From cf0f2f7c33ae1ff3519731ad14c52ce64aba7e26 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Tue, 10 Dec 2024 06:43:11 +0100
Subject: [PATCH] kata-image: allow remount service to manage /run

We're configuring a tmpfs with 50% of the VMs memory capacity in kata.nix, but this configuration is only applied by systemd-remount-fs.service, which we thus need to enable. That service tries to remount all filesystems, though, so we need to define them correctly in the first place so that they can be remounted. In our case, that meant defining the / mount as read-only.
---
 packages/nixos/system.nix | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/packages/nixos/system.nix b/packages/nixos/system.nix
index 553accc30..ed36be122 100644
--- a/packages/nixos/system.nix
+++ b/packages/nixos/system.nix
@@ -47,6 +47,7 @@
 "/" = {
 device = "/dev/mapper/root";
 fsType = "erofs";
+ options = [ "ro" ];
 };
 }
 # Create tmpfs on directories that need to be writable for activation.
@@ -72,10 +73,6 @@
 ]
 );
- # We cant remount anything in the userspace, as we already
- # have the rootfs mounted read-only from the initrd.
- systemd.suppressedSystemUnits = [ "systemd-remount-fs.service" ];
-
 networking.firewall.enable = false;
 nixpkgs.hostPlatform.system = "x86_64-linux";
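Review bot: The added `options = [ "ro" ];` on the `/` mount has no comment, so its rationale lives only in the commit message, while the second hunk deletes the one comment that described the remount behaviour. Because erofs is read-only by design, a later reader may take the option for redundant and drop it, which per the commit description would leave systemd-remount-fs.service unable to remount `/`. I would add above it `# "ro" must be explicit: systemd-remount-fs.service re-applies these options and the erofs root cannot be remounted read-write.` The attribute set holding the mounts starts above the hunk and the tmpfs definitions continue past it, so I cannot see their options; since the service now re-applies every entry, they are worth checking for the same reason.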