[nixos-qemu-vm-isolation] / modules / qemu-vm-isolation.nix

{ config, lib, modulesPath, pkgs, ... }:
let
  inherit (lib) findSingle mkForce mkIf mkMerge mkVMOverride;

  lookupDriveDeviceName = driveName: driveList:
    (findSingle (drive: drive.name == driveName)
      (throw "Drive ${driveName} not found")
      (throw "Multiple drives named ${driveName}") driveList).device;

  storeMountPath = if config.virtualisation.writableStore then
    "/nix/.ro-store"
  else
    "/nix/store";

in mkMerge [
  {

    boot.initrd.availableKernelModules = [ "squashfs" ];

    fileSystems = mkVMOverride {
      "${storeMountPath}" = {
        device =
          lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
        fsType = "squashfs";
        options = [ "ro" ];
        neededForBoot = true;
      };
    };

    system.build.squashfsStore =
      pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
        storeContents = config.virtualisation.additionalPaths;
      };

    virtualisation = {

      sharedDirectories = mkForce { };

      qemu.drives = [{
        name = "nixstore";
        file = "${config.system.build.squashfsStore}";
        driveExtraOpts = {
          format = "raw";
          read-only = "on";
          werror = "report";
        };
      }];

    };
  }
  (mkIf (lib.version < "23.05") {
    # This should always have been the default.
    virtualisation.bootDevice =
      lookupDriveDeviceName "root" config.virtualisation.qemu.drives;
  })
]
Commit	Line	Data
69619e0b SW	1	{ config, lib, modulesPath, pkgs, ... }:
69619e0b SW	2	let
a91e7da8	3	inherit (lib) findSingle mkForce mkIf mkMerge mkVMOverride;
69619e0b SW	4
	5	lookupDriveDeviceName = driveName: driveList:
	6	(findSingle (drive: drive.name == driveName)
	7	(throw "Drive ${driveName} not found")
	8	(throw "Multiple drives named ${driveName}") driveList).device;
	9
	10	storeMountPath = if config.virtualisation.writableStore then
	11	"/nix/.ro-store"
	12	else
	13	"/nix/store";
	14
a91e7da8 SW	15	in mkMerge [
a91e7da8 SW	16	{
69619e0b	17
a91e7da8	18	boot.initrd.availableKernelModules = [ "squashfs" ];
69619e0b	19
a91e7da8 SW	20	fileSystems = mkVMOverride {
	21	"${storeMountPath}" = {
	22	device =
	23	lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
	24	fsType = "squashfs";
	25	options = [ "ro" ];
	26	neededForBoot = true;
	27	};
69619e0b SW	28	};
69619e0b SW	29
a91e7da8 SW	30	system.build.squashfsStore =
	31	pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
	32	storeContents = config.virtualisation.additionalPaths;
	33	};
69619e0b	34
a91e7da8	35	virtualisation = {
69619e0b	36
a91e7da8	37	sharedDirectories = mkForce { };
69619e0b	38
a91e7da8 SW	39	qemu.drives = [{
	40	name = "nixstore";
	41	file = "${config.system.build.squashfsStore}";
	42	driveExtraOpts = {
	43	format = "raw";
	44	read-only = "on";
	45	werror = "report";
	46	};
	47	}];
69619e0b	48
a91e7da8 SW	49	};
	50	}
	51	(mkIf (lib.version < "23.05") {
	52	# This should always have been the default.
	53	virtualisation.bootDevice =
	54	lookupDriveDeviceName "root" config.virtualisation.qemu.drives;
	55	})
	56	]