# This module runs the RIPE anchor VM in a bare qemu.
# It's expected that a storage LV is created independently and passed as blkdev.
#
# Option values are substituted verbatim (unescaped) into the qemu command line
# and into /etc/qemu/bridge.conf, so they are treated as trusted operator
# configuration rather than user input.
{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.hscloud.anchorvm;
in {
  options.hscloud.anchorvm = {
    blkdev = mkOption {
      type = types.str;
      # Becomes the qemu `-drive file=` argument as-is; qemu's option parser
      # splits on ',', so a value containing a comma would be misparsed.
      description = "Root block device";
    };
    bridge = mkOption {
      type = types.str;
      # Written into the bridge.conf allow list below and passed as `br=` to
      # `-nic bridge`; both must name the same host interface.
      description = "bridge interface";
    };
    ram = mkOption {
      type = types.int;
      # Passed as a bare number to qemu `-m`, which qemu interprets as MiB.
      description = "memory allocated to the vm";
      default = 2048;
    };
  };

  config.environment = {
    # qemu-bridge-helper (needed for -nic bridge) requires this file to exist.
    # We're running as root and don't care about the ACL functionality, so just
    # make a minimal file that allows the interface.
    # This snippet stolen from nixpkgs//libvirtd.nix
    # The generated allow list contains exactly one entry: the configured bridge.
    etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
      "allow ${e}") [cfg.bridge];
  };

  config.systemd.services.anchorvm = {
    wantedBy = [ "multi-user.target" ];
    after = [
      "network.target"
    ];
    serviceConfig = {
      Type = "simple";
      # No User= is set, so qemu runs as root (systemd's default); the seccomp
      # sandbox on the command line below is the only privilege reduction in
      # this unit. NOTE(review): further systemd hardening (ProtectSystem etc.)
      # is not applied here — confirm what the bridge helper tolerates before
      # adding any.
      # format=raw is explicit so qemu never probes the LV's contents to guess
      # an image format; cache=none bypasses the host page cache.
      # spawn=allow needed for bridge helper
      ExecStart = ''${pkgs.qemu}/bin/qemu-kvm \
        -nographic -m ${toString cfg.ram} -smp 2 \
        -drive file=${cfg.blkdev},if=virtio,cache=none,format=raw \
        -nic bridge,br=${cfg.bridge},model=virtio-net-pci \
        -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=allow,resourcecontrol=deny
      '';
      # No RestartSec is set, so a crash-looping guest is respawned after
      # systemd's default delay (100ms).
      Restart = "always";
    };
  };
}