git.scottworley.com Git - nixos-qemu-vm-isolation/blob - modules/qemu-vm-isolation.nix

   1 { config, lib, modulesPath, pkgs, ... }:
   2 let
   3   inherit (lib)
   4     escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;
   5
   6   cfg = config.virtualisation.qemu.isolation;
   7
   8   storeMountPath = if config.virtualisation.writableStore then
   9     "/nix/.ro-store"
  10   else
  11     "/nix/store";
  12
  13   hostPkgs = config.virtualisation.host.pkgs;
  14
  15   storeContents =
  16     hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
  17
  18   nixStoreImages = {
  19     ext4 = import (modulesPath + "/../lib/make-disk-image.nix") {
  20       inherit pkgs config lib;
  21       additionalPaths = [ storeContents ];
  22       onlyNixStore = true;
  23       label = "nix-store";
  24       partitionTableType = "none";
  25       installBootLoader = false;
  26       diskSize = "auto";
  27       additionalSpace = "0M";
  28       copyChannel = false;
  29     };
  30     erofs = hostPkgs.runCommand "nix-store-image" { } ''
  31       mkdir $out
  32       cd ${builtins.storeDir}
  33       ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
  34         --force-uid=0 \
  35         --force-gid=0 \
  36         -L nix-store \
  37         -U eb176051-bd15-49b7-9e6b-462e0b467019 \
  38         -T 0 \
  39         --exclude-regex="$(
  40           <${storeContents}/store-paths \
  41             sed -e 's^.*/^^g' \
  42           | cut -c -10 \
  43           | ${hostPkgs.python3}/bin/python -c ${
  44             escapeShellArg (builtins.readFile
  45               (modulesPath + "/virtualisation/includes-to-excludes.py"))
  46           } )" \
  47         $out/nixos.img \
  48         .
  49     '';
  50   };
  51
  52 in {
  53   options = {
  54     virtualisation.qemu.isolation.nixStoreFilesystemType = mkOption {
  55       description = ''
  56         What filesystem to use for the guest's Nix store.
  57
  58         erofs is more compact than ext4, but less mature.
  59       '';
  60       type = lib.types.enum [ "ext4" "erofs" ];
  61       default = "ext4";
  62     };
  63   };
  64   config = mkMerge [
  65     {
  66       boot.initrd.kernelModules =
  67         optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
  68
  69       fileSystems = mkVMOverride {
  70         "${storeMountPath}" = {
  71           fsType = cfg.nixStoreFilesystemType;
  72           options = [ "ro" ];
  73           neededForBoot = true;
  74           label = "nix-store";
  75         };
  76       };
  77
  78       system.build.nixStoreImage =
  79         nixStoreImages."${cfg.nixStoreFilesystemType}";
  80
  81       virtualisation = {
  82
  83         sharedDirectories = mkForce { };
  84
  85         qemu.drives = [{
  86           file = "${config.system.build.nixStoreImage}/nixos.img";
  87           driveExtraOpts = {
  88             format = "raw";
  89             read-only = "on";
  90             werror = "report";
  91           };
  92         }];
  93
  94       };
  95     }
  96     (mkIf (cfg.nixStoreFilesystemType == "ext4") {
  97       # We use this to disable fsck runs on the ext4 nix store image because stage-1
  98       # fsck crashes (maybe because the device is read-only?), halting boot.
  99       boot.initrd.checkJournalingFS = false;
 100     })
 101   ];
 102 }