Use bcarnes' squashfs label patches instead of the dubious kludge
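index bdf95e6d852f424ba6bc3264b421480769e1247a..5467f29a366de753f2714a6001762d2ae821999b 100644
--- a/modules/qemu-vm-isolation.nix
+++ b/modules/qemu-vm-isolation.nix
@@ -1,16 +1,10 @@
 { config, lib, modulesPath, pkgs, ... }:
 let
   inherit (lib)
-    escapeShellArg findSingle mkForce mkIf mkMerge mkOption mkVMOverride
-    optional;
+    escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional;
 
   cfg = config.virtualisation.qemu.isolation;
 
-  lookupDriveDeviceName = driveName: driveList:
-    (findSingle (drive: drive.name == driveName)
-      (throw "Drive ${driveName} not found")
-      (throw "Multiple drives named ${driveName}") driveList).device;
-
   storeMountPath = if config.virtualisation.writableStore then
     "/nix/.ro-store"
   else
@@ -22,37 +16,52 @@ let
     hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
 
   nixStoreImages = {
-    ext4 = import (modulesPath + "/../lib/make-disk-image.nix") {
-      inherit pkgs config lib;
-      additionalPaths = [ storeContents ];
-      onlyNixStore = true;
-      label = "nix-store";
-      partitionTableType = "none";
-      installBootLoader = false;
-      diskSize = "auto";
-      additionalSpace = "0M";
-      copyChannel = false;
-    };
-    erofs = hostPkgs.runCommand "nix-store-image" { } ''
-      mkdir $out
-      cd ${builtins.storeDir}
-      ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
-        --force-uid=0 \
-        --force-gid=0 \
-        -L nix-store \
-        -U eb176051-bd15-49b7-9e6b-462e0b467019 \
-        -T 0 \
-        --exclude-regex="$(
-          <${storeContents}/store-paths \
-            sed -e 's^.*/^^g' \
-          | cut -c -10 \
-          | ${hostPkgs.python3}/bin/python -c ${
-            escapeShellArg (builtins.readFile
-              (modulesPath + "/virtualisation/includes-to-excludes.py"))
-          } )" \
-        $out/nixos.img \
-        .
-    '';
+    ext4 = "${
+        import (modulesPath + "/../lib/make-disk-image.nix") {
+          inherit pkgs config lib;
+          additionalPaths = [ storeContents ];
+          onlyNixStore = true;
+          label = "nix-store";
+          partitionTableType = "none";
+          installBootLoader = false;
+          diskSize = "auto";
+          additionalSpace = "0M";
+          copyChannel = false;
+        }
+      }/nixos.img";
+    erofs = "${
+        hostPkgs.runCommand "nix-store-image" { } ''
+          mkdir $out
+          ${hostPkgs.gnutar}/bin/tar --create \
+            --absolute-names \
+            --verbatim-files-from \
+            --transform 'flags=rSh;s|/nix/store/||' \
+            --files-from ${storeContents}/store-paths \
+            | ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
+              --force-uid=0 \
+              --force-gid=0 \
+              -L nix-store \
+              -U eb176051-bd15-49b7-9e6b-462e0b467019 \
+              -T 0 \
+              --tar=f \
+              $out/nix-store.img
+        ''
+      }/nix-store.img";
+    squashfs =
+      "${hostPkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
+        squashfsTools = hostPkgs.squashfsTools.overrideAttrs (old: {
+          # We patch in support for squashfs labels because
+          # https://github.com/NixOS/nixpkgs/pull/236656 requires filesystems to have labels and
+          # https://github.com/plougher/squashfs-tools/issues/59 squashfs doesn't support labels
+          patches = (old.patches or []) ++ [ ./squashfs-tools-label.patch ];
+          buildInputs = (old.buildInputs or []) ++ [ hostPkgs.makeWrapper ];
+          postInstall = (old.postInstall or "") + ''
+            wrapProgram "$out/bin/mksquashfs" \
+              --append-flags "-label nix-store"
+          '';
+        });
+        storeContents = config.virtualisation.additionalPaths;
+      }}";
   };
 
 in {
@@ -62,8 +71,10 @@ in {
         What filesystem to use for the guest's Nix store.
 
         erofs is more compact than ext4, but less mature.
+
+        squashfs is best, but requires patches to set the filesystem label.
       '';
-      type = lib.types.enum [ "ext4" "erofs" ];
+      type = lib.types.enum [ "ext4" "erofs" "squashfs" ];
       default = "ext4";
     };
   };
@@ -72,13 +83,22 @@ in {
       boot.initrd.kernelModules =
         optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
 
+      nixpkgs.overlays = optional (cfg.nixStoreFilesystemType == "squashfs")
+        (final: prev: {
+          util-linux = prev.util-linux.overrideAttrs (old: {
+            # We patch in support for squashfs labels because
+            # https://github.com/NixOS/nixpkgs/pull/236656 requires filesystems to have labels and
+            # https://github.com/plougher/squashfs-tools/issues/59 squashfs doesn't support labels
+            patches = (old.patches or [ ]) ++ [ ./util-linux-squashfs-label.patch ];
+          });
+        });
+
       fileSystems = mkVMOverride {
         "${storeMountPath}" = {
-          device =
-            lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
           fsType = cfg.nixStoreFilesystemType;
           options = [ "ro" ];
           neededForBoot = true;
+          label = "nix-store";
         };
       };
 
@@ -90,8 +110,7 @@ in {
         sharedDirectories = mkForce { };
 
         qemu.drives = [{
-          name = "nixstore";
-          file = "${config.system.build.nixStoreImage}/nixos.img";
+          file = config.system.build.nixStoreImage;
           driveExtraOpts = {
             format = "raw";
             read-only = "on";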
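Review bot: The erofs image's tar transform hard-codes the store prefix in `--transform 'flags=rSh;s|/nix/store/||'`, whereas the code it replaces derived the same prefix from `${builtins.storeDir}` (the removed `cd ${builtins.storeDir}` line), so a configuration with a non-default store directory would build an image whose top-level entries still carry the full path; writing it as `--transform 'flags=rSh;s|${builtins.storeDir}/||'` keeps the two consistent. Separately, nothing in the tar invocation fixes member order (there is no `--sort=name`), so the archive fed to mkfs.erofs presumably follows readdir order and the resulting image may not be bit-for-bit reproducible even though `-T 0` and `--force-uid`/`--force-gid` pin timestamps and ownership. The same label comment is repeated verbatim in the squashfsTools override and the util-linux overlay; stating it once and cross-referencing would keep the two patches from drifting. The `hostPkgs.runCommand` string is complete within the second hunk.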