authorLinnnus <[email protected]>2025-02-15 10:37:08 +0100
committerLinnnus <[email protected]>2025-02-15 10:50:02 +0100
commit4bbe4ecb4fe61275640513a03a4a4fa4746193fe (patch)
tree5be14fbb60ea754cf9af94289e3d68295d3854bb /hosts
parentf39c3be2f03e810fddaae3b3c263d350013cea28 (diff)
muhammed/dev-vm: Add development VM
Diffstat (limited to 'hosts')
-rw-r--r--hosts/muhammed/configuration.nix1
-rw-r--r--hosts/muhammed/dev-vm/configuration/configuration.nix33
-rw-r--r--hosts/muhammed/dev-vm/configuration/ssh.nix24
-rw-r--r--hosts/muhammed/dev-vm/configuration/user.nix23
-rw-r--r--hosts/muhammed/dev-vm/configuration/virtualization.nix46
-rw-r--r--hosts/muhammed/dev-vm/default.nix68
-rw-r--r--hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key7
-rw-r--r--hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key.pub1
-rw-r--r--hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key7
-rw-r--r--hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key.pub1
10 files changed, 211 insertions, 0 deletions
diff --git a/hosts/muhammed/configuration.nix b/hosts/muhammed/configuration.nix
index 54fd36e..3fa1290 100644
--- a/hosts/muhammed/configuration.nix
+++ b/hosts/muhammed/configuration.nix
@@ -10,6 +10,7 @@
../../shared/nixos-and-darwin/common-hm-settings
./remote-builders
+ ./dev-vm
./update-git-repos
];
diff --git a/hosts/muhammed/dev-vm/configuration/configuration.nix b/hosts/muhammed/dev-vm/configuration/configuration.nix
new file mode 100644
index 0000000..9659293
--- /dev/null
+++ b/hosts/muhammed/dev-vm/configuration/configuration.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ hostPkgs,
+ workingDirectory,
+ ...
+}: {
+ imports = [
+ ../../../../shared/nixos/danish
+ ../../../../shared/nixos/common-nix-settings
+ ../../../../shared/nixos/common-shell-settings
+ ../../../../shared/nixos-and-darwin/common-hm-settings
+
+ ./virtualization.nix
+ ./ssh.nix
+ ./user.nix
+ ];
+
+ networking.hostName = "dev-vm";
+
+ system.build.macos-vm-installer = hostPkgs.writeShellScriptBin "create-builder" ''
+ set -euo pipefail
+
+ ${lib.optionalString (workingDirectory != ".") ''
+ # When running as non-interactively as part of a DarwinConfiguration the working directory
+ # must be set to a writeable directory.
+ ${hostPkgs.coreutils}/bin/mkdir --parent -- ${lib.escapeShellArg workingDirectory}
+ cd -- ${lib.escapeShellArg workingDirectory}
+ ''}
+
+ ${lib.getExe config.system.build.vm}
+ '';
+}
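Review bot: The comment above the `mkdir`/`cd` pair (lines 65-66) reads "When running as non-interactively as part of a DarwinConfiguration"; the stray "as" should go, and the comment should say why the directory must be writeable, e.g. `# When run non-interactively from the Darwin configuration (launchd), the VM runner presumably writes its state into the working directory, so it must exist and be writeable.` The guard `workingDirectory != "."` also only recognises the literal `.`; any other relative path such as `./state` is treated as absolute and gets `mkdir`'d relative to whatever the caller's cwd is, so either state in a comment that `.` is the only relative value supported or compare with `lib.hasPrefix "/"` instead.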
diff --git a/hosts/muhammed/dev-vm/configuration/ssh.nix b/hosts/muhammed/dev-vm/configuration/ssh.nix
new file mode 100644
index 0000000..fbafc62
--- /dev/null
+++ b/hosts/muhammed/dev-vm/configuration/ssh.nix
@@ -0,0 +1,24 @@
+{...}: {
+ services.openssh.enable = true;
+
+ # Allow incomming connections from the VM host.
+ users.users.linus.openssh.authorizedKeys.keyFiles = [(toString ../keys/ssh_vmhost_ed25519_key.pub)];
+
+ # Don't generate any host keys automatically. We will use these hardcoded
+ # ones instead. Storing keys in plaintext would normally be SUPER SUPER BAD
+ # but in this case it doesn't matter, since it's just a local VM.
+ services.openssh.hostKeys = [];
+
+ # Install the very public private key.
+ environment.etc = {
+ # Note the seemingly reversed file names: "host" in this filename is relative to the VM guest.
+ "ssh/ssh_host_ed25519_key" = {
+ mode = "0600";
+ source = ../keys/ssh_vmguest_ed25519_key;
+ };
+ "ssh/ssh_host_ed25519_key.pub" = {
+ mode = "0644";
+ source = ../keys/ssh_vmguest_ed25519_key.pub;
+ };
+ };
+}
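Review bot: Key-based login from the host is configured on line 84, but password authentication is left at the NixOS default (enabled), and `user.nix` in this same commit gives `linus` the fixed password `diller` plus `wheel` membership, so anything that can reach the forwarded SSH port can log in without the key. Since the key is the intended path, switch the password path off here: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. Typo in the comment on line 83: `incomming` → `incoming`.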
diff --git a/hosts/muhammed/dev-vm/configuration/user.nix b/hosts/muhammed/dev-vm/configuration/user.nix
new file mode 100644
index 0000000..bf2b93f
--- /dev/null
+++ b/hosts/muhammed/dev-vm/configuration/user.nix
@@ -0,0 +1,23 @@
+{
+ # Register the user which we will be logging into from the host.
+ users.users.linus = {
+ isNormalUser = true;
+ password = "diller"; # Don't care. No security implications.
+ extraGroups = ["wheel"];
+ };
+
+ home-manager.users.linus = {
+ imports = [
+ ../../../../shared/home-manager/development-full
+ ];
+ home.stateVersion = "24.05";
+ };
+
+ # Allow passwordless sudo for easy use. We don't have to be too worried about wrecking the system.
+ security.sudo.extraRules = [
+ {
+ users = ["linus"];
+ commands = ["ALL"];
+ }
+ ];
+}
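Review bot: The comment on line 125 promises passwordless sudo, but the rule on lines 126-131 is `commands = ["ALL"]` with no `NOPASSWD` option, so sudo will still prompt for the password; it merely duplicates what the `wheel` membership on line 115 already grants. Either make the comment match the code, or make the code match the comment with `commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];` (or simply `security.sudo.wheelNeedsPassword = false;` and drop the extra rule).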
diff --git a/hosts/muhammed/dev-vm/configuration/virtualization.nix b/hosts/muhammed/dev-vm/configuration/virtualization.nix
new file mode 100644
index 0000000..bf24b4b
--- /dev/null
+++ b/hosts/muhammed/dev-vm/configuration/virtualization.nix
@@ -0,0 +1,46 @@
+{
+ hostPkgs,
+ hostPort,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ "${modulesPath}/virtualisation/qemu-vm.nix"
+ ];
+
+ virtualisation.host = {pkgs = hostPkgs;};
+
+ # DNS fails for QEMU user networking (SLiRP) on macOS.
+ #
+ # This works around that by using a public DNS server other than the DNS
+ # server that QEMU provides (normally 10.0.2.3)
+ #
+ # See: https://github.com/utmapp/UTM/issues/2353
+ networking.nameservers = ["8.8.8.8"];
+
+ # System is deployed by image.
+ system.disableInstallerTools = true;
+
+ virtualisation.forwardPorts = [
+ {
+ from = "host";
+ guest.port = 22;
+ host.port = hostPort;
+ }
+ ];
+
+ # We will be connecting over SSH.
+ virtualisation.graphics = false;
+
+ # When the Nix store is shared with the VM host via 9p (the default) and the
+ # VM host is a Darwin system with the store mounted on a case-insensitive
+ # APFS volume (also the default), the case-hack will be visible on the guest.
+ #
+ # With NixOS/nixpkgs#347636 this is fixed for store images, but not for the
+ # 9P protocol. So for now we will use that as a temporary fix.
+ #
+ # See: https://github.com/NixOS/nix/issues/9319
+ # See: https://nix.dev/manual/nix/2.24/command-ref/conf-file.html#conf-use-case-hack
+ virtualisation.useNixStoreImage = true;
+ virtualisation.writableStore = true; # Only default for mounted store.
+}
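Review bot: The `virtualisation.forwardPorts` entry on lines 162-168 sets no `host.address`, and the option's default (empty string) makes QEMU's `hostfwd` listen on all host interfaces, so the guest's SSH port is reachable from the local network and not only from the Darwin host; together with the fixed password in `user.nix` that is more exposure than the "just a local VM" comment in `ssh.nix` assumes. Bind it to loopback: `host.address = "127.0.0.1";`. The comment above `networking.nameservers` could also name the option it overrides (the SLiRP-provided resolver at 10.0.2.3 is already mentioned) so it is clear this is a macOS-only workaround that Linux hosts should not copy.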
diff --git a/hosts/muhammed/dev-vm/default.nix b/hosts/muhammed/dev-vm/default.nix
new file mode 100644
index 0000000..e7fb05b
--- /dev/null
+++ b/hosts/muhammed/dev-vm/default.nix
@@ -0,0 +1,68 @@
+# This module sets up a development VM which I use for developing Linux stuff
+# on this Darwin host.
+{
+ lib,
+ pkgs,
+ flakeInputs,
+ flakeOutputs,
+ metadata,
+ ...
+}: let
+ workingDirectory = "/var/lib/dev-vm";
+
+ # Port 22 on the guest is forwarded to this port on the host.
+ port = 31023;
+
+ guest-system = import "${pkgs.path}/nixos" {
+ configuration = {
+ imports = [
+ {
+ _module.args = {
+ hostPkgs = pkgs;
+ hostPort = port;
+ inherit workingDirectory flakeInputs flakeOutputs metadata;
+ };
+ }
+ flakeInputs.home-manager.nixosModules.home-manager
+ flakeInputs.agenix.nixosModules.default
+ ./configuration/configuration.nix
+ ];
+ };
+ system = builtins.replaceStrings ["darwin"] ["linux"] pkgs.stdenv.hostPlatform.system;
+ };
+in {
+ system.activationScripts.preActivation.text = ''
+ mkdir -p ${lib.escapeShellArg workingDirectory}
+ '';
+
+ launchd.agents.dev-vm = {
+ script = ''
+ # create-builder uses TMPDIR to share files with the builder, notably certs.
+ # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days.
+ # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish.
+ # So we'll use /run/org.nixos.dev-vm instead and clean it up ourselves.
+ export TMPDIR=/run/org.nixos.dev-vm
+ export USE_TMPDIR=1
+
+ rm -rf "$TMPDIR"
+ mkdir -p "$TMPDIR"
+ trap 'rm -rf "$TMPDIR"' EXIT
+
+ ${guest-system.config.system.build.macos-vm-installer}/bin/create-builder
+ '';
+
+ serviceConfig = {
+ KeepAlive = true;
+ RunAtLoad = true;
+ WorkingDirectory = workingDirectory;
+ };
+ };
+
+ environment.etc."ssh/ssh_config.d/100-dev-vm.conf".text = ''
+ Host ${guest-system.config.networking.hostName}
+ User linus # Also hardcoded in `configuration.nix`.
+ Hostname localhost
+ Port ${toString port}
+ IdentityFile ${./keys/ssh_vmhost_ed25519_key}
+ '';
+}
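Review bot: The script in `launchd.agents.dev-vm` removes and recreates `/run/org.nixos.dev-vm` (lines 234-239) and the VM is started inside `/var/lib/dev-vm`, which the root-run `preActivation` script creates on line 225, yet nix-darwin's `launchd.agents` run as the logged-in user, for whom neither `/run` nor a freshly root-created `/var/lib/dev-vm` is writable; since the script has no `set -e`, the `mkdir` failure would pass silently and `create-builder` would run with `TMPDIR` pointing at a missing directory. The upstream linux-builder module this mirrors uses `launchd.daemons` (root); if a per-user agent is intentional, point `TMPDIR` and `workingDirectory` at user-owned paths and start the script with `set -euo pipefail` so such failures surface in the agent's log. This is inferred from the option names rather than from a running system, so confirm by checking the agent's exit status once it is loaded.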
diff --git a/hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key b/hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key
new file mode 100644
index 0000000..6452f7c
--- /dev/null
+++ b/hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAO3LQOkRUaZzC8yHFW0+Wp6Ax3QsftNp6hlVsKeyh11gAAAJhSD0sNUg9L
+DQAAAAtzc2gtZWQyNTUxOQAAACAO3LQOkRUaZzC8yHFW0+Wp6Ax3QsftNp6hlVsKeyh11g
+AAAEClA0qa/lQtOR0/LNNl1kZy3apqcZ7sqlwxxahaEAcWiw7ctA6RFRpnMLzIcVbT5ano
+DHdCx+02nqGVWwp7KHXWAAAADmxpbnVzQG11aGFtbWVkAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key.pub b/hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key.pub
new file mode 100644
index 0000000..1d52ccc
--- /dev/null
+++ b/hosts/muhammed/dev-vm/keys/ssh_vmguest_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7ctA6RFRpnMLzIcVbT5anoDHdCx+02nqGVWwp7KHXW linus@muhammed
diff --git a/hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key b/hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key
new file mode 100644
index 0000000..dc4e120
--- /dev/null
+++ b/hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACATv/7WLWrdsK14Ve5s8spym4lEstPnPYRG6IGHCfwbMQAAAJi/z+mkv8/p
+pAAAAAtzc2gtZWQyNTUxOQAAACATv/7WLWrdsK14Ve5s8spym4lEstPnPYRG6IGHCfwbMQ
+AAAECDdmZO8TzLqIjLnyB6NjU2G8GTHzAIhvIomm0n5CJBfxO//tYtat2wrXhV7mzyynKb
+iUSy0+c9hEbogYcJ/BsxAAAADmxpbnVzQG11aGFtbWVkAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key.pub b/hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key.pub
new file mode 100644
index 0000000..60d161c
--- /dev/null
+++ b/hosts/muhammed/dev-vm/keys/ssh_vmhost_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBO//tYtat2wrXhV7mzyynKbiUSy0+c9hEbogYcJ/Bsx