user-jails/flake.nix
2025-11-21 13:25:55 +09:00


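{
  inputs = {
    # Indirect reference, resolved through the flake registry; the lock file
    # pins the exact revision that is actually evaluated and built.
    nixpkgs.url = "nixpkgs/nixos-unstable";
    rust-overlay.url = "github:oxalica/rust-overlay";
    # Reuse our nixpkgs instead of carrying a second, independently pinned one.
    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, rust-overlay }:
    let
      inherit (nixpkgs) lib;

      # Systems every per-system output (apps, packages, dev shells, VMs) is
      # generated for.
      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];

      # Call `f system pkgs toolchain` once per entry of `systems`.
      # `pkgs` has rust-overlay applied; `toolchain` is the latest stable
      # rust-bin with the `rust-src` component (needed for RUST_SRC_PATH).
      forAllSystems = f: lib.genAttrs systems (system:
        let
          pkgs = import nixpkgs {
            inherit system;
            overlays = [ (import rust-overlay) ];
          };
          rust-bin = rust-overlay.lib.mkRustBin { } pkgs.buildPackages;
          toolchain = rust-bin.stable.latest.default.override {
            extensions = [ "rust-src" ];
          };
        in
        f system pkgs toolchain);
    in
    {
      apps = forAllSystems (system: _: _: {
        default = self.apps.${system}.vm;
        # `nix run` boots the test VM declared under nixosConfigurations below.
        vm = {
          type = "app";
          # lib.getExe already returns a string; no interpolation needed.
          program = lib.getExe self.nixosConfigurations."vm-${system}".config.system.build.vm;
        };
      });

      # Development shell: the pinned toolchain plus cargo-edit.
      # `devShells.<system>.default` is the output `nix develop` looks up first;
      # the bare `devShell` output is the legacy name and is kept (pointing at
      # the same derivation) so existing invocations keep working.
      devShells = forAllSystems (system: pkgs: toolchain: {
        default = pkgs.mkShell {
          nativeBuildInputs = with pkgs; [
            toolchain
            cargo-edit
          ];
          RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
        };
      });
      devShell = forAllSystems (system: _: _: self.devShells.${system}.default);

      overlays = {
        default = self.overlays.container-tool;
        # Expose container-tool to other nixpkgs instances; the package is
        # picked for the host platform of the nixpkgs being overlaid.
        container-tool = final: prev: {
          inherit (self.packages.${prev.stdenv.hostPlatform.system}) container-tool;
        };
      };

      packages = forAllSystems (system: pkgs: _: {
        default = self.packages.${system}.container-tool;
        # Name, version and main binary are read from Cargo.toml so the flake
        # does not duplicate them; the vendored dependency set is fixed by
        # Cargo.lock.
        container-tool =
          let
            cargoToml = builtins.fromTOML (builtins.readFile ./container-tool/Cargo.toml);
          in
          pkgs.callPackage ({ lib, rustPlatform }:
            rustPlatform.buildRustPackage {
              pname = cargoToml.package.name;
              version = cargoToml.package.version;
              # `lib` here is the one callPackage injected (pkgs.lib).
              src = lib.cleanSource ./container-tool;
              cargoLock.lockFile = ./container-tool/Cargo.lock;
              meta = with lib; {
                license = licenses.mit;
                platforms = platforms.linux ++ platforms.darwin;
                # First [[bin]] entry of Cargo.toml; evaluation fails if the
                # manifest declares none.
                mainProgram = (head cargoToml.bin).name;
              };
            }) { };
      });

      nixosModules.default = ./modules/user-jails.nix;

      # One throwaway QEMU VM per system, exposed as `vm-<system>`, to exercise
      # the user-jails module interactively. Everything in the inline module
      # below is test-only configuration: root autologin on the console, fixed
      # well-known passwords and sshd enabled. Do not copy it into a real host
      # configuration.
      nixosConfigurations = lib.mapAttrs' (n: v: lib.nameValuePair "vm-${n}" v) (forAllSystems (system: pkgs: _:
        lib.nixosSystem {
          inherit system pkgs;
          modules = [
            "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
            self.nixosModules.default
            ({ config, ... }: {
              # Tracks the nixpkgs release; fine for a VM that is never upgraded in place.
              system.stateVersion = config.system.nixos.release;
              virtualisation.graphics = false;
              # Console drops straight into a root shell; acceptable only because
              # this VM is disposable.
              services.getty.autologinUser = "root";
              users.motd = ''
                ==================================
                Welcome to the user-jails test vm!
                Try logging in as a user:
                ssh user1@localhost
                ssh user2@localhost
                user1: default jail
                - private networking
                - global users (private users doesn't work atm)
                - allow outside network access
                user2: permissive jail
                - global networking
                - global users
                - allow outside network access
                All users have password 'foobar'
                To exit, press Ctrl+A, then X
                ==================================
              '';
              # `password` is stored in clear text in the world-readable Nix
              # store; a test-only credential, also announced in the MOTD.
              users.users.user1 = {
                uid = 1000;
                isNormalUser = true;
                createHome = true;
                password = "foobar";
              };
              users.users'.user1.jail = {
                enable = true;
                # Private users doesn't work inside VM for now
                # See https://github.com/NixOS/nixpkgs/issues/451167
                useGlobalUsers = true;
              };
              users.users.user2 = {
                uid = 1001;
                isNormalUser = true;
                createHome = true;
                password = "foobar";
              };
              users.users'.user2.jail = {
                enable = true;
                # bindGlobalNixStore = true; # doesn't do anything for now
                useGlobalNetworking = true;
                useGlobalUsers = true;
              };
              # user3 (strict jail) stays disabled until private users work in
              # the VM; re-enable it together with its MOTD lines below.
              # users.users.user3 = {
              #   uid = 1002;
              #   isNormalUser = true;
              #   createHome = true;
              #   password = "foobar";
              # };
              # users.users'.user3.jail = {
              #   enable = true;
              #   allowNetworking = false;
              # };
              # MOTD description:
              # user3: strict jail
              # - private networking
              # - private users
              # - deny outside network access
              #
              # sshd runs with NixOS defaults (password logins allowed). The VM
              # uses QEMU user networking and declares no port forwards, so it
              # looks reachable only from inside the guest — confirm before
              # forwarding any port to the host.
              services.openssh.enable = true;
              programs.vim.enable = true;
            })
          ];
        }
      ));
    };
}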