path: root/lib/mk-sandbox-system.nix
blob: e216e29794895fb1dddcfea818f0187f21440214 (plain)
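# Builds a single-user NixOS "sandbox" VM and exposes it as flake-style
# outputs:
#   nixosConfigurations.<name>  the qemu-vm based NixOS system
#   packages.<name>             the run-<name>-vm launcher script
#   apps.<name>                 a wrapper that isolates the VM's network and
#                               shares the caller's working directory at /mnt
#
# Arguments:
#   nixpkgs  path to a nixpkgs checkout; its lib provides nixosSystem/mkDefault
#   system   system string for host and guest, e.g. "x86_64-linux"
#   name     used for the guest hostname and the output attribute names
#   user     the auto-logged-in guest user
#   config   an extra NixOS module merged last; every setting below is
#            `mkDefault`, so `config` can override or tighten any of them
{ nixpkgs
, system
, name ? "sandbox"
, user ? "dummy"
, config ? { }
}:

with nixpkgs.lib;

let
  pkgs = import nixpkgs { inherit system; };

in rec {

  nixosConfigurations.${name} = nixosSystem {
    inherit system;

    modules = [
      (nixpkgs + "/nixos/modules/profiles/minimal.nix")
      { environment.noXlibs = false; }  # avoid mass rebuild

      (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
      (nixpkgs + "/nixos/modules/virtualisation/qemu-vm.nix")

      ({ config, lib, pkgs, ... }: {

        system.stateVersion = mkDefault "22.05";

        networking = {
          hostName = name;
          firewall.enable = mkDefault false;
        };

        # Throwaway-VM convenience: empty password, wheel membership,
        # passwordless sudo and console autologin.  The VM's network
        # isolation (see apps.<name>) is what keeps this acceptable; pass a
        # stricter `config` if the guest is ever run with networking enabled.
        users.users.${user} = {
          isNormalUser = mkDefault true;
          password = mkDefault "";
          extraGroups = mkDefault [ "wheel" ];
        };

        security.sudo.wheelNeedsPassword = mkDefault false;

        services.getty = {
          autologinUser = mkDefault user;
          helpLine = mkDefault ''
            Press <CTRL-a> <x> to terminate the virtual machine.
            The working directory on the host is mounted to /mnt.
          '';
        };

        virtualisation = {
          graphics = mkDefault false;

          # Expanded by the shell inside run-<name>-vm.  A private (0700)
          # temporary directory keeps the guest disk -- and whatever the
          # sandbox wrote to it -- from other users on the host; the former
          # "$(mktemp).qcow2" also left an unused empty temp file behind,
          # since the suffix made the image a different path from the one
          # mktemp created.
          diskImage = mkDefault "$(mktemp -d)/${name}.qcow2";

          sharedDirectories.host = {
            # SHARED_CWD is exported by apps.<name>; fall back to the
            # caller's cwd when run-<name>-vm from packages.<name> is
            # started directly, instead of passing an empty path to QEMU.
            source = "\${SHARED_CWD:-$PWD}";
            target = "/mnt";
          };

          # Uncomment when this is merged:
          # https://github.com/NixOS/nixpkgs/pull/200225
          #restrictNetwork = mkDefault true;
        };
      })

      config
    ];
  };

  packages.${name} = nixosConfigurations.${name}.config.system.build.vm;

  apps.${name} = {
    type = "app";
    program = toString (pkgs.writeShellScript "sandbox-vm" ''
      # Isolate from network (QEMU user-mode networking, restrict=yes).
      # Stopgap solution until this is merged:
      # https://github.com/NixOS/nixpkgs/pull/200225
      # ''${VAR:+,$VAR} already supplies the separating comma, so no comma
      # follows restrict=yes (the old form yielded "restrict=yes,," when
      # QEMU_NET_OPTS was set and a trailing comma when it was not).
      QEMU_NET_OPTS="restrict=yes''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
      export QEMU_NET_OPTS

      # Save current directory for mounting in VM
      SHARED_CWD=$PWD
      export SHARED_CWD

      ${packages.${name}}/bin/run-${name}-vm

      # Restore the terminal once the guest console has exited.
      reset
    '');
  };

}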