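{
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    rust-overlay.url = "github:oxalica/rust-overlay";
    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
    { self, nixpkgs, rust-overlay }:
    let
      inherit (nixpkgs) lib;

      # Only Linux targets are instantiated here; packages.*.meta.platforms also
      # lists darwin, but no darwin system is evaluated by this flake.
      systems = [ "x86_64-linux" "aarch64-linux" ];

      # Instantiate nixpkgs (with the rust overlay) once per system and hand
      # `system`, `pkgs` and the pinned stable toolchain to `f`.
      forAllSystems =
        f:
        lib.genAttrs systems (
          system:
          let
            pkgs = import nixpkgs {
              inherit system;
              overlays = [ (import rust-overlay) ];
            };
            rust-bin = rust-overlay.lib.mkRustBin { } pkgs.buildPackages;
            # rust-src is what RUST_SRC_PATH in the dev shell points into.
            toolchain = rust-bin.stable.latest.default.override {
              extensions = [ "rust-src" ];
            };
          in
          f system pkgs toolchain
        );
    in
    {
      apps = forAllSystems (
        system: pkgs: _: {
          default = self.apps.${system}.vm;
          # `nix run` boots the matching "vm-<system>" test configuration.
          vm = {
            type = "app";
            program = "${lib.getExe self.nixosConfigurations."vm-${system}".config.system.build.vm}";
          };
        }
      );

      # Development shell: the overlay's stable toolchain plus cargo-edit.
      devShells = forAllSystems (
        system: pkgs: toolchain: {
          default = pkgs.mkShell {
            nativeBuildInputs = with pkgs; [ toolchain cargo-edit ];
            RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
          };
        }
      );
      # `devShell.<system>` is the legacy spelling of `devShells.<system>.default`;
      # kept as an alias so existing references keep resolving.
      devShell = forAllSystems (system: _: _: self.devShells.${system}.default);

      overlays = {
        default = self.overlays.container-tool;
        # NOTE(review): the overlay re-exports the package built against this
        # flake's own nixpkgs instantiation rather than `final`, so a consumer's
        # nixpkgs overrides do not reach it.
        container-tool = final: prev: {
          inherit (self.packages.${prev.stdenv.hostPlatform.system}) container-tool;
        };
      };

      packages = forAllSystems (
        system: pkgs: _: {
          default = self.packages.${system}.container-tool;
          # pname/version/mainProgram are read from the crate's Cargo.toml so the
          # flake does not duplicate them.
          container-tool =
            let
              cargoToml = builtins.fromTOML (builtins.readFile ./container-tool/Cargo.toml);
            in
            pkgs.callPackage (
              { lib, rustPlatform }:
              rustPlatform.buildRustPackage {
                pname = cargoToml.package.name;
                version = cargoToml.package.version;
                src = lib.cleanSource ./container-tool;
                cargoLock.lockFile = ./container-tool/Cargo.lock;
                meta = with lib; {
                  license = licenses.mit;
                  platforms = platforms.linux ++ platforms.darwin;
                  # Cargo names an auto-discovered binary after the package when
                  # Cargo.toml carries no [[bin]] table; fall back to that instead
                  # of failing on `head []`.
                  mainProgram = (lib.head (cargoToml.bin or [ { name = cargoToml.package.name; } ])).name;
                };
              }
            ) { };
        }
      );

      nixosModules.default = ./modules/user-jails.nix;

      # One "vm-<system>" test configuration per system, exercising the
      # user-jails module with two differently configured users.
      nixosConfigurations = lib.mapAttrs' (n: v: lib.nameValuePair "vm-${n}" v) (
        forAllSystems (
          system: pkgs: _:
          lib.nixosSystem {
            inherit system pkgs;
            modules = [
              "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
              self.nixosModules.default
              (
                { config, ... }:
                {
                  system.stateVersion = config.system.nixos.release;
                  virtualisation.graphics = false;
                  # Test-VM only: root is auto-logged-in on the console and every
                  # test user shares a literal password that ends up in the Nix
                  # store (the MOTD advertises it on purpose). Presumably the
                  # guest's sshd is only reachable from inside the VM under
                  # qemu-vm's default networking, since no
                  # virtualisation.forwardPorts is set -- confirm before reusing
                  # this module outside the test VM.
                  services.getty.autologinUser = "root";
                  users.motd = ''
                    ==================================
                    Welcome to the user-jails test vm!

                    Try logging in as a user:
                      ssh user1@localhost
                      ssh user2@localhost

                    user1: default jail
                      - private networking
                      - global users (private users doesn't work atm)
                      - allow outside network access

                    user2: permissive jail
                      - global networking
                      - global users
                      - allow outside network access

                    All users have password 'foobar'

                    To exit, press Ctrl+A, then X
                    ==================================
                  '';

                  users.users.user1 = {
                    uid = 1000;
                    isNormalUser = true;
                    createHome = true;
                    password = "foobar";
                  };
                  # `users.users'` is the jail option tree from ./modules/user-jails.nix
                  # (imported via self.nixosModules.default above).
                  users.users'.user1.jail = {
                    enable = true;
                    # Private users doesn't work inside VM for now
                    # See https://github.com/NixOS/nixpkgs/issues/451167
                    useGlobalUsers = true;
                  };

                  users.users.user2 = {
                    uid = 1001;
                    isNormalUser = true;
                    createHome = true;
                    password = "foobar";
                  };
                  users.users'.user2.jail = {
                    enable = true;
                    # bindGlobalNixStore = true; # doesn't do anything for now
                    useGlobalNetworking = true;
                    useGlobalUsers = true;
                  };

                  # users.users.user3 = {
                  #   uid = 1002;
                  #   isNormalUser = true;
                  #   createHome = true;
                  #   password = "foobar";
                  # };
                  # users.users'.user3.jail = {
                  #   enable = true;
                  #   allowNetworking = false;
                  # };
                  # MOTD description:
                  # user3: strict jail
                  #   - private networking
                  #   - private users
                  #   - deny outside network access

                  # sshd backs the "ssh userN@localhost" exercise from the root console.
                  services.openssh.enable = true;
                  programs.vim.enable = true;
                }
              )
            ];
          }
        )
      );
    };
}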