test: vaultwarden microVM

example/microvm/store-disk.nix

@@ -0,0 +1,124 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  regInfo = pkgs.closureInfo {
+    rootPaths = [ config.system.build.toplevel ];
+  };
+
+  erofs-utils =
+    # Are any extended options specified?
+    if
+      lib.any (
+        with lib;
+        flip elem [
+          "-Ededupe"
+          "-Efragments"
+        ]
+      ) config.microvm.storeDiskErofsFlags
+    then
+      # If extended options are present,
+      # stick to the single-threaded erofs-utils
+      # to not scare anyone with warning messages.
+      pkgs.buildPackages.erofs-utils
+    else
+      # If no extended options are configured,
+      # rebuild mkfs.erofs with multi-threading.
+      pkgs.buildPackages.erofs-utils.overrideAttrs (attrs: {
+        configureFlags = attrs.configureFlags ++ [
+          "--enable-multithreading"
+        ];
+      });
+
+  erofsFlags = builtins.concatStringsSep " " config.microvm.storeDiskErofsFlags;
+  squashfsFlags = builtins.concatStringsSep " " config.microvm.storeDiskSquashfsFlags;
+
+  mkfsCommand =
+    {
+      squashfs = "gensquashfs ${squashfsFlags} -D store --all-root -q $out";
+      erofs = "mkfs.erofs ${erofsFlags} -T 0 --all-root -L nix-store --mount-point=/nix/store $out store";
+    }
+    .${config.microvm.storeDiskType};
+
+  writeClosure = pkgs.writeClosure or pkgs.writeReferencesToFile;
+
+  storeDiskContents = writeClosure (
+    [ config.system.build.toplevel ] ++ lib.optional config.nix.enable regInfo
+  );
+
+in
+{
+  options.microvm.storeDisk =
+    with lib;
+    mkOption {
+      type = types.path;
+      description = ''
+        Generated
+      '';
+    };
+
+  config = lib.mkMerge [
+    (lib.mkIf (config.microvm.guest.enable && config.microvm.storeOnDisk) {
+      # nixos/modules/profiles/hardened.nix forbids erofs.
+      # HACK: Other NixOS modules populate
+      # config.boot.blacklistedKernelModules depending on the boot
+      # filesystems, so checking on that directly would result in an
+      # infinite recursion.
+      microvm.storeDiskType = lib.mkDefault (
+        if config.security.virtualisation.flushL1DataCache == "always" then "squashfs" else "erofs"
+      );
+      boot.initrd.availableKernelModules = [
+        config.microvm.storeDiskType
+      ];
+
+      microvm.storeDisk =
+        pkgs.runCommandLocal "microvm-store-disk.${config.microvm.storeDiskType}"
+          {
+            nativeBuildInputs = [
+              pkgs.buildPackages.time
+              pkgs.buildPackages.bubblewrap
+              {
+                squashfs = pkgs.buildPackages.squashfs-tools-ng;
+                erofs = erofs-utils;
+              }
+              .${config.microvm.storeDiskType}
+            ];
+            passthru = {
+              inherit regInfo;
+            };
+            __structuredAttrs = true;
+            unsafeDiscardReferences.out = true;
+          }
+          ''
+            mkdir store
+            BWRAP_ARGS="--dev-bind / / --chdir $(pwd)"
+            for d in $(sort -u ${storeDiskContents}); do
+              BWRAP_ARGS="$BWRAP_ARGS --ro-bind $d $(pwd)/store/$(basename $d)"
+            done
+
+            echo Creating a ${config.microvm.storeDiskType}
+            bwrap $BWRAP_ARGS -- time ${mkfsCommand} || \
+              (
+                echo "Bubblewrap failed. Falling back to copying...">&2
+                cp -a $(sort -u ${storeDiskContents}) store/
+                time ${mkfsCommand}
+              )
+          '';
+    })
+
+    (lib.mkIf (config.microvm.registerClosure && config.nix.enable) {
+      microvm.kernelParams = [
+        "regInfo=${regInfo}/registration"
+      ];
+      boot.postBootCommands = ''
+        if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then
+          ${config.nix.package.out}/bin/nix-store --load-db < ''${BASH_REMATCH[1]}
+        fi
+      '';
+    })
+  ];
+}