X-Git-Url: http://git.scottworley.com/nixos-qemu-vm-isolation/blobdiff_plain/f78c24af1d3a186131093427d1b454600e9aa973..1c40de51f4927c338c3eb981d4aaeafdd6919cac:/modules/qemu-vm-isolation.nix?ds=sidebyside diff --git a/modules/qemu-vm-isolation.nix b/modules/qemu-vm-isolation.nix index bdf95e6..69bacde 100644 --- a/modules/qemu-vm-isolation.nix +++ b/modules/qemu-vm-isolation.nix @@ -1,16 +1,10 @@ { config, lib, modulesPath, pkgs, ... }: let inherit (lib) - escapeShellArg findSingle mkForce mkIf mkMerge mkOption mkVMOverride - optional; + escapeShellArg mkForce mkIf mkMerge mkOption mkVMOverride optional; cfg = config.virtualisation.qemu.isolation; - lookupDriveDeviceName = driveName: driveList: - (findSingle (drive: drive.name == driveName) - (throw "Drive ${driveName} not found") - (throw "Multiple drives named ${driveName}") driveList).device; - storeMountPath = if config.virtualisation.writableStore then "/nix/.ro-store" else @@ -22,37 +16,41 @@ let hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; }; nixStoreImages = { - ext4 = import (modulesPath + "/../lib/make-disk-image.nix") { - inherit pkgs config lib; - additionalPaths = [ storeContents ]; - onlyNixStore = true; - label = "nix-store"; - partitionTableType = "none"; - installBootLoader = false; - diskSize = "auto"; - additionalSpace = "0M"; - copyChannel = false; - }; - erofs = hostPkgs.runCommand "nix-store-image" { } '' - mkdir $out - cd ${builtins.storeDir} - ${hostPkgs.erofs-utils}/bin/mkfs.erofs \ - --force-uid=0 \ - --force-gid=0 \ - -L nix-store \ - -U eb176051-bd15-49b7-9e6b-462e0b467019 \ - -T 0 \ - --exclude-regex="$( - <${storeContents}/store-paths \ - sed -e 's^.*/^^g' \ - | cut -c -10 \ - | ${hostPkgs.python3}/bin/python -c ${ - escapeShellArg (builtins.readFile - (modulesPath + "/virtualisation/includes-to-excludes.py")) - } )" \ - $out/nixos.img \ - . - ''; + ext4 = "${ + import (modulesPath + "/../lib/make-disk-image.nix") { + inherit pkgs config lib; + additionalPaths = [ storeContents ]; + onlyNixStore = true; + label = "nix-store"; + partitionTableType = "none"; + installBootLoader = false; + diskSize = "auto"; + additionalSpace = "0M"; + copyChannel = false; + } + }/nixos.img"; + erofs = "${ + hostPkgs.runCommand "nix-store-image" { } '' + mkdir $out + ${hostPkgs.gnutar}/bin/tar --create \ + --absolute-names \ + --verbatim-files-from \ + --transform 'flags=rSh;s|/nix/store/||' \ + --files-from ${storeContents}/store-paths \ + | ${hostPkgs.erofs-utils}/bin/mkfs.erofs \ + --force-uid=0 \ + --force-gid=0 \ + -L nix-store \ + -U eb176051-bd15-49b7-9e6b-462e0b467019 \ + -T 0 \ + --tar=f \ + $out/nix-store.img + '' + }/nix-store.img"; + squashfs = + "${hostPkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") { + storeContents = config.virtualisation.additionalPaths; + }}"; }; in { @@ -62,8 +60,11 @@ in { What filesystem to use for the guest's Nix store. erofs is more compact than ext4, but less mature. + + squashfs support currently requires a dubious kludge that results in these + VMs not being able to mount any other squashfs volumes besides the nix store. ''; - type = lib.types.enum [ "ext4" "erofs" ]; + type = lib.types.enum [ "ext4" "erofs" "squashfs" ]; default = "ext4"; }; }; @@ -72,13 +73,20 @@ in { boot.initrd.kernelModules = optional (cfg.nixStoreFilesystemType == "erofs") "erofs"; + nixpkgs.overlays = optional (cfg.nixStoreFilesystemType == "squashfs") + (final: prev: { + util-linux = prev.util-linux.overrideAttrs (old: { + patches = (old.patches or [ ]) + ++ [ ./libblkid-squashfs-nix-store-kludge.patch ]; + }); + }); + fileSystems = mkVMOverride { "${storeMountPath}" = { - device = - lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives; fsType = cfg.nixStoreFilesystemType; options = [ "ro" ]; neededForBoot = true; + label = "nix-store"; }; }; @@ -90,8 +98,7 @@ in { sharedDirectories = mkForce { }; qemu.drives = [{ - name = "nixstore"; - file = "${config.system.build.nixStoreImage}/nixos.img"; + file = config.system.build.nixStoreImage; driveExtraOpts = { format = "raw"; read-only = "on";