{ config, lib, modulesPath, pkgs, ... }:
let
  inherit (lib) findSingle mkForce mkIf mkMerge mkVMOverride;

  vmCfg = config.virtualisation;

  # Device node of the qemu drive called `name`, looked up in a
  # `virtualisation.qemu.drives`-style list.  Evaluation fails loudly when
  # the name is missing or ambiguous rather than silently picking a drive.
  deviceOfDrive = name: drives:
    let
      hit = findSingle (d: d.name == name)
        (throw "Drive ${name} not found")
        (throw "Multiple drives named ${name}")
        drives;
    in hit.device;

  # Mount point of the read-only squashfs store image.  With a writable
  # store the image goes to /nix/.ro-store (presumably so the VM machinery
  # can layer a writable store on top — confirm against the qemu-vm module);
  # otherwise the image is mounted directly as /nix/store.
  roStoreMountPoint =
    if vmCfg.writableStore then "/nix/.ro-store" else "/nix/store";

  # The store image: a squashfs built from `virtualisation.additionalPaths`.
  # NOTE(review): nothing here adds the system closure itself; it is assumed
  # to arrive via additionalPaths from elsewhere — verify.
  storeImage =
    pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
      storeContents = vmCfg.additionalPaths;
    };

  isolationConfig = {

    # initrd must be able to mount the squashfs image, as the store is
    # needed before switch-root (neededForBoot below).
    boot.initrd.availableKernelModules = [ "squashfs" ];

    fileSystems = mkVMOverride {
      "${roStoreMountPoint}" = {
        device = deviceOfDrive "nixstore" vmCfg.qemu.drives;
        fsType = "squashfs";
        options = [ "ro" ];
        neededForBoot = true;
      };
    };

    system.build.squashfsStore = storeImage;

    virtualisation = {

      # No host directory is shared into the guest at all (this presumably
      # also removes the host nix store share the qemu-vm module would set
      # up by default — confirm); the guest only sees the squashfs image.
      sharedDirectories = mkForce { };

      # The store image is attached as a raw, read-only drive; write errors
      # are reported rather than stopping the VM.
      qemu.drives = [{
        name = "nixstore";
        file = "${config.system.build.squashfsStore}";
        driveExtraOpts = {
          format = "raw";
          read-only = "on";
          werror = "report";
        };
      }];

    };
  };

  # Only applied on NixOS releases before 23.05.  NOTE(review): this is a
  # plain string comparison on lib.version, not lib.versionOlder; the two
  # differ for pre-release strings such as "23.05pre…" — confirm which is
  # intended before changing it.
  legacyBootDevice = mkIf (lib.version < "23.05") {
    # This should always have been the default.
    virtualisation.bootDevice = deviceOfDrive "root" vmCfg.qemu.drives;
  };

in mkMerge [ isolationConfig legacyBootDevice ]