[run-vm] handle edgecase for prometheus mmaped file on 9p share

[run-vm] use securityModel mapped to allow mounting /var 9p share
2025-01-20 15:43:34 +01:00 · 2025-01-20 15:43:03 +01:00
1 changed files with 13 additions and 9 deletions
--- a/outputs.nix
+++ b/outputs.nix
@@ -15,7 +15,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
    pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
    pkgs = nixpkgs.legacyPackages."${system}";

-    vmMicroVMOverwrites = options: {
+    vmMicroVMOverwrites = hostname: options: {
      microvm = {
        mem = pkgs.lib.mkForce 4096;
        hypervisor = pkgs.lib.mkForce "qemu";
@@ -29,8 +29,9 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
        ] ++ pkgs.lib.optionals (options.varPath != "") [
          {
            source = "${options.varPath}";
-            mountPoint = "/var/lib";
-            tag = "varlib";
+            securityModel = "mapped";
+            mountPoint = "/var";
+            tag = "var";
          }
        ]);
        interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
@@ -42,9 +43,12 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems

      fileSystems = {
        "/".fsType = pkgs.lib.mkForce "tmpfs";
-        "/var/lib" = pkgs.lib.mkIf (options.varPath != "") {
-          depends = [ "/var" ];
-        };
+
+        # prometheus uses a memory mapped file which doesnt seem supported by 9p shares
+        # therefore we mount a tmpfs inside the datadir
+        "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
+          fsType = pkgs.lib.mkForce "tmpfs";
+        });
      };

      boot.isContainer = pkgs.lib.mkForce false;
@@ -84,7 +88,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems

    buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules {
        modules = [
-          (vmMicroVMOverwrites { withNetworking = networking; varPath = "${varPath}"; })
+          (vmMicroVMOverwrites host { withNetworking = networking; varPath = "${varPath}"; })
          (if sopsDummy then (vmSopsOverwrites host) else {})
          (if disableDisko then vmDiskoOverwrites else {})
        ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [
@@ -153,7 +157,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
            echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
            echo "--dummy-secrets run vm with dummy sops secrets"
            echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
-            echo "--varlib path to directory that should be shared as /var/lib. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+            echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
            exit 1
        }
        
@@ -177,7 +181,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
                --networking) NETWORK=true ;;
                --dummy-secrets) DUMMY_SECRETS=true ;;
                --no-disko) NO_DISKO=true ;;
-                --varlib) 
+                --var) 
                  if [[ -n "$2" && ! "$2" =~ ^- ]]; then
                      VAR_PATH="$2"
                      shift
Author	SHA1	Message	Date
kalipso	22282c1a2f	[run-vm] handle edgecase for prometheus mmaped file on 9p share All checks were successful Check flake syntax / flake-check (push) Successful in 4m15s Details	2025-01-20 15:43:34 +01:00
kalipso	e102d3fb94	[run-vm] use securityModel mapped to allow mounting /var 9p share	2025-01-20 15:43:03 +01:00