Test impermanence framework

tiiuae · Aug 2, 2024 · a5fe280 · a5fe280
1 parent c7eab7f
commit a5fe280
Show file tree

Hide file tree

Showing 8 changed files with 91 additions and 7 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -125,6 +125,10 @@
         flake-compat.follows = "flake-compat";
       };
     };
+
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
   };
 
   outputs = inputs @ {flake-parts, ...}: let

diff --git a/modules/flake-module.nix b/modules/flake-module.nix
@@ -21,6 +21,7 @@
     jetpack.imports = [./jetpack];
     jetpack-microvm.imports = [./jetpack-microvm];
     lanzaboote.imports = [./lanzaboote];
+    microvm.imports = [(import ./microvm {inherit inputs;})];
     polarfire.imports = [./polarfire];
     profiles.imports = [./profiles];
     reference-appvms.imports = [./reference/appvms];

diff --git a/modules/microvm/flake-module.nix b/modules/microvm/flake-module.nix
@@ -5,12 +5,12 @@
     microvm.imports = [
       inputs.microvm.nixosModules.host
       ./virtualization/microvm/microvm-host.nix
-      ./virtualization/microvm/netvm.nix
+      (import ./virtualization/microvm/netvm.nix {inherit (inputs) impermanence;})
       ./virtualization/microvm/adminvm.nix
       ./virtualization/microvm/idsvm/idsvm.nix
       ./virtualization/microvm/idsvm/mitmproxy
-      ./virtualization/microvm/appvm.nix
-      ./virtualization/microvm/guivm.nix
+      (import ./virtualization/microvm/appvm.nix {inherit (inputs) impermanence;})
+      (import ./virtualization/microvm/guivm.nix {inherit (inputs) impermanence;})
       ./virtualization/microvm/audiovm.nix
       ./virtualization/microvm/modules.nix
       ./networking.nix

diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
@@ -1,6 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
+{impermanence}: {
   config,
   lib,
   pkgs,
@@ -27,6 +27,7 @@
       else cfg.vsockBaseCID + index;
     appvmConfiguration = {
       imports = [
+          impermanence.nixosModules.impermanence
         (import ./common/vm-networking.nix {
           inherit config lib vmName;
           inherit (vm) macAddress;

diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
@@ -1,6 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
+{impermanence}: {
   config,
   lib,
   pkgs,
@@ -11,6 +11,7 @@
   inherit (import ../../../../lib/launcher.nix {inherit pkgs lib;}) rmDesktopEntries;
   guivmBaseConfiguration = {
     imports = [
+      impermanence.nixosModules.impermanence
       (import ./common/vm-networking.nix {
         inherit config lib vmName macAddress;
         internalIP = 3;
@@ -72,6 +73,10 @@
           };
         };
 
+        fileSystems = {
+          "/tmp/storagevm".neededForBoot = true;
+        };
+
         environment = {
           systemPackages =
             (rmDesktopEntries [
@@ -83,6 +88,13 @@
               pkgs.pamixer
             ]
             ++ (lib.optional (config.ghaf.profiles.debug.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable) pkgs.mitmweb-ui);
+            persistence."/tmp/storagevm" = {
+              hideMounts = true;
+              directories = [
+                { directory = "/home/ghaf/"; user = "ghaf"; group = "users"; mode = "u=rwx,g=,o="; }
+              ];
+          };
+
         };
 
         time.timeZone = config.time.timeZone;
@@ -113,6 +125,13 @@
               source = "/nix/store";
               mountPoint = "/nix/.ro-store";
             }
+            {
+              tag = "hostshare";
+              proto = "virtiofs";
+              securityModel = "passthrough";
+              source = "/storagevm/guivm";
+              mountPoint = "/tmp/storagevm";
+            }
           ];
           writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store";
 

diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
@@ -1,6 +1,6 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
+{impermanence}: {
   config,
   lib,
   pkgs,
@@ -18,6 +18,7 @@
 
   netvmBaseConfiguration = {
     imports = [
+      impermanence.nixosModules.impermanence
       (import ./common/vm-networking.nix {
         inherit config lib vmName macAddress;
         internalIP = 1;
@@ -69,6 +70,13 @@
 
         services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;
 
+        environment.persistence."/tmp/storagevm" = {
+          hideMounts = true;
+          directories = [
+            "/etc/NetworkManager/system-connections/"
+          ];
+        };
+
         microvm = {
           optimize.enable = true;
           hypervisor = "qemu";
@@ -79,6 +87,13 @@
                 source = "/nix/store";
                 mountPoint = "/nix/.ro-store";
               }
+              {
+                tag = "hostshare";
+                proto = "virtiofs";
+                securityModel = "passthrough";
+                source = "/storagevm/netvm";
+                mountPoint = "/tmp/storagevm";
+              }
             ]
             ++ lib.optionals isGuiVmEnabled [
               {
@@ -101,7 +116,12 @@
           };
         };
 
-        fileSystems = lib.mkIf isGuiVmEnabled {${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = ["ro"];};
+        fileSystems = lib.mkMerge [
+          {
+            "/tmp/storagevm".neededForBoot = true;
+          }
+          (lib.mkIf isGuiVmEnabled {${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = ["ro"];})
+        ];
 
         # SSH is very picky about to file permissions and ownership and will
         # accept neither direct path inside /nix/store or symlink that points

diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix
@@ -5,6 +5,7 @@
   pkgs,
   lib,
   config,
+  #impermanence,
   ...
 }: let
   inherit (lib) hasAttr optionals;
@@ -62,6 +63,28 @@ in {
         && (hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs))
       config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0;
       microvm.devices = [];
+      microvm.shares = [
+        {
+          tag = "hostshare";
+          proto = "virtiofs";
+          securityModel = "passthrough";
+          source = "/storagevm/chromium";
+          mountPoint = "/tmp/storagevm";
+        }
+      ];
+
+      fileSystems = {
+        "/tmp/storagevm".neededForBoot = true;
+      };
+
+     environment.persistence."/tmp/storagevm" = {
+       hideMounts = true;
+       users.ghaf = {
+         directories = [
+           ".config"
+         ];
+        };
+     };
 
       ghaf.reference.programs.chromium.enable = true;