Refactor "impermanence"

Signed-off-by: Valentin Kharin <[email protected]>
tiiuae · Aug 19, 2024 · c0e720f · c0e720f
1 parent 5f3163c
commit c0e720f
Show file tree

Hide file tree

Showing 7 changed files with 97 additions and 84 deletions.
diff --git a/modules/common/storagevm/default.nix b/modules/common/storagevm/default.nix
@@ -0,0 +1,57 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ impermanence }:
+{ lib, config, ... }:
+let
+  cfg = config.ghaf.storagevm;
+  mountPath = "/tmp/storagevm";
+in
+{
+  imports = [ impermanence.nixosModules.impermanence ];
+
+  options.ghaf.storagevm = with lib; {
+    enable = mkEnableOption "StorageVM support";
+
+    name = mkOption {
+      description = ''
+        Name of the corresponding directory on the storage virtual machine.
+      '';
+      type = types.str;
+    };
+
+    directories = mkOption {
+      type = listOf (coercedTo str (d: { directory = d; }) userDir);
+      default = [ ];
+      example = [
+        "Downloads"
+        "Music"
+        "Pictures"
+        "Documents"
+        "Videos"
+      ];
+      description = ''
+        Directories to bind mount to
+        persistent storage.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    fileSystems.${mountPath}.neededForBoot = true;
+
+    microvm.shares = [
+      {
+        tag = "hostshare";
+        proto = "virtiofs";
+        securityModel = "passthrough";
+        source = "/storagevm/${cfg.name}";
+        mountPoint = mountPath;
+      }
+    ];
+
+    environment.persistence.${mountPath} = {
+      hideMounts = true;
+      inherit (cfg) directories;
+    };
+  };
+}
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
@@ -22,7 +22,7 @@
     jetpack.imports = [ ./jetpack ];
     jetpack-microvm.imports = [ ./jetpack-microvm ];
     lanzaboote.imports = [ ./lanzaboote ];
-    microvm.imports = [ (import ./microvm { inherit inputs; }) ];
+    microvm.imports = [ ./microvm ];
     polarfire.imports = [ ./polarfire ];
     profiles.imports = [ ./profiles ];
     reference-appvms.imports = [ ./reference/appvms ];

diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
@@ -25,12 +25,14 @@ let
       cid = if vm.cid > 0 then vm.cid else cfg.vsockBaseCID + index;
       appvmConfiguration = {
         imports = [
-          impermanence.nixosModules.impermanence
           (import ./common/vm-networking.nix {
             inherit config lib vmName;
             inherit (vm) macAddress;
             internalIP = index + 100;
           })
+
+          (../../../common/storagevm { inherit impermanence; })
+
           # To push logs to central location
           ../../../common/logging/client.nix
           (

diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
@@ -13,7 +13,6 @@ let
   inherit (import ../../../../lib/launcher.nix { inherit pkgs lib; }) rmDesktopEntries;
   guivmBaseConfiguration = {
     imports = [
-      impermanence.nixosModules.impermanence
       (import ./common/vm-networking.nix {
         inherit
           config
@@ -23,6 +22,9 @@ let
           ;
         internalIP = 3;
       })
+
+      (../../../common/storagevm { inherit impermanence; })
+
       # To push logs to central location
       ../../../common/logging/client.nix
       (
@@ -55,6 +57,18 @@ let
             # Logging client configuration
             logging.client.enable = config.ghaf.logging.client.enable;
             logging.client.endpoint = config.ghaf.logging.client.endpoint;
+            storagevm = {
+              enable = true;
+              name = "guivm";
+              directories = [
+                {
+                  directory = "/home/ghaf/";
+                  user = "ghaf";
+                  group = "users";
+                  mode = "u=rwx,g=,o=";
+                }
+              ];
+            };
           };
 
           systemd.services."waypipe-ssh-keygen" =
@@ -81,10 +95,6 @@ let
               };
             };
 
-          fileSystems = {
-            "/tmp/storagevm".neededForBoot = true;
-          };
-
           environment = {
             systemPackages =
               (rmDesktopEntries [
@@ -98,17 +108,6 @@ let
               ++ (lib.optional (
                 config.ghaf.profiles.debug.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable
               ) pkgs.mitmweb-ui);
-            persistence."/tmp/storagevm" = {
-              hideMounts = true;
-              directories = [
-                {
-                  directory = "/home/ghaf/";
-                  user = "ghaf";
-                  group = "users";
-                  mode = "u=rwx,g=,o=";
-                }
-              ];
-            };
           };
 
           time.timeZone = config.time.timeZone;
@@ -139,13 +138,6 @@ let
                 source = "/nix/store";
                 mountPoint = "/nix/.ro-store";
               }
-              {
-                tag = "hostshare";
-                proto = "virtiofs";
-                securityModel = "passthrough";
-                source = "/storagevm/guivm";
-                mountPoint = "/tmp/storagevm";
-              }
             ];
             writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store";
 

diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
@@ -20,7 +20,6 @@ let
 
   netvmBaseConfiguration = {
     imports = [
-      impermanence.nixosModules.impermanence
       (import ./common/vm-networking.nix {
         inherit
           config
@@ -31,6 +30,9 @@ let
         internalIP = 1;
         gateway = [ ];
       })
+
+      (../../../common/storagevm { inherit impermanence; })
+
       # To push logs to central location
       ../../../common/logging/client.nix
       (
@@ -61,6 +63,11 @@ let
             # Logging client configuration
             logging.client.enable = config.ghaf.logging.client.enable;
             logging.client.endpoint = config.ghaf.logging.client.endpoint;
+            storagevm = {
+              enable = true;
+              name = "netvm";
+              directories = [ "/etc/NetworkManager/system-connections/" ];
+            };
           };
 
           time.timeZone = config.time.timeZone;
@@ -78,11 +85,6 @@ let
 
           services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;
 
-          environment.persistence."/tmp/storagevm" = {
-            hideMounts = true;
-            directories = [ "/etc/NetworkManager/system-connections/" ];
-          };
-
           microvm = {
             optimize.enable = true;
             hypervisor = "qemu";
@@ -93,13 +95,6 @@ let
                   source = "/nix/store";
                   mountPoint = "/nix/.ro-store";
                 }
-                {
-                  tag = "hostshare";
-                  proto = "virtiofs";
-                  securityModel = "passthrough";
-                  source = "/storagevm/netvm";
-                  mountPoint = "/tmp/storagevm";
-                }
               ]
               ++ lib.optionals isGuiVmEnabled [
                 {
@@ -122,12 +117,9 @@ let
             };
           };
 
-          fileSystems = lib.mkMerge [
-            { "/tmp/storagevm".neededForBoot = true; }
-            (lib.mkIf isGuiVmEnabled {
-              ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ];
-            })
-          ];
+          fileSystems = lib.mkIf isGuiVmEnabled {
+            ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ];
+          };
 
           # SSH is very picky about to file permissions and ownership and will
           # accept neither direct path inside /nix/store or symlink that points

diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix
@@ -73,29 +73,14 @@ in
           && (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)
         ) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0;
         devices = [ ];
-        shares = [
-          {
-            tag = "hostshare";
-            proto = "virtiofs";
-            securityModel = "passthrough";
-            source = "/storagevm/business";
-            mountPoint = "/tmp/storagevm";
-          }
-        ];
-      };
-
-      fileSystems = {
-        "/tmp/storagevm".neededForBoot = true;
-      };
-
-      environment.persistence."/tmp/storagevm" = {
-        hideMounts = true;
-        users.ghaf = {
-          directories = [ ".config" ];
-        };
       };
 
       ghaf.reference.programs.chromium.enable = true;
+      ghaf.storagevm = {
+        enable = true;
+        name = "business";
+        directories = [ ".config" ];
+      };
 
       # Set default PDF XDG handler
       xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";

diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix
@@ -69,28 +69,13 @@ in
         && (hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)
       ) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0;
       microvm.devices = [ ];
-      microvm.shares = [
-        {
-          tag = "hostshare";
-          proto = "virtiofs";
-          securityModel = "passthrough";
-          source = "/storagevm/chromium";
-          mountPoint = "/tmp/storagevm";
-        }
-      ];
-
-      fileSystems = {
-        "/tmp/storagevm".neededForBoot = true;
-      };
-
-      environment.persistence."/tmp/storagevm" = {
-        hideMounts = true;
-        users.ghaf = {
-          directories = [ ".config" ];
-        };
-      };
 
       ghaf.reference.programs.chromium.enable = true;
+      ghaf.storagevm = {
+        enable = true;
+        name = "business";
+        directories = [ ".config" ];
+      };
 
       # Set default PDF XDG handler
       xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";