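# This module runs the RIPE anchor VM in a bare qemu.
# It's expected that a storage LV is created independently and passed as blkdev.
{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.hscloud.anchorvm;
in {
  options.hscloud.anchorvm = {
    blkdev = mkOption {
      type = types.str;
      description = "Root block device (raw image, attached as a virtio drive)";
    };
    bridge = mkOption {
      type = types.str;
      description = "bridge interface the vm's virtio NIC is attached to";
    };
    ram = mkOption {
      type = types.int;
      description = "memory allocated to the vm (qemu -m, MiB)";
      default = 2048;
    };
    # Previously hard-coded as `-smp 2`; the default keeps that behaviour.
    cpus = mkOption {
      type = types.int;
      description = "number of virtual CPUs given to the vm (qemu -smp)";
      default = 2;
    };
  };

  config.environment = {
    # qemu-bridge-helper (needed for -nic bridge) requires this file to exist.
    # We're running as root and don't care about the ACL functionality, so just
    # make a minimal file that allows the interface.
    # This snippet stolen from nixpkgs//libvirtd.nix
    etc."qemu/bridge.conf".text =
      lib.concatMapStringsSep "\n" (e: "allow ${e}") [cfg.bridge];
  };

  config.systemd.services.anchorvm = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Type = "simple";
      # No User= is set, so qemu runs as root; the -sandbox line is what limits
      # what the guest-facing process may do. spawn=allow is needed for the
      # bridge helper, the other categories are denied.
      ExecStart = ''${pkgs.qemu}/bin/qemu-kvm \
        -nographic -m ${toString cfg.ram} -smp ${toString cfg.cpus} \
        -drive file=${cfg.blkdev},if=virtio,cache=none,format=raw \
        -nic bridge,br=${cfg.bridge},model=virtio-net-pci \
        -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=allow,resourcecontrol=deny
      '';
      Restart = "always";
    };
  };
}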