blob: 7514b93d3f4fa78958fe27c09aaa28d210900d34 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
{ nixpkgs
, system
, name ? "sandbox"
, user ? "dummy"
, config ? { }
, restrictNetwork ? true # to be replaced with virtualisation.restrictNetwork
, patchQemu9p ? false
}:
with nixpkgs.lib;
let
pkgs = import nixpkgs { inherit system; };
# Patched QEMU to fix slow 9p file share.
# https://linus.schreibt.jetzt/posts/qemu-9p-performance.html
qemu_kvm_patched_9p =
assert !(pkgs.lib.versionAtLeast pkgs.qemu_kvm.version "7.2.0");
pkgs.qemu_kvm.overrideAttrs (o: {
patches = o.patches ++ [ (pkgs.fetchpatch {
name = "qemu-9p-performance-fix.patch";
url = "https://github.com/qemu/qemu/commit/f5265c8.patch";
sha256 = "sha256-PSOv0dhiEq9g6B1uIbs6vbhGr7BQWCtAoLHnk4vnvVg=";
}) ];
});
in rec {
nixosConfigurations.${name} = nixosSystem {
inherit system;
modules = [
(nixpkgs + "/nixos/modules/profiles/minimal.nix")
{ environment.noXlibs = false; } # avoid mass rebuild
(nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
(nixpkgs + "/nixos/modules/virtualisation/qemu-vm.nix")
({ config, lib, pkgs, ... }: {
system.stateVersion = mkDefault pkgs.lib.trivial.release;
networking = {
hostName = name;
firewall.enable = mkDefault false;
};
users.users.${user} = {
isNormalUser = mkDefault true;
password = mkDefault "";
extraGroups = mkDefault [ "wheel" ];
};
security.sudo.wheelNeedsPassword = mkDefault false;
services.getty = {
autologinUser = mkDefault user;
helpLine = mkDefault ''
Press <CTRL-a> <x> to terminate the virtual machine.
The working directory on the host is mounted to /mnt.
'';
};
virtualisation = {
graphics = mkDefault false;
diskImage = mkDefault "$(mktemp).qcow2";
sharedDirectories.host = {
source = "$SHARED_CWD";
target = "/mnt";
};
# Uncomment when this is merged:
# https://github.com/NixOS/nixpkgs/pull/200225
#restrictNetwork = mkDefault true;
qemu.package = mkDefault
(if patchQemu9p then qemu_kvm_patched_9p else pkgs.qemu_kvm);
};
})
config
];
};
packages.${name} = nixosConfigurations.${name}.config.system.build.vm;
apps.${name} = {
type = "app";
program = toString (pkgs.writeShellScript "sandbox-vm" (
(pkgs.lib.optionalString restrictNetwork ''
# Isolate from network
# Stopgap solution until this is merged:
# https://github.com/NixOS/nixpkgs/pull/200225
QEMU_NET_OPTS="restrict=yes,''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
export QEMU_NET_OPTS
'') + ''
# Save current directory for mounting in VM
SHARED_CWD=$PWD
export SHARED_CWD
${packages.${name}}/bin/run-${name}-vm
reset
echo "Exited virtual machine."
''));
};
}
|