	82
	83	sharedDirectories = mkForce { };
	84
	85	qemu.drives = [{
f78c24af SW	86	file = "${config.system.build.nixStoreImage}/nixos.img";
	87	driveExtraOpts = {
	88	format = "raw";
	89	read-only = "on";
	90	werror = "report";
	91	};
	92	}];
	93
	94	};
	95	}
	96	(mkIf (cfg.nixStoreFilesystemType == "ext4") {
	97	# We use this to disable fsck runs on the ext4 nix store image because stage-1
	98	# fsck crashes (maybe because the device is read-only?), halting boot.
	99	boot.initrd.checkJournalingFS = false;
	100	})
	101	];
26efd1b6	102	}