profiles: init (vsock ssh &c.)

profiles/all.nix

@@ -0,0 +1,5 @@
+{
+  imports = builtins.concatMap (name: if name == "all.nix" then [ ] else [ (./. + "/${name}") ]) (
+    builtins.attrNames (builtins.readDir ./.)
+  );
+}

profiles/resources.nix

@@ -0,0 +1,19 @@
+{ config, options, lib, ... }:
+
+{
+  config = lib.mkMerge [
+    {
+      # zswap is said to be more reliable than zram
+      boot.kernelParams = lib.optionals (!config.zramSwap.enable) [ "zswap.enabled=1" ];
+    }
+    (lib.optionalAttrs (options ? microvm) {
+      microvm = {
+        hypervisor = lib.mkDefault "cloud-hypervisor";
+        graphics.enable = lib.mkDefault true;
+        vcpu = lib.mkDefault 2;
+        hotplugMem = lib.mkDefault (2 * 1024);
+        hotpluggedMem = lib.mkDefault 512;
+      };
+    })
+  ];
+}

profiles/uvms-guest.nix

@@ -0,0 +1,47 @@
+{
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./vsock-connect-guest.nix
+    ./uvms-users.nix
+  ];
+  config = lib.optionalAttrs (options ? microvm) {
+    microvm = {
+      hypervisor = "cloud-hypervisor";
+      volumes = [
+        {
+          image = "swapfile.img";
+          mountPoint = "/var/swapfiles";
+          size = 1024;
+        }
+      ];
+      cloud-hypervisor.extraArgs = [
+        "--api-socket=ch.sock"
+      ];
+    };
+    swapDevices = [
+      {
+        device = "/var/swapfiles/swap0";
+        size = 768;
+      }
+    ];
+
+    boot.kernelParams = [ "zswap.enabled=1" ];
+    zramSwap.enable = false;
+
+    systemd.services."microvm@".serviceConfig.ExecStartPost =
+      pkgs.writeShellScript "microvm-fix-umask" ''
+        if [[ -e CONNECT.vsock ]] ; then
+          chmod g+r CONNECT.vsock
+        fi
+      '';
+
+    systemd.tmpfiles.settings."10-muvm" = {
+      "/var/lib/microvms/*/CONNECT.sock".z.mode = "660";
+    };
+  };
+}

profiles/uvms-users.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.uvms.users;
+  authorizedKeys.keys = config.uvms.users.pubkeys.ssh;
+  mergeIf = cond: modules: lib.mkIf cond (lib.mkMerge modules);
+in
+
+{
+  imports = [ ./vars-use-wayland.nix ];
+  options = {
+    uvms.users.enable = lib.mkEnableOption "Set up usual immutable users (`root`, `user`)";
+    uvms.users.pubkeys.ssh = lib.mkOption {
+      description = "Authorized SSH keys for user@ and root@";
+      type = lib.types.listOf lib.types.str;
+      defalut = [ ];
+    };
+    uvms.users.pubkeys.enable =
+      lib.mkEnableOption "Deploy (SSH, &c) public (authorized) keys. This leaks certain public IDs into the VM"
+      // {
+        default = true;
+      };
+    uvms.users.proxyWayland = lib.mkEnableOption "Set up wayland-proxy-virtwl";
+  };
+  config = mergeIf cfg.enable [
+    {
+      services.getty.autologinUser = "user";
+      security.sudo.wheelNeedsPassword = false;
+      users.mutableUsers = false;
+      users.users.user = {
+        password = lib.mkDefault "hacktheplanet!";
+        isNormalUser = true;
+        createHome = true;
+        extraGroups = [
+          "video"
+          "wheel"
+        ];
+        uid = 1000;
+      };
+      systemd.tmpfiles.settings."10-user-home" = {
+        "/home/user".z = {
+          user = "user";
+          group = "users";
+        };
+      };
+    }
+    (lib.mkIf cfg.deployPubkeys {
+      users.users.root.openssh = { inherit authorizedKeys; };
+      users.users.user.openssh = { inherit authorizedKeys; };
+    })
+    (lib.mkIf cfg.proxyWayland {
+      hardware.graphics.enable = true;
+      systemd.user.services.wayland-proxy = {
+        enable = true;
+        description = "Wayland Proxy";
+        serviceConfig = with pkgs; {
+          # Environment = "WAYLAND_DISPLAY=wayland-1";
+          ExecStart = "${wayland-proxy-virtwl}/bin/wayland-proxy-virtwl --virtio-gpu --x-display=0 --xwayland-binary=${xwayland}/bin/Xwayland --tag \"[${config.networking.hostName}]\"";
+          Restart = "always";
+          RestartSec = 5;
+          OOMScoreAdjust = -800;
+        };
+        wantedBy = [ "default.target" ];
+      };
+      environment.sessionVariables = {
+        WAYLAND_DISPLAY = "wayland-1";
+      };
+      xdg.portal = {
+        enable = true;
+        config.common.default = "*";
+        extraPortals = [
+          pkgs.xdg-desktop-portal-gtk
+          pkgs.xdg-desktop-portal-gnome
+        ];
+      };
+      environment.systemPackages = [
+        pkgs.xdg-utils
+        pkgs.wl-clipboard
+      ];
+    })
+  ];
+}

profiles/vars-use-wayland.nix

@@ -0,0 +1,12 @@
+{
+  environment.sessionVariables = {
+    ELECTRON_OZONE_PLATFORM_HINT = "wayland";
+    MOZ_ENABLE_WAYLAND = "1";
+    QT_QPA_PLATFORM = "wayland"; # Qt Applications
+    GDK_BACKEND = "wayland"; # GTK Applications
+    XDG_SESSION_TYPE = "wayland"; # Electron Applications
+    SDL_VIDEODRIVER = "wayland";
+    CLUTTER_BACKEND = "wayland";
+    NIXOS_OZONE_WL = "1";
+  };
+}

profiles/vsock-connect-guest.nix

@@ -0,0 +1,18 @@
+{ options, lib, ... }:
+{
+  config =
+    lib.optionalAttrs (options ? "microvm") {
+      microvm.cloud-hypervisor.extraArgs = [
+        "--vsock"
+        "cid=4,socket=CONNECT.sock"
+      ];
+    }
+    // {
+      # Somehow, sshd calls to PAM with PAM_RHOST="UNKNOWN",
+      # prompting a slow DNS look-up each time...
+      #
+      # https://mastodon.acm.org/@nobody/115108458851355328
+      # https://github.com/linux-pam/linux-pam/issues/885#issuecomment-3030698895
+      networking.hosts."100::" = [ "UNKNOWN" ];
+    };
+}

profiles/vsock-connect.nix

@@ -0,0 +1,18 @@
+{ lib, pkgs, ... }:
+
+{
+  programs.ssh.extraConfig =
+    let
+      ssh-proxy = pkgs.callPackage ../pkgs/ch-proxy/package.nix { };
+    in
+    ''
+      Host vsock-mux%* uvm/* uuvm/*
+          ProxyCommand ${lib.getExe ssh-proxy} %h
+          ProxyUseFdpass yes
+          CheckHostIP no
+
+          # systemd: "Disable all kinds of host identity checks, since these addresses are generally ephemeral"
+          StrictHostKeyChecking no
+    '';
+
+}