git.scottworley.com Git - nixos-qemu-vm-isolation/blob - modules/qemu-vm-isolation.nix

   1 { config, lib, modulesPath, pkgs, ... }:
   2 let
   3   inherit (lib) findSingle mkForce mkVMOverride;
   4
   5   lookupDriveDeviceName = driveName: driveList:
   6     (findSingle (drive: drive.name == driveName)
   7       (throw "Drive ${driveName} not found")
   8       (throw "Multiple drives named ${driveName}") driveList).device;
   9
  10   storeMountPath = if config.virtualisation.writableStore then
  11     "/nix/.ro-store"
  12   else
  13     "/nix/store";
  14
  15 in {
  16
  17   boot.initrd.availableKernelModules = [ "squashfs" ];
  18
  19   fileSystems = mkVMOverride {
  20     "${storeMountPath}" = {
  21       device =
  22         lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
  23       fsType = "squashfs";
  24       options = [ "ro" ];
  25       neededForBoot = true;
  26     };
  27   };
  28
  29   system.build.squashfsStore =
  30     pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
  31       storeContents = config.virtualisation.pathsInNixDB;
  32     };
  33
  34   virtualisation = {
  35
  36     # This should be the default.
  37     bootDevice = lookupDriveDeviceName "root" config.virtualisation.qemu.drives;
  38
  39     sharedDirectories = mkForce { };
  40
  41     qemu.drives = [{
  42       name = "nixstore";
  43       file = "${config.system.build.squashfsStore}";
  44       driveExtraOpts = {
  45         format = "raw";
  46         read-only = "on";
  47         werror = "report";
  48       };
  49     }];
  50
  51   };
  52 }