else/uvms
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

profiles: init (vsock ssh &c.)

Browse source
This commit is contained in:
Else, Someone 2025-09-17 16:51:24 +03:00
parent 12e95630b1
commit 1828835a1d
8 changed files with 228 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
examples/dummy.nix Normal file
View file

@ -0,0 +1,22 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
../profiles/all.nix
];
# following microvm.nix:
boot.loader.grub.enable = false;
fileSystems."/" = lib.mkDefault {
device = "rootfs"; # how does this work? does this assign a label to the tmpfs?
fsType = "tmpfs";
options = [ "size=10%,mode=0755" ];
neededForBoot = true;
};
# TODO: cmdline, kernel, initrd, fileSystems
}

5
profiles/all.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = builtins.concatMap (name: if name == "all.nix" then [ ] else [ (./. + "/${name}") ]) (
builtins.attrNames (builtins.readDir ./.)
);
}

19
profiles/resources.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, options, lib, ... }:
{
config = lib.mkMerge [
{
# zswap is said to be more reliable than zram
boot.kernelParams = lib.optionals (!config.zramSwap.enable) [ "zswap.enabled=1" ];
}
(lib.optionalAttrs (options ? microvm) {
microvm = {
hypervisor = lib.mkDefault "cloud-hypervisor";
graphics.enable = lib.mkDefault true;
vcpu = lib.mkDefault 2;
hotplugMem = lib.mkDefault (2 * 1024);
hotpluggedMem = lib.mkDefault 512;
};
})
];
}

47
profiles/uvms-guest.nix Normal file
View file

@ -0,0 +1,47 @@
{
options,
lib,
pkgs,
...
}:
{
imports = [
./vsock-connect-guest.nix
./uvms-users.nix
];
config = lib.optionalAttrs (options ? microvm) {
microvm = {
hypervisor = "cloud-hypervisor";
volumes = [
{
image = "swapfile.img";
mountPoint = "/var/swapfiles";
size = 1024;
}
];
cloud-hypervisor.extraArgs = [
"--api-socket=ch.sock"
];
};
swapDevices = [
{
device = "/var/swapfiles/swap0";
size = 768;
}
];
boot.kernelParams = [ "zswap.enabled=1" ];
zramSwap.enable = false;
systemd.services."microvm@".serviceConfig.ExecStartPost =
pkgs.writeShellScript "microvm-fix-umask" ''
if [[ -e CONNECT.vsock ]] ; then
chmod g+r CONNECT.vsock
fi
'';
systemd.tmpfiles.settings."10-muvm" = {
"/var/lib/microvms/*/CONNECT.sock".z.mode = "660";
};
};
}

87
profiles/uvms-users.nix Normal file
View file

@ -0,0 +1,87 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.uvms.users;
authorizedKeys.keys = config.uvms.users.pubkeys.ssh;
mergeIf = cond: modules: lib.mkIf cond (lib.mkMerge modules);
in
{
imports = [ ./vars-use-wayland.nix ];
options = {
uvms.users.enable = lib.mkEnableOption "Set up usual immutable users (`root`, `user`)";
uvms.users.pubkeys.ssh = lib.mkOption {
description = "Authorized SSH keys for user@ and root@";
type = lib.types.listOf lib.types.str;
defalut = [ ];
};
uvms.users.pubkeys.enable =
lib.mkEnableOption "Deploy (SSH, &c) public (authorized) keys. This leaks certain public IDs into the VM"
// {
default = true;
};
uvms.users.proxyWayland = lib.mkEnableOption "Set up wayland-proxy-virtwl";
};
config = mergeIf cfg.enable [
{
services.getty.autologinUser = "user";
security.sudo.wheelNeedsPassword = false;
users.mutableUsers = false;
users.users.user = {
password = lib.mkDefault "hacktheplanet!";
isNormalUser = true;
createHome = true;
extraGroups = [
"video"
"wheel"
];
uid = 1000;
};
systemd.tmpfiles.settings."10-user-home" = {
"/home/user".z = {
user = "user";
group = "users";
};
};
}
(lib.mkIf cfg.deployPubkeys {
users.users.root.openssh = { inherit authorizedKeys; };
users.users.user.openssh = { inherit authorizedKeys; };
})
(lib.mkIf cfg.proxyWayland {
hardware.graphics.enable = true;
systemd.user.services.wayland-proxy = {
enable = true;
description = "Wayland Proxy";
serviceConfig = with pkgs; {
# Environment = "WAYLAND_DISPLAY=wayland-1";
ExecStart = "${wayland-proxy-virtwl}/bin/wayland-proxy-virtwl --virtio-gpu --x-display=0 --xwayland-binary=${xwayland}/bin/Xwayland --tag \"[${config.networking.hostName}]\"";
Restart = "always";
RestartSec = 5;
OOMScoreAdjust = -800;
};
wantedBy = [ "default.target" ];
};
environment.sessionVariables = {
WAYLAND_DISPLAY = "wayland-1";
};
xdg.portal = {
enable = true;
config.common.default = "*";
extraPortals = [
pkgs.xdg-desktop-portal-gtk
pkgs.xdg-desktop-portal-gnome
];
};
environment.systemPackages = [
pkgs.xdg-utils
pkgs.wl-clipboard
];
})
];
}

12
profiles/vars-use-wayland.nix Normal file
View file

@ -0,0 +1,12 @@
{
environment.sessionVariables = {
ELECTRON_OZONE_PLATFORM_HINT = "wayland";
MOZ_ENABLE_WAYLAND = "1";
QT_QPA_PLATFORM = "wayland"; # Qt Applications
GDK_BACKEND = "wayland"; # GTK Applications
XDG_SESSION_TYPE = "wayland"; # Electron Applications
SDL_VIDEODRIVER = "wayland";
CLUTTER_BACKEND = "wayland";
NIXOS_OZONE_WL = "1";
};
}

18
profiles/vsock-connect-guest.nix Normal file
View file

@ -0,0 +1,18 @@
{ options, lib, ... }:
{
config =
lib.optionalAttrs (options ? "microvm") {
microvm.cloud-hypervisor.extraArgs = [
"--vsock"
"cid=4,socket=CONNECT.sock"
];
}
// {
# Somehow, sshd calls to PAM with PAM_RHOST="UNKNOWN",
# prompting a slow DNS look-up each time...
#
# https://mastodon.acm.org/@nobody/115108458851355328
# https://github.com/linux-pam/linux-pam/issues/885#issuecomment-3030698895
networking.hosts."100::" = [ "UNKNOWN" ];
};
}

18
profiles/vsock-connect.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, pkgs, ... }:
{
programs.ssh.extraConfig =
let
ssh-proxy = pkgs.callPackage ../pkgs/ch-proxy/package.nix { };
in
''
Host vsock-mux%* uvm/* uuvm/*
ProxyCommand ${lib.getExe ssh-proxy} %h
ProxyUseFdpass yes
CheckHostIP no
# systemd: "Disable all kinds of host identity checks, since these addresses are generally ephemeral"
StrictHostKeyChecking no
'';
}