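# NixOS module: isolate a QEMU VM from the host's /nix/store.
#
# Instead of sharing the host store into the guest through
# `virtualisation.sharedDirectories`, the guest gets a read-only squashfs
# image built from `virtualisation.additionalPaths`, attached as a dedicated
# read-only QEMU drive. Host directory sharing is forced off, so the guest
# reaches nothing of the host filesystem beyond that image.
{ config, lib, modulesPath, pkgs, ... }:
let
  # Only the helpers actually referenced below; `mkIf` and `mkMerge` were
  # imported previously but never used.
  inherit (lib) findSingle mkForce mkVMOverride;

  # Resolve the guest-side device path of the QEMU drive named `driveName`
  # from `driveList` (entries of `virtualisation.qemu.drives`).
  # Evaluation aborts with `throw` when the drive is missing or defined more
  # than once, so a conflicting `qemu.drives` entry from another module fails
  # loudly instead of silently mounting the wrong device.
  lookupDriveDeviceName = driveName: driveList:
    (findSingle (drive: drive.name == driveName)
      (throw "Drive ${driveName} not found")
      (throw "Multiple drives named ${driveName}") driveList).device;

  # Mount point of the read-only image. With a writable store it is mounted
  # at /nix/.ro-store (presumably the lower layer the qemu-vm module overlays
  # to form /nix/store — confirm against that module); otherwise the image is
  # the store itself.
  storeMountPath =
    if config.virtualisation.writableStore then "/nix/.ro-store" else "/nix/store";
in {

  # The store image is squashfs and is mounted from the initrd
  # (`neededForBoot` below), so the module must be available there.
  boot.initrd.availableKernelModules = [ "squashfs" ];

  # Replace the qemu-vm module's store mount with the squashfs drive.
  # `mkVMOverride` gives this definition precedence over the qemu-vm
  # defaults without resorting to `mkForce`.
  fileSystems = mkVMOverride {
    "${storeMountPath}" = {
      device = lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
      fsType = "squashfs";
      # Explicitly read-only at the mount layer, matching the drive below.
      options = [ "ro" ];
      neededForBoot = true;
    };
  };

  # The guest's store image, built only from `additionalPaths`. Anything the
  # guest needs at runtime must be listed there; nothing else from the host
  # store is reachable from inside the VM.
  system.build.squashfsStore =
    pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
      storeContents = config.virtualisation.additionalPaths;
    };

  virtualisation = {

    # `mkForce` so that no other module (including any default host-store
    # share set up by qemu-vm) can re-introduce a host directory into the
    # guest.
    sharedDirectories = mkForce { };

    qemu.drives = [{
      name = "nixstore";
      file = "${config.system.build.squashfsStore}";
      driveExtraOpts = {
        format = "raw";
        # Read-only at the QEMU layer as well, so the guest cannot write
        # back into the image file on the host.
        read-only = "on";
        # Report host-side I/O errors to the guest rather than pausing the VM.
        werror = "report";
      };
    }];

  };
}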