# Runs the RIPE anchor VM as a bare qemu process, supervised by a systemd
# service. The root storage (e.g. an LV) is NOT managed here: it has to be
# created independently and handed in via `blkdev`.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkOption types;

  vm = config.hscloud.anchorvm;

  # Interface ACL consulted by qemu-bridge-helper, which qemu forks for
  # `-nic bridge`; the helper refuses to run when the file is missing.
  # qemu runs as root here and we don't rely on the ACL, so the file simply
  # allows the one configured bridge. (Adapted from nixpkgs libvirtd.nix.)
  bridgeAcl = "allow ${vm.bridge}";
in
{
  options.hscloud.anchorvm = {
    # Attached raw to the guest via virtio (see ExecStart below).
    blkdev = mkOption {
      description = "Root block device";
      type = types.str;
    };
    # Host bridge the guest NIC is enslaved to via qemu-bridge-helper.
    bridge = mkOption {
      description = "bridge interface";
      type = types.str;
    };
    # Passed verbatim to qemu -m; a bare number is interpreted by qemu as MiB.
    ram = mkOption {
      description = "memory allocated to the vm";
      type = types.int;
      default = 2048;
    };
  };

  config.environment.etc."qemu/bridge.conf".text = bridgeAcl;

  config.systemd.services.anchorvm = {
    wantedBy = [ "multi-user.target" ];
    # NOTE(review): network.target does not guarantee the bridge device is
    # already up; Restart=always is what currently covers a qemu that starts
    # too early and fails to attach to the bridge.
    after = [ "network.target" ];
    serviceConfig = {
      Type = "simple";
      Restart = "always";
      # No User= is set, so qemu and the bridge helper it forks run as root;
      # the -sandbox seccomp filter below is the only in-process hardening.
      # NOTE(review): consider systemd hardening (ProtectSystem, PrivateTmp,
      # NoNewPrivileges) or qemu's -runas once verified not to break the
      # bridge helper, which needs to open /dev/net/tun and touch the bridge.
      #
      # -nographic: serial console and monitor go to stdio (the journal here).
      # -drive format=raw is pinned on purpose: without it qemu probes the
      #   image header, so a guest writing another format's signature onto its
      #   own disk could change how the host interprets the device on restart.
      #   cache=none bypasses the host page cache for the raw device.
      # -sandbox: obsolete=deny blocks legacy syscalls, elevateprivileges=deny
      #   blocks set*uid/gid, resourcecontrol=deny blocks scheduler/affinity
      #   calls. spawn=allow must stay, since qemu forks qemu-bridge-helper.
      ExecStart = ''${pkgs.qemu}/bin/qemu-kvm \
        -nographic -m ${builtins.toString vm.ram} -smp 2 \
        -drive file=${vm.blkdev},if=virtio,cache=none,format=raw \
        -nic bridge,br=${vm.bridge},model=virtio-net-pci \
        -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=allow,resourcecontrol=deny
      '';
    };
  };
}