Isolate NixOS QEMU VMs from each other and from the host by using a
-squashfs for the VM's /nix/store that contains only the VM's dependencies
+private /nix/store image that contains only the VM's dependencies
(like the installer has) rather than a virtio mount of the host's entire
/nix/store.
in {
- boot.initrd.availableKernelModules = [ "squashfs" ];
-
fileSystems = mkVMOverride {
"${storeMountPath}" = {
device =
lookupDriveDeviceName "nixstore" config.virtualisation.qemu.drives;
- fsType = "squashfs";
+ fsType = "ext4";
options = [ "ro" ];
neededForBoot = true;
};
};
- system.build.squashfsStore =
- pkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
- storeContents = config.virtualisation.additionalPaths;
+ # We use this to disable fsck runs on the ext4 nix store image because stage-1
+ # fsck crashes (maybe because the device is read-only?), halting boot.
+ boot.initrd.checkJournalingFS = false;
+
+ system.build.nixStoreImage =
+ import (modulesPath + "/../lib/make-disk-image.nix") {
+ inherit pkgs config lib;
+ additionalPaths = [
+ (config.virtualisation.host.pkgs.closureInfo {
+ rootPaths = config.virtualisation.additionalPaths;
+ })
+ ];
+ onlyNixStore = true;
+ label = "nix-store";
+ partitionTableType = "none";
+ installBootLoader = false;
+ diskSize = "auto";
+ additionalSpace = "0M";
+ copyChannel = false;
};
virtualisation = {
qemu.drives = [{
name = "nixstore";
- file = "${config.system.build.squashfsStore}";
+ file = "${config.system.build.nixStoreImage}/nixos.img";
driveExtraOpts = {
format = "raw";
read-only = "on";
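Review bot: `boot.initrd.checkJournalingFS = false;` is a global initrd setting, so it disables the stage-1 fsck for every journaling filesystem mounted at boot in the VM, not just the ext4 store image that the comment above it mentions. The store drive is already attached with `read-only = "on"` and mounted `ro`, so only that one mount needs the check skipped. If the initrd in use honours the per-filesystem option, `noCheck = true;` on the `"${storeMountPath}"` entry would be the narrower fix. Otherwise the comment should state the scope, for example `# NOTE: this disables initrd fsck for all journaling filesystems in the VM, not only the store image.` The comment's "maybe because the device is read-only?" leaves the cause unconfirmed, so recording the observed fsck failure would let the workaround be removed later. The enclosing attribute set starts and ends outside the hunk.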