Put squashfs-label patch overlays in a separate file
index bdf95e6d852f424ba6bc3264b421480769e1247a..ed6800ef9281aeff3bb62460d78939fb4c768716 100644 (file)
@@ -1,16 +1,10 @@
 { config, lib, modulesPath, pkgs, ... }:
 let
   inherit (lib)
 { config, lib, modulesPath, pkgs, ... }:
 let
   inherit (lib)
-    escapeShellArg findSingle mkForce mkIf mkMerge mkOption mkVMOverride
-    optional;
+    escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;
 
   cfg = config.virtualisation.qemu.isolation;
 
 
   cfg = config.virtualisation.qemu.isolation;
 
-  lookupDriveDeviceName = driveName: driveList:
-    (findSingle (drive: drive.name == driveName)
-      (throw "Drive ${driveName} not found")
-      (throw "Multiple drives named ${driveName}") driveList).device;
-
   storeMountPath = if config.virtualisation.writableStore then
     "/nix/.ro-store"
   else
   storeMountPath = if config.virtualisation.writableStore then
     "/nix/.ro-store"
   else
@@ -22,37 +16,50 @@ let
     hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
 
   nixStoreImages = {
     hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
 
   nixStoreImages = {
-    ext4 = import (modulesPath + "/../lib/make-disk-image.nix") {
-      inherit pkgs config lib;
-      additionalPaths = [ storeContents ];
-      onlyNixStore = true;
-      label = "nix-store";
-      partitionTableType = "none";
-      installBootLoader = false;
-      diskSize = "auto";
-      additionalSpace = "0M";
-      copyChannel = false;
-    };
-    erofs = hostPkgs.runCommand "nix-store-image" { } ''
-      mkdir $out
-      cd ${builtins.storeDir}
-      ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
-        --force-uid=0 \
-        --force-gid=0 \
-        -L nix-store \
-        -U eb176051-bd15-49b7-9e6b-462e0b467019 \
-        -T 0 \
-        --exclude-regex="$(
-          <${storeContents}/store-paths \
-            sed -e 's^.*/^^g' \
-          | cut -c -10 \
-          | ${hostPkgs.python3}/bin/python -c ${
-            escapeShellArg (builtins.readFile
-              (modulesPath + "/virtualisation/includes-to-excludes.py"))
-          } )" \
-        $out/nixos.img \
-        .
-    '';
+    ext4 = "${
+        import (modulesPath + "/../lib/make-disk-image.nix") {
+          inherit pkgs config lib;
+          additionalPaths = [ storeContents ];
+          onlyNixStore = true;
+          label = "nix-store";
+          partitionTableType = "none";
+          installBootLoader = false;
+          diskSize = "auto";
+          additionalSpace = "0M";
+          copyChannel = false;
+        }
+      }/nixos.img";
+    erofs = "${
+        hostPkgs.runCommand "nix-store-image" { } ''
+          mkdir $out
+          ${hostPkgs.gnutar}/bin/tar --create \
+            --absolute-names \
+            --verbatim-files-from \
+            --transform 'flags=rSh;s|/nix/store/||' \
+            --files-from ${storeContents}/store-paths \
+            | ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
+              --force-uid=0 \
+              --force-gid=0 \
+              -L nix-store \
+              -U eb176051-bd15-49b7-9e6b-462e0b467019 \
+              -T 0 \
+              --tar=f \
+              $out/nix-store.img
+        ''
+      }/nix-store.img";
+    squashfs =
+      "${hostPkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
+        squashfsTools =
+          (hostPkgs.extend (import ../overlays/squashfs-labels)).squashfsTools.overrideAttrs
+            (old: {
+              buildInputs = (old.buildInputs or [ ]) ++ [ hostPkgs.makeWrapper ];
+              postInstall = (old.postInstall or "") + ''
+                wrapProgram "$out/bin/mksquashfs" \
+                  --append-flags "-label nix-store"
+              '';
+            });
+        storeContents = config.virtualisation.additionalPaths;
+      }}";
   };
 
 in {
   };
 
 in {
@@ -62,8 +69,10 @@ in {
         What filesystem to use for the guest's Nix store.
 
         erofs is more compact than ext4, but less mature.
         What filesystem to use for the guest's Nix store.
 
         erofs is more compact than ext4, but less mature.
+
+        squashfs is best, but requires patches to set the filesystem label.
       '';
       '';
-      type = lib.types.enum [ "ext4" "erofs" ];
+      type = lib.types.enum [ "ext4" "erofs" "squashfs" ];
       default = "ext4";
     };
   };
       default = "ext4";
     };
   };
@@ -72,13 +81,15 @@ in {
       boot.initrd.kernelModules =
         optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
 
       boot.initrd.kernelModules =
         optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
 
+      nixpkgs.overlays = optional (cfg.nixStoreFilesystemType == "squashfs")
+        (import ../overlays/squashfs-labels);
+
       fileSystems = mkVMOverride {
         "${storeMountPath}" = {
       fileSystems = mkVMOverride {
         "${storeMountPath}" = {
-          device =
-            lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
           fsType = cfg.nixStoreFilesystemType;
           options = [ "ro" ];
           neededForBoot = true;
           fsType = cfg.nixStoreFilesystemType;
           options = [ "ro" ];
           neededForBoot = true;
+          label = "nix-store";
         };
       };
 
         };
       };
 
@@ -90,8 +101,7 @@ in {
         sharedDirectories = mkForce { };
 
         qemu.drives = [{
         sharedDirectories = mkForce { };
 
         qemu.drives = [{
-          name = "nixstore";
-          file = "${config.system.build.nixStoreImage}/nixos.img";
+          file = config.system.build.nixStoreImage;
           driveExtraOpts = {
             format = "raw";
             read-only = "on";
           driveExtraOpts = {
             format = "raw";
             read-only = "on";
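Review bot: In the second hunk the new erofs build hard-codes the store prefix in `--transform 'flags=rSh;s|/nix/store/||'`, whereas the code it replaces used `cd ${builtins.storeDir}`; on a system with a non-default store directory the paths from `${storeContents}/store-paths` would no longer have their prefix stripped and the image layout would silently differ from what the guest mounts. Using the same value as before keeps the two in agreement: `--transform 'flags=rSh;s|${builtins.storeDir}/||' \`. Separately, in the fourth hunk the store is now located with `label = "nix-store"` instead of an explicit drive device, which presumably resolves through the by-label symlink and so picks whichever attached filesystem carries that label; with the drive list fully controlled by this module that is fine, but a comment such as `# Resolved by filesystem label; assumes this is the only attached device labelled nix-store.` would record the assumption the removed lookupDriveDeviceName check used to enforce. The enclosing `config` attribute set starts and ends outside these hunks.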