kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

[run-vm] use securityModel mapped to allow mounting /var 9p share

Browse Source
This commit is contained in:
kalipso
2025-01-20 15:43:03 +01:00
parent a6b1994938
commit e102d3fb94
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
outputs.nix
View File

@@ -29,8 +29,9 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
] ++ pkgs.lib.optionals (options.varPath != "") [ ] ++ pkgs.lib.optionals (options.varPath != "") [
{ {
source = "${options.varPath}"; source = "${options.varPath}";
mountPoint = "/var/lib"; securityModel = "mapped";
tag = "varlib"; mountPoint = "/var";
tag = "var";
} }
]); ]);
interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
@@ -84,7 +85,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules { buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules {
modules = [ modules = [
(vmMicroVMOverwrites { withNetworking = networking; varPath = "${varPath}"; }) (vmMicroVMOverwrites host { withNetworking = networking; varPath = "${varPath}"; })
(if sopsDummy then (vmSopsOverwrites host) else {}) (if sopsDummy then (vmSopsOverwrites host) else {})
(if disableDisko then vmDiskoOverwrites else {}) (if disableDisko then vmDiskoOverwrites else {})
] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [
@@ -153,7 +154,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
echo "--networking setup interfaces. requires root and hostbridge enabled on the host" echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
echo "--dummy-secrets run vm with dummy sops secrets" echo "--dummy-secrets run vm with dummy sops secrets"
echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny" echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
echo "--varlib path to directory that should be shared as /var/lib. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate" echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
exit 1 exit 1
} }
@@ -177,7 +178,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
--networking) NETWORK=true ;; --networking) NETWORK=true ;;
--dummy-secrets) DUMMY_SECRETS=true ;; --dummy-secrets) DUMMY_SECRETS=true ;;
--no-disko) NO_DISKO=true ;; --no-disko) NO_DISKO=true ;;
--varlib) --var)
if [[ -n "$2" && ! "$2" =~ ^- ]]; then if [[ -n "$2" && ! "$2" =~ ^- ]]; then
VAR_PATH="$2" VAR_PATH="$2"
shift shift