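# This module runs the RIPE anchor VM in a bare qemu.
# It's expected that a storage LV is created independently and passed as blkdev.
#
# Both option values are interpolated verbatim: into the systemd ExecStart line
# (split on whitespace by systemd, then parsed on commas by qemu's option parser)
# and into the newline-separated qemu bridge ACL file. The assertions below
# reject values containing those separators, which a plain types.str does not.
{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.hscloud.anchorvm;

  # True when the string contains a character that would change how the value
  # is parsed after interpolation: whitespace splits ExecStart into extra
  # arguments, a comma starts a new qemu option, a newline starts a new
  # bridge.conf entry.
  hasSeparator = s:
    hasInfix " " s || hasInfix "\t" s || hasInfix "\n" s || hasInfix "," s;

in {
  options.hscloud.anchorvm = {
    blkdev = mkOption {
      type = types.str;
      description = "Root block device (path passed verbatim to qemu -drive file=)";
    };
    bridge = mkOption {
      type = types.str;
      description = "bridge interface the VM NIC is attached to via qemu-bridge-helper";
    };
    ram = mkOption {
      type = types.int;
      description = "memory allocated to the vm, in MiB (qemu -m)";
      default = 2048;
    };
  };

  # Fail evaluation instead of producing a unit whose command line or ACL file
  # parses differently from what the option values suggest.
  config.assertions = [
    {
      assertion = !(hasSeparator cfg.blkdev);
      message = "hscloud.anchorvm.blkdev must not contain whitespace or commas";
    }
    {
      assertion = !(hasSeparator cfg.bridge);
      message = "hscloud.anchorvm.bridge must not contain whitespace or commas";
    }
  ];

  config.environment = {
    # qemu-bridge-helper (needed for -nic bridge) requires this file to exist.
    # We're running as root and don't care about the ACL functionality, so just
    # make a minimal file that allows the interface.
    # This snippet stolen from nixpkgs//libvirtd.nix
    etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
      "allow ${e}") [cfg.bridge];
  };

  config.systemd.services.anchorvm = {
    wantedBy = [ "multi-user.target" ];
    after = [
      "network.target"
    ];
    serviceConfig = {
      Type = "simple";
      # Backslash-newline continues the ExecStart line; systemd splits the
      # result on whitespace, which is why the option values above may not
      # contain any.
      # -sandbox: seccomp filtering stays on; spawn=allow is needed because the
      # setuid bridge helper is spawned for -nic bridge.
      ExecStart = ''${pkgs.qemu}/bin/qemu-kvm \
        -nographic -m ${toString cfg.ram} -smp 2 \
        -drive file=${cfg.blkdev},if=virtio,cache=none,format=raw \
        -nic bridge,br=${cfg.bridge},model=virtio-net-pci \
        -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=allow,resourcecontrol=deny
      '';
      Restart = "always";
    };
  };
}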