1 files changed, 88 insertions, 0 deletions
diff --git a/lib/mk-sandbox-system.nix b/lib/mk-sandbox-system.nix
new file mode 100644
index 0000000..6135a01
--- /dev/null
+++ b/lib/mk-sandbox-system.nix
@@ -0,0 +1,88 @@
+{ nixpkgs
+, system
+, name ? "sandbox"
+, user ? "dummy"
+, config ? { }
+}:
+with nixpkgs.lib;
+let
+  pkgs = import nixpkgs { inherit system; };
+in rec {
+  nixosConfigurations.${name} = nixosSystem {
+    inherit system;
+    modules = [
+      (nixpkgs + "/nixos/modules/profiles/minimal.nix")
+      { environment.noXlibs = false; }  # avoid mass rebuild
+      (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+      (nixpkgs + "/nixos/modules/virtualisation/qemu-vm.nix")
+      ({ config, lib, pkgs, ... }: {
+        system.stateVersion = mkDefault "22.05";
+        networking = {
+          hostName = name;
+          firewall.enable = mkDefault false;
+        };
+        users.users.${user} = {
+          isNormalUser = mkDefault true;
+          password = mkDefault "";
+          extraGroups = mkDefault [ "wheel" ];
+        };
+        security.sudo.wheelNeedsPassword = mkDefault false;
+        services.getty = {
+          autologinUser = mkDefault user;
+          helpLine = mkDefault ''
+            Press <CTRL-a> <x> to terminate the virtual machine.
+            The working directory on the host is mounted to /mnt.
+          '';
+        };
+        virtualisation = {
+          graphics = mkDefault false;
+          diskImage = mkDefault "$(mktemp).qcow2";
+          sharedDirectories.host = {
+            source = "$SHARED_CWD";
+            target = "/mnt";
+          };
+          # Uncomment when this is merged:
+          # https://github.com/NixOS/nixpkgs/pull/200225
+          #restrictNetwork = mkDefault true;
+        };
+      })
+      config
+    ];
+  };
+  packages.${name} = nixosConfigurations.${name}.config.system.build.vm;
+  apps.${name} = {
+    type = "app";
+    program = toString (pkgs.writeShellScript "sandbox-vm" ''
+      # Isolate from network
+      # Stopgap solution until this is merged:
+      # https://github.com/NixOS/nixpkgs/pull/200225
+      QEMU_NET_OPTS="restrict=yes,''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
+      export QEMU_NET_OPTS
+      # Save current directory for mounting in VM
+      SHARED_CWD=$PWD
+      export SHARED_CWD
+      ${packages.${name}}/bin/run-${name}-vm
+    '');
+  };
+}

diff --git a/lib/mk-sandbox-system.nix b/lib/mk-sandbox-system.nix new file mode 100644 index 0000000..6135a01 --- /dev/null +++ b/lib/mk-sandbox-system.nix
@@ -0,0 +1,88 @@
	1	{ nixpkgs
	2	, system
	3	, name ? "sandbox"
	4	, user ? "dummy"
	5	, config ? { }
	6	}:
	7
	8	with nixpkgs.lib;
	9
	10	let
	11	pkgs = import nixpkgs { inherit system; };
	12
	13	in rec {
	14
	15	nixosConfigurations.${name} = nixosSystem {
	16	inherit system;
	17
	18	modules = [
	19	(nixpkgs + "/nixos/modules/profiles/minimal.nix")
	20	{ environment.noXlibs = false; } # avoid mass rebuild
	21
	22	(nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
	23	(nixpkgs + "/nixos/modules/virtualisation/qemu-vm.nix")
	24
	25	({ config, lib, pkgs, ... }: {
	26
	27	system.stateVersion = mkDefault "22.05";
	28
	29	networking = {
	30	hostName = name;
	31	firewall.enable = mkDefault false;
	32	};
	33
	34	users.users.${user} = {
	35	isNormalUser = mkDefault true;
	36	password = mkDefault "";
	37	extraGroups = mkDefault [ "wheel" ];
	38	};
	39
	40	security.sudo.wheelNeedsPassword = mkDefault false;
	41
	42	services.getty = {
	43	autologinUser = mkDefault user;
	44	helpLine = mkDefault ''
	45	Press <CTRL-a> <x> to terminate the virtual machine.
	46	The working directory on the host is mounted to /mnt.
	47	'';
	48	};
	49
	50	virtualisation = {
	51	graphics = mkDefault false;
	52	diskImage = mkDefault "$(mktemp).qcow2";
	53
	54	sharedDirectories.host = {
	55	source = "$SHARED_CWD";
	56	target = "/mnt";
	57	};
	58
	59	# Uncomment when this is merged:
	60	# https://github.com/NixOS/nixpkgs/pull/200225
	61	#restrictNetwork = mkDefault true;
	62	};
	63	})
	64
	65	config
	66	];
	67	};
	68
	69	packages.${name} = nixosConfigurations.${name}.config.system.build.vm;
	70
	71	apps.${name} = {
	72	type = "app";
	73	program = toString (pkgs.writeShellScript "sandbox-vm" ''
	74	# Isolate from network
	75	# Stopgap solution until this is merged:
	76	# https://github.com/NixOS/nixpkgs/pull/200225
	77	QEMU_NET_OPTS="restrict=yes,''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
	78	export QEMU_NET_OPTS
	79
	80	# Save current directory for mounting in VM
	81	SHARED_CWD=$PWD
	82	export SHARED_CWD
	83
	84	${packages.${name}}/bin/run-${name}-vm
	85	'');
	86	};
	87
	88	}