initial commit

templates/microvm/.envrc

@@ -0,0 +1 @@
+use flake

templates/microvm/.gitignore

@@ -0,0 +1,2 @@
+*.img
+.direnv/

templates/microvm/README.md

@@ -0,0 +1,67 @@
+# microvm
+
+[microvm](https://github.com/microvm-nix/microvm.nix) NixOS configuration.
+
+## Setup
+
+To be able to rebuild remotely and for convenient ssh access, add the uvm host to your Home Manager ssh configuration:
+
+```nix
+programs.ssh.matchBlocks = {
+  uvm = {
+    host = "uvm";
+    hostname = "localhost";
+    port = 2222;
+    user = "root";
+    checkHostIP = false;
+  };
+};
+```
+
+Create a new directory and initialize the template inside of it:
+
+```bash
+mkdir -p microvm
+cd microvm
+nix flake init -t git+https://git.sid.ovh/sid/synix#microvm
+```
+
+Add your public key to the NixOS configuration. See [`config/configuration.nix`](./config/configuration.nix).
+
+## Usage
+
+Run VM:
+
+```bash
+nix run .#microvm
+```
+
+Or with `tmux`:
+
+```bash
+tmux new-session -s microvm 'nix run .#microvm'
+```
+
+> `tmux` is available in the Nix development shell.
+
+SSH into VM:
+
+```bash
+ssh uvm
+```
+
+Remote rebuilding:
+
+```bash
+nix run .#rebuild <build-host> uvm
+```
+
+> Note: `<build-host>` needs to be a remote host where you login as root via ssh with no password.
+
+If you need to use remote sudo, you can also use [synix's rebuild script](https://git.sid.ovh/sid/synix/blob/master/modules/nixos/common/rebuild.sh) for remote rebuilds. But then, the root user password cannot be empty:
+
+```bash
+rebuild -p . -H uvm -T uvm -B <build-host>
+```
+
+You might want to set up [PAM's SSH agent Auth](https://search.nixos.org/options?channel=unstable&query=sshAgentAuth) or use an [askpass helper](https://search.nixos.org/options?channel=unstable&query=askpass).

templates/microvm/config/base.nix

@@ -0,0 +1,84 @@
+# Edit this only if you know what you're doing.
+{ inputs, outputs, ... }:
+
+{
+  imports = [
+    inputs.microvm.nixosModules.microvm
+  ];
+
+  networking.hostName = "uvm";
+
+  users.users.root = {
+    password = "";
+  };
+  services.getty.autologinUser = "root";
+
+  microvm = {
+    volumes = [
+      {
+        mountPoint = "/var";
+        image = "var.img";
+        size = 256;
+      }
+    ];
+    shares = [
+      {
+        proto = "9p";
+        tag = "ro-store";
+        source = "/nix/store";
+        mountPoint = "/nix/.ro-store";
+      }
+    ];
+    interfaces = [
+      {
+        type = "user";
+        id = "qemu";
+        mac = "02:00:00:00:00:01";
+      }
+    ];
+    forwardPorts = [
+      {
+        host.port = 2222;
+        guest.port = 22;
+      }
+    ];
+    optimize.enable = true;
+    hypervisor = "qemu";
+    socket = "control.socket";
+  };
+
+  nix = {
+    channel.enable = false;
+    settings = {
+      experimental-features = "nix-command flakes";
+      builders-use-substitutes = true;
+      substituters = [
+        "https://cache.nixos.org"
+        "https://nix-community.cachix.org"
+        "https://microvm.cachix.org"
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys="
+      ];
+    };
+  };
+
+  nixpkgs.overlays = [
+    outputs.overlays.synix-packages
+    outputs.overlays.local-packages
+  ];
+
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    openFirewall = true;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = false;
+    };
+  };
+
+  system.stateVersion = "25.11";
+}

templates/microvm/config/configuration.nix

@@ -0,0 +1,10 @@
+{
+  users.users.root = {
+    openssh.authorizedKeys.keyFiles = [
+      # copy your public key here and point to it
+      # ./id_rsa.pub
+    ];
+  };
+
+  # Add the rest of your configuration here
+}

templates/microvm/config/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./base.nix
+    ./configuration.nix
+  ];
+}

templates/microvm/flake.nix

@@ -0,0 +1,96 @@
+{
+  description = "MicroVM NixOS configurations";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    microvm.url = "github:microvm-nix/microvm.nix";
+    microvm.inputs.nixpkgs.follows = "nixpkgs";
+
+    synix.url = "git+https://git.sid.ovh/sid/synix.git?ref=release-25.11";
+    synix.imputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      ...
+    }@inputs:
+    let
+      inherit (self) outputs;
+
+      supportedSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
+
+      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+
+      lib = nixpkgs.lib.extend (final: prev: inputs.synix.lib or { });
+
+      mkApp = program: description: {
+        type = "app";
+        inherit program;
+        meta.description = description;
+      };
+
+      mkNixosConfiguration =
+        system: modules:
+        nixpkgs.lib.nixosSystem {
+          inherit system modules;
+          specialArgs = {
+            inherit inputs outputs lib;
+          };
+        };
+    in
+    {
+      apps = forAllSystems (
+        system:
+        let
+          microvm = self.nixosConfigurations."microvm-${system}".config.microvm;
+          inherit (nixpkgs.lib) getExe;
+        in
+        {
+          rebuild = mkApp (getExe microvm.deploy.rebuild) "Rebuild the VM.";
+          microvm = mkApp (getExe microvm.declaredRunner) "Run the VM.";
+        }
+      );
+
+      packages = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        import ./pkgs { inherit pkgs; }
+      );
+
+      overlays = import ./overlays { inherit (self) inputs; };
+
+      devShells = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        {
+          default = pkgs.mkShell {
+            buildInputs = with pkgs; [
+              tmux
+            ];
+          };
+          # FIXME: `microvm.deploy.rebuild` does not seem to care about askpass
+          # shellHook = ''
+          #   export SSH_ASKPASS="pass <SUDO_BUILD_HOST_PASSWORD>"
+          #   export SSH_ASKPASS_REQUIRE="force"
+          # '';
+        }
+      );
+
+      nixosModules = import ./modules;
+
+      nixosConfigurations = {
+        microvm-x86_64-linux = mkNixosConfiguration "x86_64-linux" [ ./config ];
+        microvm-aarch64-linux = mkNixosConfiguration "aarch64-linux" [ ./config ];
+      };
+    };
+}

templates/microvm/modules/default.nix

@@ -0,0 +1,3 @@
+{
+  # example = import ./example;
+}

templates/microvm/overlays/default.nix

@@ -0,0 +1,7 @@
+{ inputs, ... }:
+
+{
+  synix-packages = final: prev: { synix = inputs.synix.overlays.additions final prev; };
+
+  local-packages = final: prev: { local = import ../pkgs { pkgs = final; }; };
+}

templates/microvm/pkgs/default.nix

@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+
+{
+  # example = pkgs.callPackage ./example { };
+}