Add SSH

Author: shlevy

.envrc

@@ -0,0 +1,2 @@
+watch_file *.nix
+use flake . --impure

.gitignore

@@ -0,0 +1,4 @@
+.devenv
+.direnv
+.pre-commit-config.yaml
+nixos.qcow2

README.md

@@ -0,0 +1,7 @@
+# VM
+Host marlowe-vm
+     HostName localhost
+     Port 2221
+     ForwardAgent yes
+     StrictHostKeyChecking no
+     UserKnownHostsFile /dev/null

access.nix

@@ -0,0 +1,51 @@
+{ lib, config, pkgs, ... }:
+let
+  inherit (lib) types mkOption;
+  userType = types.submodule {
+    options = {
+      admin = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether the user is an admin";
+      };
+      keys = mkOption {
+        type = types.listOf types.str;
+        description = "The user's SSH public key";
+      };
+      name = mkOption {
+        type = types.str;
+        description = "The user's name";
+      };
+    };
+  };
+in {
+  options = {
+    marlowe.users = lib.mkOption {
+      type = lib.types.attrsOf userType;
+      internal = true;
+      description = "The users with access to the machine";
+    };
+  };
+  config = {
+    marlowe.users = lib.importTOML ./users.toml;
+
+    users.users = lib.mapAttrs (_: user:
+      {
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = user.keys;
+        description = user.name;
+      } // lib.optionalAttrs user.admin { extraGroups = [ "wheel" ]; })
+      config.marlowe.users;
+
+    # Enable SSH + mosh
+    environment.systemPackages = with pkgs; [ mosh ];
+    services.openssh.enable = true;
+    networking.firewall.allowedTCPPorts = [ 22 ];
+    networking.firewall.allowedUDPPortRanges = lib.singleton {
+      from = 60001;
+      to = 60999;
+    };
+    security.pam.enableSSHAgentAuth = true;
+    security.pam.services.sudo.sshAgentAuth = true;
+  };
+}

bootloader.nix

@@ -0,0 +1,4 @@
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+}

configuration.nix

@@ -0,0 +1,7 @@
+{
+  imports = [ ./access.nix ./bootloader.nix ./vm.nix ];
+
+  nixpkgs.localSystem.system = "x86_64-linux";
+
+  system.stateVersion = "23.11";
+}

flake.lock

@@ -0,0 +1,43 @@
+{
+  inputs = {
+    # When updating past 23.11, use runtimeEnv in writeShellApplication
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    devenv.url = "github:cachix/devenv";
+  };
+
+  outputs = inputs@{ flake-parts, devenv, nixpkgs, self }:
+    flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
+      imports = [ devenv.flakeModule ];
+      systems = [ "x86_64-linux" ];
+      flake.nixosConfigurations.marlowe = nixpkgs.lib.nixosSystem {
+        modules = lib.singleton ./configuration.nix;
+      };
+
+      perSystem = { pkgs, ... }:
+        let
+          utilities = {
+            start-vm = pkgs.writeShellApplication {
+              name = "start-vm";
+              text = ''
+                export QEMU_NET_OPTS="hostfwd=tcp::2221-:22"
+                exec run-nixos-vm
+              '';
+              runtimeInputs =
+                [ self.nixosConfigurations.marlowe.config.system.build.vm ];
+            };
+          };
+        in {
+          apps =
+            lib.mapAttrs (name: prog: { program = "${prog}/bin/${name}"; });
+          devenv.shells.default = {
+            pre-commit.hooks = {
+              nixfmt.enable = true;
+              deadnix.enable = true;
+              statix.enable = true;
+            };
+            packages = with pkgs;
+              [ nixos-rebuild ] ++ lib.mapAttrsToList (_: prog: prog) utilities;
+          };
+        };
+    });
+}