else
"/nix/store";
-in mkMerge [
- {
-
- boot.initrd.availableKernelModules = [ "squashfs" ];
-
- fileSystems = mkVMOverride {
- "${storeMountPath}" = {
- device =
- lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
- fsType = "squashfs";
- options = [ "ro" ];
- neededForBoot = true;
- };
+in {
+
+ fileSystems = mkVMOverride {
+ "${storeMountPath}" = {
+ device =
+ lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
+ fsType = "ext4";
+ options = [ "ro" ];
+ neededForBoot = true;
+ };
+ };
+
+ # We use this to disable fsck runs on the ext4 nix store image because stage-1
+ # fsck crashes (maybe because the device is read-only?), halting boot.
+ boot.initrd.checkJournalingFS = false;
+
+ system.build.nixStoreImage =
+ import (modulesPath + "/../lib/make-disk-image.nix") {
+ inherit pkgs config lib;
+ additionalPaths = [
+ (config.virtualisation.host.pkgs.closureInfo {
+ rootPaths = config.virtualisation.additionalPaths;
+ })
+ ];
+ onlyNixStore = true;
+ label = "nix-store";
+ partitionTableType = "none";
+ installBootLoader = false;
+ diskSize = "auto";
+ additionalSpace = "0M";
+ copyChannel = false;
};
- system.build.squashfsStore =
- pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
- storeContents = config.virtualisation.additionalPaths;
- };
-
- virtualisation = {
+ virtualisation = {
- sharedDirectories = mkForce { };
+ sharedDirectories = mkForce { };
- qemu.drives = [{
- name = "nixstore";
- file = "${config.system.build.squashfsStore}";
- driveExtraOpts = {
- format = "raw";
- read-only = "on";
- werror = "report";
- };
- }];
+ qemu.drives = [{
+ name = "nixstore";
+ file = "${config.system.build.nixStoreImage}/nixos.img";
+ driveExtraOpts = {
+ format = "raw";
+ read-only = "on";
+ werror = "report";
+ };
+ }];
- };
- }
- (mkIf (lib.version < "23.05") {
- # This should always have been the default.
- virtualisation.bootDevice =
- lookupDriveDeviceName "root" config.virtualisation.qemu.drives;
- })
-]
+ };
+}
projects / nixos-qemu-vm-isolation / blobdiff